OMNY card completes the EMV only OMNY system (updated for Apple Pay OMNY)

After a long gestation, and a COVID-related delay, the good old swipe MetroCard replacement has finally shipped. OMNY card: a ‘truth in the cloud’ EMV bank payment card, not a MIFARE or FeliCa ‘truth in the card’ smartcard like London Oyster or Tokyo Suica. As MetroCard missed the transit smartcard revolution of the early 2000s, MTA and ticketing system management company Cubic Transportation Systems decided to go all in with a new system built on EMV and open loop, i.e. using ‘open payment’ EMV contactless credit/debit cards as the transit fare foundation instead of dedicated transit cards. It’s a ‘one size fits all’ approach where bank payment cards are promoted for every kind of purchase. The coming addition of fare capping, i.e. OMNY card features without OMNY card, further reduces the need for OMNY card commuter passes and encourages credit/debit card use.

The piecemeal OMNY rollout has not been an easy transition for MetroCard users. One problem with one size fits all open loop is that different people have different needs: minors, seniors, disabled, daily commuters with set routes, people without credit cards and so on. Even with fare capping, open loop cannot handle these well; if it did, TfL would have killed Oyster card long ago. Hence OMNY card is a closed loop OMNY branded EMV card with CVV security number, likely from a Mastercard issuing agency, similar to the Mastercard closed loop Ventra and Opal digital cards. Like Ventra card, OMNY card comes in plastic and the digital version will come to Apple Pay and Google Pay ‘soon’, although MTA has not given any launch window for the OMNY iOS and Android apps that will be necessary for adding OMNY to Wallet and for recharge.

As most of the open loop systems in North America, UK and Australia are designed and managed by Cubic it’s helpful to compare their ticketing system profiles.

When you carefully analyze the different systems and Express Mode transit support listed on the Where you can ride transit using Apple Pay support page, one condition becomes clear: current transit systems do not support Apple Pay Transit cards and EMV Express Transit when the system uses both MIFARE and EMV open loop. It’s a choice between supporting one or the other, not both. I suspect Apple does this because of the complexity of supporting MIFARE and EMV mixed mode operations on the same transit system.

OMNY is a new system however, built completely on EMV and EMV only. When Apple Pay OMNY launches, OMNY will be the first system to support both EMV as an Apple Pay transit card and EMV Express Transit mode for credit/debit cards. There is a catch however, similar to using Apple Pay China T-Union cards: turning on one card for Express Transit turns off other cards. This happens when cards share the same NFC ID number, which would result in card clash at the gate reader. When cards share the same ID, only one card can be set for Express Transit mode at any one time. For EMV cards this applies to payment cards as well, so Express Transit Card settings will likely turn off any activated payment cards when an OMNY card is turned on, and vice versa.

After OMNY card is launched on Apple Pay and Google Pay, the next OMNY challenge will be integrating Metro-North and LIRR commuter rail ticketing. This is a difficult task as none of the train lines are equipped with NFC card readers. MTA has yet to unveil any commuter rail ticketing integration details. Ventra has the same problem: commuter rail ticketing remains the age old conductor visual inspection, no tap and go contactless for you. And as ever there are thorny open loop user data privacy issues.

OMNY truly represents the state of American public transit as it tries to get on board with mobile payments. Progress is good and welcome but a real next generation vision with meaningful forward development of American public transit will continue to be a confused mess despite endless broken promises to fix it…simply because people with money and means don’t use it. If they did, things would have been fixed long ago.

Are Chinese manufactured PAX NFC readers a security risk?

Probably not, but the FBI Raids Chinese Point-of-Sale Giant PAX Technology report from Krebs on Security has some thrilling bits:

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

Krebs on Security

FBI, MI5, unnamed sources? Sounds like a spy novel. The original Jacksonville WOKV report is down to earth local news reporting with the official statement from the FBI: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

PAX NFC terminals and POS systems support EMV, FeliCa and MIFARE protocols and are used extensively in Japan in nationwide POS systems such as FamiMart and Doutor Coffee chains. However it’s important to remember that each protocol has a hardware certification process, for EMVCo, for FeliCa Networks and for MIFARE. Card companies also have their own hardware security and certification. And even though the story sounds scary, we don’t know what ‘major financial provider’ POS systems are pulling PAX readers*, what hardware models are involved and what kind of POS software they run (provided by PAX? Developed in-house?), or what exactly the FBI are investigating.

That said, this is much more real and interesting than the silly Apple Pay EMV Express Transit VISA security scare story pushed by the BBC, mindlessly repeated by tech sites and dubious ‘security experts’ who scare people into buying their ‘services’. The so-called Apple Pay EMV Express Transit VISA exploit was just a lab experiment; this is happening in the field. The PAX story won’t get much press however because it doesn’t have ‘Apple Pay’ in the headline. At least not yet…I’m sure some media hack out there will come up with one, something like ‘Apple Pay sends your personal payment data to China’. Only then will people start paying attention.

*UPDATE 2021-11-03
Bloomberg reports FIS Worldpay (also based in Jacksonville next door to PAX…interesting eh?) is pulling PAX NFC readers from client systems and replacing them with Verifone and Ingenico NFC readers. FIS said, “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.” No evidence but Worldpay is replacing PAX readers anyway…based on what exactly, hearsay?

PAX NFC readers comprise less than 5% of Worldpay client POS installations so we’re not talking big numbers. Meanwhile PAX has issued a long winded statement (PAX Technology announcement and resumption of trading) addressing and refuting the security risk claims from Krebs and FIS saying it’s only a geolocation feature. We don’t know which PAX reader models are involved but I suspect they are Android based. That’s the problem with all those crappy Android OS based POS+NFC all in one terminals: not only do they have lousy Android performance, they have all the Android security risks too. Dedicated hardware is way better, performance-wise and security-wise.
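The signal described in the quotes above, terminal traffic that matches neither payment data nor update telemetry, is something a merchant or processor can check against its own flow logs. The following is an added example, not code from the original post or from any party named in it; the host names, per-flow size limits and flow records are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    terminal: str    # terminal identifier from the asset inventory
    dst: str         # destination host as logged by the firewall or proxy
    port: int
    bytes_out: int   # bytes sent by the terminal in this flow


# Assumed baseline: the only destinations a terminal should talk to, with an
# assumed upper bound on bytes sent per flow for each traffic type.
BASELINE = {
    ("acquirer.example.net", 443): 4096,    # payment authorisation messages
    ("updates.example.net", 443): 16384,    # software update check requests
}

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("T-001", "acquirer.example.net", 443, 812),
    Flow("T-001", "acquirer.example.net", 443, 790),
    Flow("T-001", "updates.example.net", 443, 1200),
    Flow("T-002", "acquirer.example.net", 443, 805),
    Flow("T-002", "acquirer.example.net", 443, 250000),  # far above limit
    Flow("T-002", "203.0.113.50", 8443, 52000),          # not in baseline
    Flow("T-003", "updates.example.net", 443, 900),
    Flow("T-003", "acquirer.example.net", 443, 4096),    # exactly at limit
]


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow is not explained by the baseline."""
    limit = BASELINE.get((flow.dst, flow.port))
    if limit is None:
        return "unknown-destination"
    if flow.bytes_out > limit:
        return "oversized-upload"
    return None


def review(flows):
    """Summarise unexplained traffic per terminal; clean terminals are omitted."""
    per_terminal = {}
    for flow in flows:
        entry = per_terminal.setdefault(
            flow.terminal,
            {"flows": 0, "unexplained_bytes": 0, "reasons": Counter()},
        )
        entry["flows"] += 1
        reason = classify(flow)
        if reason:
            entry["unexplained_bytes"] += flow.bytes_out
            entry["reasons"][reason] += 1
    return {
        terminal: {**entry, "reasons": dict(entry["reasons"])}
        for terminal, entry in per_terminal.items()
        if entry["reasons"]
    }


if __name__ == "__main__":
    for terminal, summary in review(SAMPLE_FLOWS).items():
        print(terminal, summary)
```

In practice the baseline would come from the processor's published endpoints and from message sizes measured on known-good terminals, and flagged terminals would be matched to hardware model and software build before drawing any conclusion.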

My Cousin Apple Pay

So the EU is going ahead with ‘open NFC’ antitrust charges against Apple. As posted back in August 2020, the whole open vs closed debate is not easy to define. It’s probably easier to look at it from the simplistic App Store debate of letting developers bypass Apple’s in-app payment mechanism to avoid paying the ‘Apple Tax’, because that’s the box most people will understand.

We’ve already seen banks and Apple chafing over transaction fees on multiple occasions, the latest being ‘Banks Pressuring Visa to Cut Back on Apple Pay Fees’ because Apple dared release their own credit card under the Mastercard brand via Goldman Sachs. German banks and Australian banks in particular demand the right to use iPhone NFC in their own payment apps instead of Wallet so they can harvest the user data they can’t get via Apple Pay and drop Apple Pay support altogether in favor of their own proprietary payment apps (our exclusive card comes with our exclusive app). But there’s an aspect of the ‘open’ argument that will not be discussed by EU regulators, the banks and credit card companies.

I’ve been watching ‘My Cousin Vinny’ a lot recently. I love the courtroom scenes with Joe Pesci’s Vinny character turning the prosecution arguments upside down. There’s a key scene early on when Vinny uses a pack of cards to convince Ralph Macchio’s character to give Vinny a chance to defend him: ‘the prosecutors are gonna show you bricks with solid straight sides and corners, but they’re going to show them in a very special way’ so that judge and jury see bricks instead of playing cards, which is what ‘open NFC’ arguments are: paper card illusions.

NFC is just hardware, it’s worthless without the software protocols that drive it. NFC also has different definitions. The bank industry defines NFC as NFC A-B ISO/IEC 14443. The NFC Forum defines NFC as NFC A-B-F for device certification. On the protocol side the bank industry defines NFC as EMV because this is their industry standard created and managed by EMVCo (Europay-Mastercard-VISA initially, now collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa).

Are EU regulators going to argue that ‘open NFC’ is defined as NFC A-B-F on the hardware side and EMV, MIFARE, FeliCa protocols on the software side? Of course not. They will narrowly define their Vinny brick as NFC A-B and EMV, and maybe Calypso as the transit protocol is used in France for transit. Why would they do that?

It’s very simple. European banking interests don’t want to pay transaction fees to Apple, the Apple Pay tax. They want to cut out the middle man with their own exclusive apps and harvest user data. They don’t want inconvenient questions such as why there are all those different NFC standards and protocols out there, how this came to be and what really constitutes ‘open’. Why did the ISO/IEC Joint Technical Committee choose Philips NFC-A and Motorola NFC-B while shutting out Sony NFC-F? Was that part of creating an ‘open’ and level NFC playing field on the global marketplace? Of course not, it was about playing favorites while shutting Sony and Japan out of the game. Now they want to do the same to Apple Pay. I still think Junya Suzuki is right: the EU will never demand the same thing of Samsung Pay or Huawei Pay that they are demanding from Apple.

Sawada Sho tweeted a thoughtful question recently regarding the App Store in-app payment controversy. He pointed out that gaming and other platforms charge developers a great deal of money for hardware and software access, and nobody questions that. Apple offers a lot of access for a very low price; is it fair to demand free passage on the App Store because it is Apple? Sho san thinks the Apple transaction cut is a fair tradeoff. Some tech writers have occasionally asked the same basic question: what’s fair?

EMV, MIFARE and FeliCa all have licensing and certification fees that all customers (developers) pay. Apple has gone to a lot of expense licensing those technologies in addition to licensing a GlobalPlatform Secure Element that they build into their own Apple Silicon. Those costs are recouped by Apple Pay transaction fees and fund future developments like digital keys with UWB, ID and other Wallet goodies we’ll get later on in the iOS 15 cycle. I’ve said it before and say it again: Apple took the time and expense to build a first class restaurant and outsiders are demanding the right to use Apple’s kitchen to cook their own food to serve their own customers in Apple’s restaurant.

I guess EU regulators want to give those away free to EU banking interests and let them have their way in the interest of ‘open standards’ that they define and end up protecting the home turf. That sounds like a good deal to me.

Isn’t Oyster card supposed to be dead?

The BBC asks the question, yet again: “London’s Oyster card: Are its days numbered?” It’s no secret that Transport for London has been trying to get rid of Oyster ever since 2011 when TfL, eyes firmly locked on the London Olympics, decided to put their resources into the emerging EMV contactless standard:

The current Oyster system, though very popular, is expensive and complex to administer. Contactless bank cards use existing technology, responsibility for issuing cards would lie with the banks rather than TfL, and the operating costs should be lower.

In 2017 there was a push to nudge people away from their Oyster cards and towards contactless. One announcement rang out all over London’s tube stations: Why not use your contactless bank card today? Never top up again, and it’s the same fare as Oyster.

How Long Does The Oyster Card Have Left? Londonist (2018)

Contactless card use, plastic and digital, surpassed Oyster card use in mid 2018, but this doesn’t mean TfL is killing Oyster. Not everybody has a smartphone or bank payment card, or wants to use them for transit, and public transit, by its very definition, has to offer everybody the means to buy a ticket with cash at a station kiosk.

Another problem is that the EMV digital transit closed loop model isn’t a cure-all solution, just one more piece of a complicated service puzzle. And so TfL’s Mike Tuckett states the obvious: “I can’t imagine a situation where everyone either will have a bank account and card suitable to pay and wants to…it’s about letting people naturally migrate towards it.” A new Oyster system is said to be coming on line later this year with weekly caps that match EMV contactless card caps.

The second, less obvious reason for keeping Oyster cards around is ‘the float’: there’s more than half a billion pounds sitting on unused Oyster cards (I’ll bet you there is more than that) which TfL earns interest on, then uses to “improve the transport network”. In this sense it’s a shame that TfL didn’t go with the MIFARE stored fare model for digital wallets instead of going all in with EMV. They could be earning more interest on their float to build a transit platform business instead of giving it away to banks, but that opportunity passed in 2011.

If TfL really launches a digital EMV closed loop Oyster card similar to the digital Opal one being tested in Sydney, no guarantee that will happen, the debate might subside a little. At any rate the ‘kill Oyster it’s dead already’ debate will continue, along with stories reaching the same conclusion of the BBC piece. It’s less debate than it is entertainment, the real debate being: will public transit use ever recover to pre-COVID levels.

iOS 15 Apple Pay Wallet preview: the Express Mode difference

Express Transit Suica ruins the Apple Pay experience for using anything else. You want Apple Pay to work that way everywhere but it doesn’t. Most of the time we trudge along using Apple Pay Wallet with face mask Face ID authorization, although the Apple Pay experience on Apple Watch is a big improvement as well as being a trusted device for secure intent.

iPhone users in America are finally getting a taste of Express Transit en masse with the 2020 rollouts of Apple Pay for SmarTrip, TAP, Ventra and Clipper. Apple recently rebranded Express Transit as Express Mode on their new Wallet webpage (in Japanese it’s called Express Card). The branding change may seem trivial but it has bigger implications for first time users of new Wallet services in iOS 15: Express Mode goes places that Express Transit cannot, namely digital keys and digital ID.

These functions are not new of course, Express Transit cards and Student ID cards have been opening transit gates and doors these past few years. But Express Mode is for everyone and personal: your keys and badge to unlock your home door, unlock and start your car and get you into the office. With these refinements and additions it’s safe to say that iOS 15 Wallet finally delivers the digital wallet dream people have been talking about since 2010. Wallet can replace your wallet.

What’s new
Last year I covered ‘coming soon’ Ultra Wideband Touchless and Code Payment (codeword Aquaman) Wallet developments. The Code Payments feature is still waiting in the wings. Steve Moser kindly confirmed that Aquaman code references are alive and well in iOS 15 with minor changes but this post will focus on announced features. In the WWDC21 Keynote Apple Pay section Jennifer Bailey announced keys and ID. The Wallet features you get from the ones listed on the iOS 15 preview page depend on the device:

Car keys with Ultra Wideband support (shareable)
iPhones and Apple Watches equipped with U1 chip* (iPhone 11 and later, Apple Watch 6)

Car keys without Ultra Wideband support (shareable)
Home keys (shareable)

iPhone XS • Apple Watch 5 and later*

Office key
Hotel key

“Device requirements may vary by hotel and workplace.”

ID in Wallet
iOS 15 devices
watchOS 8 devices (the fine print: Not all features are available on all devices)

None of the new features will be available when iOS 15 launches. Expect them with the iOS 15.1 update or later. NFC Car keys launched on iOS 13 and iOS 14 in 2020.

The A12 Bionic • iPhone XS and later requirement for Wallet keys is easy to understand: Express Cards with power reserve. A12 Bionic (and later) powered NFC bypasses the iOS overhead with a direct connection to the secure element. It is vital that people can unlock car and home doors even when their iPhone battery is out of juice. Up to 5 hours of power reserve makes a huge difference, but only for iPhone. *Apple Watch supports Express Mode but not power reserve.

The bigger story is UWB because it is new technology that works with the Secure Element to create a whole new experience. Up to now the Secure Element was exclusively NFC. Not anymore: the Car Connectivity Consortium (CCC) Digital Key 3.0 specification “maintains support for NFC technology as a mandatory back-up solution.” Digital car key is first and foremost a UWB solution with NFC relegated to the back seat.

UWB connectivity adds hands-free, location-aware keyless access and location-aware features for an improved user-friendly experience…

3.0 addresses security and usability by authenticating the Digital Key between a vehicle and the mobile device over Bluetooth Low Energy and then establishing a secure ranging session with UWB, which allows the vehicle to perform secure and accurate distance measurement to localize the mobile device.

Car Connectivity Consortium Delivers Digital Key Release 3.0 Specification

NTT Docomo and Sony demonstrated UWB car keys in action last January running on Android Osaifu Keitai hardware. Sony (FeliCa) and NXP (MIFARE and UWB chipsets) have worked closely to extend both FeliCa and MIFARE into the UWB Touchless era. The CCC Digital Key specification is open to any Secure Element provider. UWB + Bluetooth Low Energy (BLE) is simply another radio communication layer in addition to NFC.

Diagram from Car Connectivity Consortium (CCC) Digital Key 2.0 White Paper, the recently released 3.0 spec adds UWB
Mobile FeliCa UWB Touchless diagram from NTT Docomo, NXP MIFARE works exactly the same way

This is significant as it opens up UWB to anything that currently uses the Secure Element and NFC. Apple has not spelled it out but suggests UWB might work with Home keys, and there is no reason UWB cannot work with all keys, transit cards and Student ID. The WWDC2021 session video Explore UWB-based car keys is a great introduction and highly recommended viewing if you have any interest in the subject. The session is a bit unusual in that the discussion covers RF hardware and performance design more than software. It feels like the target audience is car manufacturers. There is a lot of detail to get lost in but here are some simple but essential points:

Secure Element improvements: the SE has always used unique keys for mutual authentication, this has been extended with ranging key derivation

Secure communication at a distance: UWB and BLE identifier randomization with secure ranging is an important security feature as UWB Touchless works over much greater distances than NFC reader tapping

Zones: the precise motion and positioning tracking of a paired UWB device with a unique key allows for ‘passive entry’ action zones, walking towards the car unlocks it, walking away locks it, etc. without any other user interaction

RF transceiver and antenna system design: is a deep and difficult art that echoes the Suica creation story

JR East (Suica) and Hong Kong MTR (Octopus) have both said they are developing transit gates that incorporate UWB. This makes sense as Mobile FeliCa is now UWB savvy but after watching the WWDC21 session video I can only marvel at the complexity of the big picture because UWB is about mapping and using space and movement to perform an operation.

The engineers face countless problems and challenges to juggle in their quest to build a transit gate that delivers the same FeliCa NFC speed and reliability with UWB…at rush hour. They have to consider radiation patterns, system latency and processing power, localization algorithms and much more. If they achieve their stated goal, 2023 could be a very interesting year for transit.

ID in Wallet
Lots of people are excited about the possibility of adding a digital driver’s license to Wallet but as 9to5 Mac’s Chance Miller wrote, we don’t know much about it at this point. Actually in Japan we do. The Ministry of Internal Affairs and Communications (MIC) released an English PDF: First Summary Toward the Realization of Electronic Certificates for Smartphones with a diagram that explains their digital ID system architecture. MIC remarked back in November 2020 that they are in discussions with Apple to bring the digital My Number ID card architecture to Wallet. The Android version is due to launch in 2023 and will likely employ the Mobile FeliCa Multiple Secure Element domain feature described by FeliCa Dude (FeliCa using NFC-B instead of NFC-F). A similar basic architecture with different protocols and issue process will undoubtedly be used for adding digital driver’s licenses.

The Privacy question
I’ll be very interested to see how ID launches in America this fall. Which outside partner company or companies are providing the service to participating states and running the backend? I suspect it will be something similar to Student ID with Blackboard running the service for participating universities. The biggest security question in my mind is who besides the TSA will use ID in Wallet, and more importantly, how? Some governments and transit agencies are pushing face recognition as a convenience in addition to security. My preference will always be for having my ID on my own Secure Element rather than somebody’s cloud server, an ID that I authorize with my own secure intent.

Wallet UI and usability improvements
Wallet App didn’t get the makeover that some users asked for, but there are a few small improvements. Up to 16 cards can be added in iOS 15, up from 12 in iOS 14. Archived passes and multiple-pass downloads help make Wallet more useable and remove some housekeeping drudgery.

I finally got two WWDC19 Apple Pay Wallet wishes granted: (1) dynamic Wallet cards and (2) region free transit cards. Apple Card does UI things in Wallet no other card is allowed to do. As far as I know this first changed with Disney’s MagicMobile launch on iPhone, Jennifer Bailey calls them “magical moments when you tap to enter.” There are similar low-key card animations in Home key and ID cards. It’s a very small step but I hope Apple adds more over time than just sprinkling seasoning card animations. Done wisely, dynamic cards could improve Wallet usability that convey important card status and account information.

Wallet card animations are slowly making their way into the picture, but will they ever be more than silly pretty fun?

Region free transit cards means that users no longer have to change the iPhone • Apple Watch region setting to add a transit card. In iOS 15 Wallet you get the full list regardless of the region setting. It’s not perfect but it is less confusing than adding a transit card in iOS 14.

Summary
The overall reaction to iOS 15 has been somewhat muted but there are lots of new details. Apple Pay Wallet additions for home keys, office key, hotel key and ID build on technologies that have been on the Apple Pay platform for some time but Apple is leveraging them in new ways.

The unveiling of UWB Touchless is important and cutting edge, and it might revolutionize secure transactions. It is the next step not only for car keys but for transit and other services that up to now have been limited to NFC. And this time, unlike NFC, Apple is leading the way for UWB.

The bottom line is that UWB opens up a lot of possibilities for many current NFC based solutions. Expect UWB Touchless support for Wallet cards in the near future that use Express Mode in new ways, and new UWB based features for a much smarter Wallet.


UWB Gallery
Screenshots from the Explore UWB-based car keys session video

Zones
Zones are one of the exciting aspects of UWB Touchless, where functions are triggered by the simple act of walking towards or away from the car. It will be interesting to see how this is applied to UWB Touchless transit gates.

Space and movement: the UWB process

Last but not least, Power Reserve mode now supports Find My Network