Apple rejects banks’ ploy for access to iPhone NFC capabilities

From Computerworld.

Apple says it “strongly urges” the Australian Competition and Consumer Commission (ACCC) to reject an application from three of the four major banks that would see them able to band together in order to negotiate access to the company’s digital wallet system.


Last month the Commonwealth Bank of Australia, National Australia Bank and Westpac, as well as Bendigo and Adelaide Bank, applied to the ACCC for the right to engage in collective negotiations over, and potentially boycott, third-party digital wallets including Apple Pay, Google Pay and Samsung Pay.

One bugbear of the banks outlined in their application is the refusal of Apple to open up access to the iPhone’s NFC antenna in order for third party iOS applications to be used for contactless payments.

So far ANZ is the only one of Australia’s big four banks to strike a deal to offer Apple Pay to its customers. “Apple has struggled to negotiate agreements with the Australian Banks and only recently signed an agreement with ANZ,” Apple said in a response lodged with the ACCC that was first noted by the AFR.

The other banks “based on their limited understanding of the offering… perceive Apple Pay as a competitive threat”, Apple argued.

The goal of the banks banding together “is to force Apple and other third party providers to accept their terms, allow them to charge consumers that choose to use Apple Pay, and force Apple to undermine the security of its mobile payment service by opening access to the NFC antenna, placing at risk the consumer experience of a simple, secure, and private way to make payments in store, within applications or on the web.”

Apple said it could not identify any public benefits that could arise from the banks being authorised to engage in a collective boycott.

The banks’ application to the ACCC notes: “Some issuers in other countries have expressed concern that Apple has not allowed other mobile payment apps to use the iPhone’s NFC payment functionality…”

“Providing simple access to the NFC antenna by banking applications would fundamentally diminish the high level of security Apple aims to have on our devices,” Apple argued in response.

Will Internet Users Start Using Mobile Payment Apps Anytime Soon?

From Emarketer.

Mobile payment apps have been around for a while, but it seems people aren’t rushing to use them anytime soon, according to April 2016 research. In fact, more than three-quarters of US internet users said they are very or somewhat unlikely to start using a mobile payment app within the next 12 months.

Likelihood that US Internet Users Will Start Using a Mobile Payment App, April 2016 (% of respondents)

The likelihood of respondents using a mobile payment app soon was low, data from Citi Cards uncovered. Just 21% of internet users said they were likely to start using one in the next year.

However, separate research from Retale revealed that consumers may in fact be warming to mobile payments. Internet users surveyed in 2015 said that retailers should offer mobile payments in-store, and many were interested in using mobile payments to make an in-store purchase during the holiday season.

US Proximity Mobile Payment Transaction Value, 2014-2019 (billions and % change)

Furthermore, eMarketer estimates that proximity mobile payments in the US will ramp up aggressively this year. Transaction value will triple in 2016 due to a growing user base, broader merchant acceptance and the greater frequency of consumers using their phones to make point-of-sale payments on medium- and high-priced products.

How contactless cards are still vulnerable to relay attack

From The Conversation.

Contactless card payments are fast and convenient, but convenience comes at a price: they are vulnerable to fraud. Some of these vulnerabilities are unique to contactless payment cards, and others are shared with the Chip and PIN cards – those that must be plugged into a card reader – upon which they’re based. Both are vulnerable to what’s called a relay attack. The risk for contactless cards, however, is far higher because no PIN number is required to complete the transaction. Consequently, the card payments industry has been working on ways to solve this problem.

The relay attack is also known as the “chess grandmaster attack”, by analogy to the ruse in which someone who doesn’t know how to play chess can beat an expert: the player simultaneously challenges two grandmasters to an online game of chess, and uses the moves chosen by the first grandmaster in the game against the second grandmaster, and vice versa. By relaying the opponents’ moves between the games, the player appears to be a formidable opponent to both grandmasters, and will win (or at least force a draw) in one match.

Similarly, in a relay attack the fraudster’s fake card doesn’t know how to respond properly to the payment terminal because, unlike a genuine card, it doesn’t contain the cryptographic key known only to the card and the bank that verifies the card is genuine. But like the fake chess grandmaster, the fraudster can relay the communication of the genuine card in place of the fake card.

For example, the victim’s card (Alice, in the diagram below) would be in a fake or hacked card payment terminal (Bob) and the criminal would use the fake card (Carol) to attempt a purchase in a genuine terminal (Dave). The bank would challenge the fake card to prove its identity; this challenge is then relayed to the genuine card in the hacked terminal, and the genuine card’s response is relayed back on behalf of the fake card to the bank for verification. The end result is that the terminal used for the real purchase sees the fake card as genuine, and the victim later finds an unexpected and expensive purchase on their statement.

The relay attack, where the cards and terminals can be at any distance from each other. Author provided

Demonstrating the grandmaster attack

I first demonstrated that this vulnerability was real with my colleague Saar Drimer at Cambridge, showing on television how the attack could work in Britain in 2007 and in the Netherlands in 2009.

In our scenario, the victim put their card in a fake terminal thinking they were buying a coffee when in fact their card details were relayed by a radio link to another shop, where the criminal used a fake card to buy something far more expensive. The fake terminal showed the victim only the price of a cup of coffee, but when the bank statement arrives later the victim has an unpleasant surprise.

At the time, the banking industry agreed that the vulnerability was real, but argued that as it was difficult to carry out in practice it was not a serious risk. It’s true that, to avoid suspicion, the fraudulent purchase must take place within a few tens of seconds of the victim putting their card into the fake terminal. But this restriction only applies to the Chip and PIN contact cards available at the time. The same vulnerability applies to today’s contactless cards, only now the fraudster need only be physically near the victim at the time – contactless cards can communicate at a distance, even while the card is in the victim’s pocket or bag.

While we had to build hardware ourselves (from off-the-shelf components) to demonstrate the relay attack, today it can be carried out with any modern smartphone equipped with near-field communication chips, which can read or imitate contactless cards. All a criminal needs is two cheap smartphones and some software – which could be sold on the black market, if it is not already available. This change is likely the reason why, years after our demonstration, the industry has developed a defence against the relay attack, but only for contactless cards.

A rigged payment terminal capable of performing the relay attack can be made from off-the-shelf components. Author provided

Closing the loophole

The industry’s defence is based on a design that Saar and I developed at the same time that we demonstrated the vulnerability, called distance bounding. When the terminal challenges the card to prove its identity, it measures how long the card takes to respond. During a genuine transaction there should be very little delay, but a fake card will take longer to respond because it is relaying the response of the genuine card, located much further away. The terminal will notice this delay, and cancel the transaction.

We set the maximum delay to 20 nanoseconds – the time it takes a radio signal to travel six metres; this would guarantee the genuine card is no further away than this from the terminal. However, the contactless card designers made some compromises in order to be compatible with the hundreds of thousands of terminals already in use, which allow far less precise timing. The new, updated card specification sets the maximum delay the terminal allows at two milliseconds: that’s two million nanoseconds, during which a radio signal could travel 600 kilometres.

Clearly this doesn’t offer the same guarantees as our design, but it would still represent a substantial obstacle to criminals. While it’s enough time for the radio signal to travel far, it’s still a very short window for the software to process the transaction. When we demonstrated the relay attack it regularly introduced delays of hundreds or even thousands of milliseconds.
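The distance-bounding check described above, as an added example that is not part of Murdoch’s article or of any card specification: a terminal challenges the card, the card answers with a keyed MAC over the challenge using a key shared only with the bank, and the terminal accepts only if the answer is both correct and arrives within the delay bound. A relayed response from a genuine card passes the cryptographic check, so it is the timing check that has to catch it. The HMAC construction, the 0.5 ms genuine response time and the 300 ms relay latency are constructed assumptions; the 20 ns and 2 ms bounds and the propagation distances are taken from the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458  # free-space radio propagation speed


def max_signal_distance_m(bound_s: float) -> float:
    """Distance a radio signal covers within the allowed delay.

    With the article's figures: 20 ns -> about 6 m, 2 ms -> about 600 km.
    """
    return SPEED_OF_LIGHT_M_PER_S * bound_s


@dataclass
class Card:
    """Hypothetical card holding a key shared only with the issuing bank."""

    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        # Assumed challenge-response: a keyed MAC over the terminal's nonce.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def bank_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Bank-side check: was this response produced with the genuine card's key?"""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def terminal_decision(key: bytes, challenge: bytes, response: bytes,
                      elapsed_s: float, bound_s: float = 0.002) -> str:
    """Distance bounding: the answer must be correct AND fast enough.

    The default bound of 2 ms is the figure the article gives for the
    updated contactless specification.
    """
    if not bank_verify(key, challenge, response):
        return "rejected: response not from genuine card"
    if elapsed_s > bound_s:
        return "rejected: response too slow (possible relay)"
    return "accepted"


def simulate(relay_delay_s: float = 0.0, forged: bool = False,
             bound_s: float = 0.002) -> str:
    """Run one challenge through a genuine card, optionally via a relay.

    relay_delay_s models the latency two relaying devices add on top of the
    genuine card's own response time; forged models a fake card answering
    on its own, without the key.
    """
    key = os.urandom(32)        # constructed: card/bank shared secret
    card = Card(key)
    challenge = os.urandom(16)  # constructed: terminal nonce
    response = b"\x00" * 32 if forged else card.respond(challenge)
    # Constructed timing: a card answers in well under a millisecond; any
    # relay adds its own round trip on top of that.
    elapsed_s = 0.0005 + relay_delay_s
    return terminal_decision(key, challenge, response, elapsed_s, bound_s)


if __name__ == "__main__":
    print("genuine card       :", simulate())
    print("relayed via phones :", simulate(relay_delay_s=0.3))
    print("fake card, no key  :", simulate(forged=True))
    print("20 ns bound -> %.1f m" % max_signal_distance_m(20e-9))
    print("2 ms bound  -> %.0f km" % (max_signal_distance_m(0.002) / 1000))
```

The relayed case is the instructive one: `bank_verify` returns true, because the response really did come from the genuine card, and only the elapsed-time comparison rejects it. That is also why the article’s observation about software latency matters: the 2 ms bound is generous in radio terms but tight compared with the hundreds of milliseconds a pair of relaying devices introduces.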

It will be years before the new secure cards reach customers, and even then only some: there is only one Chip and PIN specification, but there are seven specifications for contactless cards, and only the MasterCard variant includes this defence. It’s not perfect, but it makes pragmatic compromises that should prevent smartphones being used by fraudsters as tools for the relay attack. The sort of custom-designed hardware that could still defeat this protection would require expertise and expense to build – and the banks will hope that they can stay ahead of the criminals until the arrival of whatever replaces contactless cards in the future.

Author: Steven J. Murdoch, Royal Society University Research Fellow, UCL

Under Pressure, US Banks Vie for Instant Payment Market

From NY Times.

In this digital age when almost anything can be had in an instant, the movement of money can seem glaringly slow.

Most people paying a housekeeper or collecting money for an office pool still use cash or a check, which can take days to go through — a relative eternity that banking regulators worry is impeding commerce and economic growth.


The slowness has led many Americans to new mobile services, like PayPal’s Venmo or Square Cash, which make it possible to pay a friend instantly with just a phone.

Venmo processed nearly $4 billion in P2P payments last quarter, which represented 141% growth from the prior-year quarter. By comparison, mobile payments processed at PayPal’s core app rose 56% annually to $24 billion.

PayPal’s total processed payments — which include its website, third-party sites, retail stores, and Xoom — rose 29% on a constant-currency basis to $86 billion during the quarter. Venmo might seem small when compared to PayPal’s entire business, but it’s also its fastest-growing platform. However, Venmo is already facing lots of competition in the P2P payments space.

Now, the banks are catching up. On Monday, Wells Fargo joined JPMorgan Chase, Bank of America and US Bank in allowing customers to send money in seconds to one another’s bank accounts using just a phone number or email address. Customers of the biggest banks can now use their mobile phones, say, to send money instantly to a child in college who needs cash.

“We pay attention to what customers are asking for, and we are doing all the things we need to stay competitive,” said Brett Pitts, who leads digital initiatives at Wells Fargo.

The stakes are high: Banks are under broad pressure both from the Federal Reserve, which has a “faster payments committee” aimed at requiring immediate improvements, and from tech companies like PayPal and Apple, whose Apple Pay service was a bright spot in its recent earnings report.

All these companies, and Visa and MasterCard, are competing to build and control the payment network of the future.

Banks are promoting their new services as cool and convenient: One Chase advertisement shows the basketball star Stephen Curry dribbling a basketball while making an instant payment on his phone.

American bank executives fear that they could lose ground to plucky payment companies like Venmo, a popular choice among millennials who want to pay each other — and send emoji-filled messages to their friends.

The banks worry that if they do not respond with their own instant payment offerings, they will be relegated to performing less-profitable back-office functions for hip new payment companies, which make their money primarily by charging small fees to customers who pay by credit card rather than directly from a bank account.

The person-to-person payment market is valuable because it allows financial companies to gain the first point of contact with a consumer and then try to sell them other products like loans.

Analysts predict that eventually the new payments network could be extended to connect consumers with merchants, providing a potentially lucrative source of fees for banks.

“It’s like owning a toll road: You are going to get paid by everybody that uses it,” said Gareth Lodge, a payments analyst at Celent, a financial consulting firm.

Mastercard and Visa, which have a tight grip on payments made with credit and debit cards, are also trying to gain a foothold in these new networks.

Late last month, Mastercard acquired a majority stake in VocaLink, the company that operates a mobile and internet payment network in the United Kingdom and is helping to develop an even broader system in the United States. Also, Visa recently announced a broad partnership with PayPal that will make both of their offerings more instantaneous.

Instant person-to-person payment is something that people in many other countries have been able to do for years, and the absence of the service in the United States has been a marker of the relative backwardness of American banks.

The banks began developing the system being introduced this year in 2011, when Bank of America, JPMorgan and Wells Fargo created a network called clearXchange. That system has already allowed bank customers to send each other money using just an email address or cellphone number, but transactions were not instant until this year.

In addition to payments technology that the nation’s largest banks are rolling out this summer, banks that belong to an industry group called the Clearing House are developing a broader network that will allow businesses and even governments to make large instant payments.

A fast and efficient payment network also has implications for the economy. Federal officials and analysts say the current lag time between when a payment is sent and when the money is cleared to spend can hinder businesses from balancing their books and managing their supplies. The lag also puts the United States at a disadvantage compared with, say, Europe, where banks are far ahead in making payments instantaneous.

The banks now face a challenge to make their real-time technology easy enough to lure customers away from start-ups like Venmo.

With Venmo, a user can send money to anyone simply by tapping into the app and entering a phone number or email address. By contrast, customers of JPMorgan Chase, for example, must log into their Chase app using their password, then navigate through a series of somewhat clunky tabs to initiate a transaction with QuickPay. The banks also lack the social networking capabilities that have helped make Venmo a hit.

Talie Baker, a payments analyst at the Aite Group, a banking consultancy, said that even her friends who have Chase’s service often do not think it is worth using. “I can’t get anybody to accept a Chase QuickPay payment from me,” she said. “Banks are probably going to start losing market share if they don’t make their applications as easy to use as Venmo is.”

Chase and the other banks say the additional steps they ask of customers provide more security. The banks also say they are already handling significantly more personal payments than Venmo and other competitors like Square Cash.

Chase said that last year it processed about $20 billion in so-called peer-to-peer payments, while Venmo handled about $10 billion. PayPal as a whole made about $40 billion in such payments, the company said.

The banks should have a significant advantage over technology companies, given the sheer number of customers they already have, payment industry analysts say.

PayPal and the banks say the most immediate opportunity is not taking business from one another, but cannibalizing the enormous number of payments that are still made by cash and check, which represent more than three-quarters of all peer-to-peer transactions.

Bill Ready, who oversees Venmo at PayPal, said he was happy that American banks were finally catching up with the progress that has been made in most other developed countries.

“The rest of the world has already been here a long time,” he said. “To see an industry move is a great thing.”

ANZ and Amex the winners in Australia’s banks’ fight with Apple over payment apps

From The Conversation.

Australia’s banks have always enjoyed a lucrative income from credit card “interchange fees”, the charges that the banks levy on merchants’ sales. These fees amount to AU $2.5 billion a year, which is ultimately passed on to consumers.


Unwilling to share any of this revenue with Apple, all but ANZ and American Express have refused to adopt Apple Pay. Instead, four of the largest banks (NAB, Westpac, Commonwealth, and Bendigo and Adelaide) have asked Australia’s competition regulator, the ACCC, for permission to act collectively to negotiate with Apple over access for their own digital wallet products on its phones, tablets and watches.

The banks, along with their industry representatives are claiming that they are taking this action in the interest of providing “Australians with real choice and better outcomes”. They are also allegedly concerned about security and standards surrounding the way in which customers add their cards to Apple Pay.

Even if granted, the likelihood of Apple negotiating access to the underlying payment mechanisms in the phone to the Australian banks is zero. Ceding on this would not only require Apple to create the mechanisms by which third parties could integrate with the hardware and software in their devices but it would essentially be giving up on the substantial global revenue derived from Apple Pay that is only set to grow.

Giving in to Australian banks, which in total represent a small fraction of their overall Apple Pay earnings, would mean opening up access to Apple Pay to every bank globally. Something that Apple would never do. Apple would be more likely to forego Australia altogether before taking that radical a step.

If anyone had an anti-competitive complaint to make, it would be Google and Samsung whose Apple Pay alternatives, Android Pay and Samsung Pay are also not compatible with the iPhone platform. The fact that they haven’t complained about this as such is because it wouldn’t be worth their while competing with Apple Pay which is integrated into the underlying operating system.

The banks would like to claim that their own technology somehow would be better than using Apple Pay. The banks’ tap and pay apps however require opening them up and entering a PIN, logging in or using a fingerprint login, rather than simply holding the phone against the tap and pay terminal with your thumb on the home button. The banks’ apps have also been historically beset with issues and delays in supporting new versions of Android in particular.

Perhaps Apple should not feel particularly victimised however. The Commonwealth Bank, Westpac and NAB have rejected any support for Android Pay or Samsung Pay as well.

ANZ is the only Australian bank to have taken on Apple Pay after originally being part of the other banks’ initiative to collectively bargain with Apple. The move by ANZ CEO Shayne Elliott to be the bank to adopt the latest mobile digital technology is a smart one because it has clearly differentiated ANZ as a technological leader in this space. Elliott claims that the support of Apple Pay has attracted new customers to the bank.

ANZ’s and American Express’s support for Apple Pay and Android Pay has actually given customers what they want. What they want is to be able to use what large numbers of other people in other countries can use. Being part of the “Apple” or “Samsung” or “Android” group forms part of a user’s self and social identities and fulfils a psychological need of relatedness. Being excluded from this group by banks whose predominant consideration is profits will only cause dissatisfaction and resentment amongst their customers.

ANZ’s acceptance of Apple Pay will presumably also weaken the case of the other banks that they are being disadvantaged by Apple’s closed payment system. The brinkmanship of the banks will come to a head next year when the NSW transport system starts trialling the use of tap-and-pay cards to pay for travel. If the experience in London is anything to go by, this will drive even greater use of mobile tap-and-pay which for iPhone or Apple Watch users benefits only ANZ, American Express and Apple.

Author: David Glance, Director of UWA Centre for Software Practice, University of Western Australia

Android Pay arrives in Australia

From IT Wire.

Google’s Android Pay mobile payments system has arrived in Australia with American Express and Visa cards first off the rank, with MasterCard to be added “in a few days”.

Like Apple Pay, Android Pay uses the combination of NFC and tokenisation to allow a mobile phone to be used in place of a contactless payment card. And there’s a mechanism for in-app payments, again like Apple Pay.

The first round of Australian financial institutions backing Android Pay are American Express, ANZ, Bank Australia, Bank of Sydney, Beyond Bank, CAPE Credit Union, Central West Credit Union, EECU, First Option Credit Union, Goulburn Murray Credit Union, Holiday Coast Credit Union, Horizon Credit Union, Intech Credit Union, Laboratories Credit Union, Macquarie Bank, Mystate Bank, Northern Inland Credit Union, People’s Choice Credit Union, QT Mutual Bank, Queenslanders Credit Union, South West Slopes Credit Union, Sydney Credit Union, Teachers Mutual Bank, The Mac, The Rock, WAW Credit Union Co-Operative, Woolworths Employees’ Credit Union, and Wyong Shire Credit Union.

And “coming soon” are Bank of Melbourne, Bank SA, Bendigo Bank, RAMS, St George Bank, and Westpac.

NAB and Commonwealth are notable by their absence, but both have their own mobile payment apps already (NAB, CBA).

Google’s list of participating institutions will be kept updated.

Early adopters of in-app Google Pay include Catch of the Day, GoCatch, Jetstar, Kogan and Menulog.

The Google Pay app is supposed to work with any non-rooted NFC-enabled Android device running KitKat 4.4 or later. But there are some reports that it is not working with all phones meeting that specification.

ANZ becomes first major Australian bank to offer Android Pay

ANZ says today it became the first major bank to launch Android Pay in Australia. ANZ customers can now use Android Pay to make simple and secure purchases wherever contactless payments are accepted with either an ANZ Visa debit or credit card, or an ANZ American Express credit card.

ANZ Chief Executive Officer Shayne Elliott said:

Being the first major bank in Australia able to offer Android Pay is another important milestone for ANZ as we work to build the best digital bank for our customers. Given Android is the most popular smart phone operating system in Australia, we know today’s announcement will be well received by both our retail and merchant customers.

Google Senior Director Product Management Pali Bhat said:

We’re excited to bring the simplicity and security of mobile payments to ANZ customers with Android Pay. Using Android Pay is more secure – and much faster – than rummaging through your wallet for a plastic card. Starting today, people will be able to use their Android device to pay at almost 800,000 contactless payment terminals in Australia.

ANZ customers with an eligible Android device can now choose Android Pay or ANZ Mobile Pay at retailers that accept contactless payments anywhere in Australia. Android devices with the KitKat operating system or later can use Android Pay through the Near Field Communication chip in the phone or tablet to make purchases. Android Pay uses tokenisation security to generate a unique number for each purchase so customer card details are never actually shared with the retailer directly.

PayPal takes $85m slice of SME lending pie

According to The Australian Business Review, PayPal Working Capital has extended more than $85m to about 3,000 small businesses since launching in Australia in late 2014.

In contrast, Prospa — the biggest “fintech” online small business lender — in May revealed it had cracked the $150m mark after four years of operations.

SocietyOne, the biggest “marketplace” lender, which has also been in business for four years, pushed through $100m personal loans in April.

PayPal’s product is also different as we described in an earlier post, with the unsecured loan of up to $97,000 being offered only to merchants that use its payments network, so borrowed funds can be instantly distributed following a five-minute application.

There’s a one-off upfront fee and repayments come out of daily sales, typically between 10 per cent and 30 per cent of turnover.

Interest rates are typically in the “teens and 20 per cent” range, differing based on merchants’ repayment choices and risk.

Including the US and Britain, PayPal Working Capital recently surpassed $US2 billion ($2.6bn) in loans. While Australia makes up a small piece of the pie, the business is profitable.

New instant card feature for NAB Pay

NAB customers can now continue using their personal Visa credit cards through NAB Pay within minutes of a replacement card being issued if their card has been lost or stolen.

This new instant card feature means customers who have NAB Pay on their compatible Android device can keep paying with their replacement card, without having to wait days for their physical card to arrive in the mail.

Customers who need to arrange a replacement card can call NAB and will be able to link to their new card in their NAB Pay digital wallet, making it immediately available to use.

An additional six NAB Visa credit cards will also be added to NAB Pay from today, which means all personal NAB Visa credit cards can be used on NAB Pay.

Independent research recently undertaken by global intelligence and digital media provider RFi Group showed that banks are the most trusted provider of mobile payments, with almost 80 per cent of consumers saying they would most trust their main bank to provide them with a mobile payment service.

Launched in January, NAB Pay is rapidly being adopted by customers, with more than 225,000 debit and credit transactions made through the app in the last six months.

NAB is the first Australian bank to utilise Visa Token Service in Australia, providing an important extra layer of security for customers.

Tokenisation replaces a customer’s credit card number with a unique digital ‘token’ that can be used for digital payments, without revealing sensitive account information.
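The tokenisation described here, and in the Android Pay item above (“a unique number for each purchase so customer card details are never actually shared with the retailer”), as an added example that is not code from NAB, Visa or Google: an issuer-side token service provisions a device with a token and a device key instead of the card number, the device produces a fresh cryptogram for every purchase, and the retailer’s terminal only ever forwards the token and cryptogram. The vault maps the token back to the card number, and a replayed or altered cryptogram is declined. The `TokenService` and `Device` classes, the HMAC-based cryptogram, the counter-based replay check and the test card number `4111111111111111` are all constructed assumptions standing in for how a real token service such as Visa Token Service works internally.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _cryptogram(key: bytes, token: str, merchant: str,
                amount_cents: int, counter: int) -> str:
    """Assumed per-purchase cryptogram: a keyed MAC over the payment details."""
    msg = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Device:
    """Hypothetical phone-side wallet: holds a token and a device key, never the PAN."""

    token: str
    key: bytes
    counter: int = 0

    def pay(self, merchant: str, amount_cents: int) -> dict:
        """Build the message the retailer's terminal receives for one purchase."""
        self.counter += 1
        tag = _cryptogram(self.key, self.token, merchant, amount_cents, self.counter)
        # Nothing here identifies the underlying card number.
        return {"token": self.token, "merchant": merchant,
                "amount_cents": amount_cents, "counter": self.counter,
                "cryptogram": tag}


class TokenService:
    """Hypothetical issuer-side token vault (not Visa Token Service itself)."""

    def __init__(self) -> None:
        # token -> [pan, device key, highest counter already accepted]
        self._records: dict = {}

    def provision(self, pan: str) -> Device:
        """Enrol a card: the PAN stays in the vault, the device gets a token and key."""
        token = "tok_" + os.urandom(8).hex()
        key = os.urandom(32)
        self._records[token] = [pan, key, 0]
        return Device(token, key)

    def authorise(self, msg: dict) -> str:
        """Validate a forwarded payment message and resolve it to the real card."""
        record = self._records.get(msg["token"])
        if record is None:
            return "declined: unknown token"
        pan, key, last_counter = record
        expected = _cryptogram(key, msg["token"], msg["merchant"],
                               msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= last_counter:
            return "declined: replayed cryptogram"
        record[2] = msg["counter"]
        return f"approved for card ending {pan[-4:]}"


def run_demo() -> dict:
    """Walk one card through provisioning, a purchase, a replay and a tamper attempt."""
    service = TokenService()
    pan = "4111111111111111"  # constructed: a well-known test card number
    device = service.provision(pan)
    first = device.pay("coffee-shop", 450)
    second = device.pay("coffee-shop", 450)
    return {
        "pan_visible_to_retailer": pan in str(first),
        "first": service.authorise(first),
        "replay": service.authorise(first),
        "tampered": service.authorise(dict(second, amount_cents=45000)),
        "second": service.authorise(second),
        "unknown": service.authorise(dict(second, token="tok_unknown")),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:24s} {outcome}")
```

The property worth noticing is that the retailer holds nothing reusable: the token is meaningless outside the vault, and each cryptogram is bound to the merchant, amount and a counter, so a captured message cannot be replayed or altered. Real schemes add device binding and issuer risk checks on top of this, which the example leaves out.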

NAB Pay is available as part of the NAB Mobile Internet Banking App on compatible Android devices, and can be used wherever contactless payments are accepted.


Charging for credit and debit card use may become the norm under new rules

From The Conversation.

New standards on how much businesses can surcharge their customers for credit or debit card purchases start in September. However, it’s not clear how the rules will be policed and whether this will lead to all businesses enforcing a surcharge, rather than just those who choose to.

The Reserve Bank of Australia (RBA) has revised the regulations, aiming to limit the amount merchants can surcharge customers for paying by credit or debit cards. The new rules will initially apply to large merchants, defined as those employing over 50 staff, as these businesses are seen to be overcharging the most.

Businesses have been able to add on surcharges to these type of purchases in Australia since January 2003. This was part of RBA regulatory interventions in the first place, as it originally allowed merchants to surcharge in order to recover the costs of accepting card payments. The surcharges can be ad valorem (in proportion to the value of the transaction) or a fixed dollar amount.

A current example is that taxi fares using a Cabcharge terminal, whether they be paid by charge, credit or debit card, are surcharged at the same ad valorem level of 5%, as a processing fee. Not all the goods and services suppliers who accept card payments choose to impose surcharges on their customers, but a significant and seemingly ever-increasing number of them do surcharge.

The Australian airlines are well known for their fixed dollar surcharges. Qantas charges a card payment fee (per passenger, per booking) of $2.50 for debit and $7.00 for credit, on domestic flights and $10 for debit and $30 for credit, on international flights.

Jetstar charges a booking and service fee (per passenger, per flight) of $8.50 domestic and up to $12.50 for international, whilst Virgin charges a fee of $7.70 for payments made by credit or debit card. These examples of surcharging have caused much angst amongst consumers, and the recent Financial System Inquiry had over 5,000 submissions to its final report complaining about surcharging, particularly by airlines.

But how will the new standards be enforced? In February, the Australian Competition and Consumer Commission (ACCC) was given the power to issue infringement notices worth up to just over $100,000 to listed corporations who charge their customers excess payment card surcharges.

These are defined as charges that exceed the costs of acceptance of payment cards. It remains to be seen if the size of these penalties deters merchants from excessive surcharging.

In May, the RBA published new standards as to the average cost a merchant is permitted to charge for accepting credit or debit cards. These apply to the following so-called card schemes: EFTPOS; MasterCard credit and debit; Visa credit and debit; and American Express companion cards issued by Australian banks.

Under the new rules the average cost of accepting a debit or credit card is defined in percentage terms of cost of the transaction. This will vary by merchant, but it means that merchants will not be able to levy fixed dollar surcharges.

The permitted surcharge for an individual merchant will be based on an average of their card costs over a 12 month period. In the interests of transparency, the financial institution that processes each merchant’s transactions will be required to provide regular statements of the average cost of acceptance for each of the card schemes.

This information will of course also be important for the ACCC in any cases where enforcement is required if merchants are surcharging excessively.

Now that surcharges are well defined by the RBA, the risk is that surcharging will become a normal extra charge like GST, an unintended consequence of the new rules. Also, why should merchants be allowed to charge their customers a surcharge for such payments, which are surely just another cost of doing business, just as their utility bills and employee wages are?

The ACCC is currently finalising guidance material for consumers and merchants which will provide further information on the ACCC’s enforcement role and how consumers can make complaints if they believe that a surcharge is excessive.

Surcharges on card payments have certainly already provoked rage amongst consumers. The final question is: will the next iteration of surcharge standards make surcharging the norm?

Author: Steve Worthington, Adjunct Professor, Swinburne University of Technology