On 20th May, Orange and Barclaycard launched Quick Tap, the UK's first contactless mobile phone payment service. But is it all hype, or is this really the start of something to come?
The payment application is based on MasterCard's PayPass technology, which has been installed in 50,000 terminals in the London area. Retailers accepting PayPass include McDonald's, Little Chef, Subway, Pret a Manger and Eat. Customers can make purchases up to a value of £15.
Before looking at the technology, it is clear that there is a very limited population of terminals in the UK, and retailers tell us that the business case for changing terminals to contactless doesn't warrant the cost. From the consumer's point of view, he gets to tap and go, since no PIN is required. For both merchant and consumer this should lead to a smoother payment experience and shorter queues.
The phone is the Samsung Tocco Quick Tap. This is not an Android or NFC phone; instead it uses an active SIM, which means the SIM card itself contains the smart card chip and an ISO 14443 antenna. It's really quite incredible that it works at all with such a small antenna, particularly as the SIM card connector has a metal top plate. The advantage of the active antenna is that power is supplied from the phone battery; with a normal contactless card you are relying on harvesting power through the antenna from the reader's field to run the smart card chip. This significantly increases the antenna range for a given size. I wouldn't give much for your chances if the chip had to be powered from the antenna.
The blurb that comes with the phone makes it clear that both the location and orientation of the phone against the reader are critical. There is a Quick Tap square clearly marked on the back cover of the phone. Now here's something interesting: the spot to touch on the back cover is not actually over the SIM card, it's directly over the battery. A more careful look at the back cover shows it has a stick-on sheet across the complete back cover. There's only one simple explanation: the sticker encapsulates two coils coupled like a transformer, one placed over the SIM and another of much larger area behind the sweet spot marked on the cover. This gives an amplification effect over the very small SIM antenna.
Barclays/Barclaycard have so far issued over 11 million contactless cards in the UK, which sounds like a lot, but you never seem to see them, probably because there are so few places you can use them.
The MasterCard PayPass technology is used in the SIM card, and this is the smart card version, not the magnetic stripe emulation widely used in North America. However, it should be noted that the security still depends on whether the terminal knows the keys necessary to check the transaction cryptograms. Are we using symmetric or asymmetric cryptography in these implementations? If it's symmetric crypto, then you are relying on the merchant terminal either taking a risk or going for an on-line authorization, which rather defeats the purpose of low value transactions. This assumes that terminals are highly unlikely to be given symmetric keys.
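The point above, that who can verify a cryptogram is decided by which key the verifier holds, is easiest to see in a small model. The following is an added example written for this article; it is not code from Orange, Barclaycard, MasterCard or Gemalto, and it does not implement the real PayPass cryptogram or offline data authentication formats. An HMAC-SHA256 stands in for the symmetric card cryptogram, textbook RSA with two small constructed primes stands in for the asymmetric case, the transaction fields and the issuer key are constructed sample values, and the only figure taken from the article is the £15 offline ceiling.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# The £15 contactless ceiling the article mentions, in pence.
OFFLINE_LIMIT_PENCE = 1500


@dataclass(frozen=True)
class Transaction:
    """The fields a cryptogram is bound to (simplified, constructed for this example)."""
    pan: str             # constructed sample account number, not a real card
    amount_pence: int
    terminal_nonce: str  # unpredictable number chosen by the terminal for each tap

    def to_bytes(self) -> bytes:
        return f"{self.pan}|{self.amount_pence}|{self.terminal_nonce}".encode()


def terminal_nonce() -> str:
    """A fresh unpredictable number, so a captured cryptogram cannot be replayed later."""
    return secrets.token_hex(4)


# ---- Symmetric scheme: the card and the issuer share a secret key ----------------
# Constructed demo key. In practice it is derived per card inside the issuer's HSM
# and is never handed to merchant terminals, which is exactly the article's point.
ISSUER_KEY = b"constructed-demo-issuer-key"


def card_cryptogram(tx: Transaction, key: bytes = ISSUER_KEY) -> bytes:
    """What the SIM computes at tap time (HMAC-SHA256 stands in for the real algorithm)."""
    return hmac.new(key, tx.to_bytes(), hashlib.sha256).digest()


def issuer_verify(tx: Transaction, cryptogram: bytes, key: bytes = ISSUER_KEY) -> bool:
    """Only a party holding the shared key can check a symmetric cryptogram."""
    return hmac.compare_digest(card_cryptogram(tx, key), cryptogram)


def terminal_decision_symmetric(tx: Transaction, cryptogram: bytes, online: bool) -> str:
    """A terminal without the key can either ask the issuer (online) or accept at risk."""
    if online:
        return "approved-online" if issuer_verify(tx, cryptogram) else "declined-online"
    if tx.amount_pence <= OFFLINE_LIMIT_PENCE:
        # The cryptogram is not checked here; it is stored and only examined at
        # clearing, so a bad cryptogram under the limit is still approved at risk.
        return "approved-offline-at-risk"
    return "declined-offline"


# ---- Asymmetric scheme: the terminal holds only a public key ---------------------
# Textbook RSA with two small constructed primes, purely to show which key sits
# where. Real offline data authentication uses full-size keys and proper padding.
_P, _Q = 999983, 1000003
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent: never leaves the card
CARD_PUBLIC_KEY = (_N, _E)              # what a terminal would carry (via the scheme CA)


def _digest_mod_n(tx: Transaction, n: int) -> int:
    return int.from_bytes(hashlib.sha256(tx.to_bytes()).digest(), "big") % n


def card_sign(tx: Transaction) -> int:
    """Card-side signature over the transaction using its private exponent."""
    return pow(_digest_mod_n(tx, _N), _D, _N)


def terminal_verify_asymmetric(tx: Transaction, signature: int,
                               public_key=CARD_PUBLIC_KEY) -> bool:
    """The terminal checks the signature offline with nothing secret on board."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(tx, n)


if __name__ == "__main__":
    tx = Transaction("4000000000000002", 450, terminal_nonce())
    ac = card_cryptogram(tx)
    print("issuer check:", issuer_verify(tx, ac))
    print("offline, no key:", terminal_decision_symmetric(tx, ac, online=False))
    print("offline, public key:", terminal_verify_asymmetric(tx, card_sign(tx)))
```

Run it and the three outcomes line up with the argument in the text: the issuer, holding the key, can tell a genuine cryptogram from a tampered one; a terminal without the key approves anything under the limit without checking it at all, unless it goes online; and with a public key on board the terminal can reject a tampered transaction offline, which is the only route that gives low value transactions both speed and a local cryptographic check.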
However, I have saved the best bit till last: the SIM card (i.e. the UICC) is provided by Gemalto as part of their Trusted Service Management. In other words, Orange and Barclays are sharing the SIM with Gemalto as the trusted overlord. This is the most significant commercial TSM scheme I am aware of, and from the whispers I have heard it took longer to complete the legal agreements than the whole technical development.
Many observers are convinced that the financial institutions will go the MicroSD route to manage their applications in a smart card chip embedded in the MicroSD card, like a second SIM but not controlled by the network operator. I can only observe that we do still seem to be having problems with NFC: the much glorified Samsung Galaxy S2 arrived in the UK last month specified as an NFC phone, but strangely the NFC chip appears to have been disabled. It's there all right, the NXP PN544, but deathly quiet. Apparently Samsung are waiting for the MNOs to prepare their NFC applications; isn't that interesting? But you can't blame them, because the MNOs are the biggest purchasers of mobile phones!
I just wanted to tell you how painful it was to set up the new Quick Tap phone. Yes, I rushed out to buy one so that I could try it out. Nothing to do with the man in the Holborn Orange store; thank you James, you were unbelievably helpful in getting me going. However, the Orange automated on-line help system was most unhelpful. I followed the instructions that came with the phone and contacted the given number; it was one of those "if you want this, press 1" type automated conversations. Anyway, after about half a dozen ambiguous questions I was suddenly told that Orange could not help me and the line was cut dead. How wild does that make you?
Not wishing to give up, I then tried to register my Barclaycard with the PayPass application on the phone. Even following the instructions, the event took about an hour, partly because of all the information they ask for that you don't know and have to go searching for. I've also lost track of how many PINs and passwords had to be invented during the registration process; I think it was 5 or more, and they all had to be the right form and length and, yes, each one was different. To the MD of Barclays, I challenge you: get one of these phones and try to set it up to make contactless payments. And to the guys in the security department: you may think it's secure, but it's close to unworkable.
Am I the only one that thinks we have lost the plot in how to efficiently authenticate customers?
Dr. David Everett, Smartcard & Identity News