Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.
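The quoted paragraph describes three gates the server applies before it hands the Payment Service Provider a decryption key: the report is checked for integrity, checked for authenticity, and checked for freshness against a 60 second window. The sketch below is an added illustration of that ordering and is not Apple's code; the HMAC-SHA256 tag over a JSON report, the field names (`device_id`, `read_at`) and the demo key are all constructed for the example, since the document does not reveal the real message format.

```python
import hashlib
import hmac
import json

# The 60 second bound is the figure quoted from the APS document.
FRESHNESS_WINDOW_SECONDS = 60

# Constructed demo key. A real deployment would use per-device key material
# established during provisioning, never a shared constant.
DEMO_MAC_KEY = b"constructed-demo-mac-key"


def sign_read_report(payload, key):
    """Device side (constructed): tag the canonical JSON encoding of a card-read report."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def validate_read_report(report, key, now, window=FRESHNESS_WINDOW_SECONDS):
    """Server side: return (ok, reason).

    The MAC is verified before any field of the body is parsed or trusted, so a
    forged or altered timestamp can never influence the freshness decision.
    """
    body = report.get("body", "")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, report.get("tag", "")):
        return False, "bad_mac"
    try:
        payload = json.loads(body)
        read_at = float(payload["read_at"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    age = now - read_at
    # Reject reads from the future as well as reads older than the window.
    if not 0 <= age <= window:
        return False, "stale"
    return True, "ok"


def release_decryption_key(report, key, now, key_store):
    """Release the PSP's decryption key only after both checks pass."""
    ok, reason = validate_read_report(report, key, now)
    if not ok:
        return None, reason
    device_id = json.loads(report["body"])["device_id"]
    return key_store.get(device_id), "ok"


if __name__ == "__main__":
    # Constructed sample: a read reported at t=1000 checked 30 seconds later.
    rep = sign_read_report({"device_id": "dev-1", "read_at": 1000.0, "cipher": "00ff"}, DEMO_MAC_KEY)
    print(validate_read_report(rep, DEMO_MAC_KEY, now=1030.0))   # (True, 'ok')
    print(validate_read_report(rep, DEMO_MAC_KEY, now=1061.0))   # (False, 'stale')
```

Two things worth noticing in the order of checks: a report with a bad tag is rejected as `bad_mac` even if its timestamp looks fresh, and a report whose body has been edited to a newer timestamp also fails as `bad_mac`, because the tag no longer matches. A time window on its own does not stop a verbatim replay inside the 60 seconds, so a real server would also need to remember recently seen reports; the APS text does not say how Apple handles that.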

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use. The same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money? Apple seems confused about it, just like Express Mode vs Express Transit) and ID in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly like what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode, with double-click + authentication required to show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps”.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time if you have any interest in Apple Pay and Wallet.

The mobile wallet chokepoint

I ran across an untidy but interesting Twitter thread that mentioned Apple Pay Suica in the larger context of evolving NFC smartphone services.

Suica (Metro card / digital money in Japan) now lets you transfer the card to Apple Pay. Some thoughts about the future of FOBs, cards, and wallets…You use NFC to transfer your Suica by tapping the card with your iPhone, the same way you’d tap to use Apple Pay.

Devices support some kinds of NFC but not others. Until now, you couldn’t tap to use credit cards — it was blocked by the device.

But this is changing! Apple will support card payments now, in an app that IT will make & provide to vendors. This lets Apple compete in new hardware markets: first phones, now point-of-sale, payments, inventory mgmt, etc.

Physical cards are on the way out. But not everyone is on-board. FOBs, subway cards, ID cards, drivers licenses, and building security cards have been slow adopters of mobile. I’d love to copy my building FOB to my phone 😁 There’s nothing stopping me other than that I can’t.

Apple is moving into those markets….Airports, Driver licenses (in 30 / 50 US states). How far this tech goes & the speed of adoption depends on iOS, Android, and the people at ID / security / FOB / card companies adopting the change. They may need help! And there may be startup potential in that space… if anybody is interested!

Twitter thread

The intention was to discuss the implications of Apple’s recent Tap to Pay on iPhone announcement, but it stumbled over a rarely discussed but vital point: the extremely slow migration of various physical card services to mobile devices. Why can’t we just load these in Wallet…all the technology is in place, right?

The mobile chokepoint is not technology but the backend systems needed to seamlessly deliver, verify and securely manage individual ‘card’ services (payment cards, transit cards, ID cards, keys, etc.) in digital wallets. Those systems are not up to the job. You can be sure that Apple wants to get iOS 15 ID in Wallet driver licenses out as quickly as possible, but corralling all those state-run systems into a coherent, user friendly whole that holds up to the high expectations of the massive base of iPhone users eagerly waiting to use it is a very big challenge. It’s a similar challenge behind every kind of digital wallet service.

This backend weakness is easy to see with transit cards. There are relatively few on mobile, and most of them are exclusive to or limited to certain digital wallets like Apple Pay and Samsung Pay. There are special challenges too, as a mobile transit card service hosts all the functions of ye olde station kiosk card machine (card issue, adding money, pass renewal, etc.) and more, in the cloud, pushing it out to apps and connecting to digital wallet platforms like Apple Pay.

Despite the challenges, the rewards for going mobile are clear. If there is one lesson Apple Pay proved in Japan with Suica it is that building a mobile foundation early on is key to future success. Mobile laggards like Hong Kong Octopus have paid a heavy price. Unfortunately for regions where transit is operated as a public service instead of a sustainable business, spending money building transit card mobile service systems is often considered an extravagance.

This is why open loop is popular as a means to get out of the plastic smartcard issue business and get mobile transit service for free using the EMV contactless VISA-mastercard-AMEX payment networks. Like many things in life, free is never free.

Banks have had an easier path to mobile thanks to the strength of EMV payment networks, but only on the payment transaction end. Mobile card issue is another matter, left up to individual banks. Look at the Apple Pay participating bank list for the United States. The long list didn’t happen overnight. It has taken years for the mobile backend systems to be put in place to make this happen.

It’s all about the backend
A sadly overlooked aspect of the Japanese market is the crazy collection of contactless payment options: Suica, iD, QUICPay, WAON, nanaco, Edy, PayPay, LinePay, dBarai, VISA-mastercard-AMEX Touch payments and more. The reason for this is Japan’s early lead in creating the first mobile payment platform, Osaifu Keitai, in 2004.

Not everybody used Osaifu Keitai early on, but it grew the mobile payments foundation so the market was ready for new mobile payment platforms when Apple Pay launched in 2016. More importantly, the early lead also meant that bank card issuers, payment networks and transit companies had backend systems firmly in place servicing a large installed base of various digital wallet capable handsets (Symbian) and smartphones (Android) that quickly extended to Apple Pay and Google Pay.

The backend flexibility is easy to see on the Mobile Suica page that shows all the different Mobile Suica flavors: Android (Osaifu Keitai), Apple Pay, Google Pay, Rakuten Pay. Mobile Suica is also on Garmin Pay, Fitbit Pay and is coming to Wear OS.

Mobile issue and verification
Adding a ‘card’ to a mobile wallet is sometimes called ‘onboarding’, but this is really a banking term: “digital onboarding is an online process to bring in new customers,” as in setting up a payment account and getting an instant issue debit or prepaid card to use in Wallet with an app, or using the app for QR Code payments (like PayPay or Toyota Wallet).

Success or failure for any mobile wallet card service depends on reliability, simplicity and the speed of adding cards and using them. From VISA:

When it comes to digital onboarding, the average amount of time after which customers abandon their application is 14 minutes and 20 seconds. Any longer than this, and 55 percent of customers leave the process.

How to boost your customer’s onboarding experience

There is also context. Futzing for 14 minutes might apply to people setting up a bank app, but a transit app user trying to get through a ticket gate at rush hour is a completely different matter. Judging from the large number of negative Suica App user reviews and complaints on Twitter, Japanese transit users probably give it 2 minutes before giving up and calling it all crap. Speed is the key.

How long does it take?
The speed of adding a card to Wallet depends on a number of factors: what kind of wallet service we are dealing with (car key, hotel key, home key, office key, payment, transit, ID), whether the user needs an account first, whether a physical card can be transferred, and what kind of user verification is required.

User verification with digital credentials is still in its infancy, which is why driver’s licenses and state IDs in Apple Wallet are fascinating and important. How does one authenticate their own ID card? Apple explains the process but doesn’t say how long verification takes or reveal backend details:

Similar to how customers add new credit cards and transit passes to Wallet today, they can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID… The customer will then be asked to use their iPhone to scan their physical driver’s license or state ID card and take a selfie, which will be securely provided to the issuing state for verification. As an additional security step, users will also be prompted to complete a series of facial and head movements during the setup process. Once verified by the issuing state, the customer’s ID or driver’s license will be added to Wallet.

The verification process is similar to the recent addition of Mobile Suica student commuter pass purchases, where students take a picture of their student ID and upload it. Online verification takes ‘up to 2 business days’ because Mobile Suica has to manually verify the ID information with the school. Hopefully the Face ID setup-like ‘additional security step’ is the magic iPhone ingredient for instant verification by the state issuer. However, notice that Apple doesn’t spell out where the face and head movements are stored. Hopefully it will stay in the Secure Enclave and never be stored on a server. We shall see when ID in Wallet launches with the iOS 15.4 update.

As you can see from the table below, the journey from backend system to Wallet varies widely by the type of service. The easier additions are the ones done in Wallet app: card scans for payment cards and ID or simply tapping to add transit cards.

Physical card scans are the primary way to add payment cards, but this is changing: apps will replace plastic card scans over time. In Japan there are a growing number of ‘instant issue’ credit/debit digital cards from top tier banks that can only be added to Wallet with an app and account. Digital onboarding is the direction banks are going, where everybody has to go to an app first to add a card to Wallet. This leaves transit cards as the only card that can be added without an app or account.

Who owns the thing in Wallet?
Physical keys, fobs and plastic cards may seem inconvenient at times, but they are personal property we carry on our person. One downside of digital wallets is that convenience carries a risk: the thing in Wallet isn’t necessarily ours. What is added with a simple tap can also be taken away by a technical glitch, or in a worst case scenario, without our consent. As backend systems improve and integrate, more services will migrate to our digital wallets. Without doubt much of this will be convenient, but read the fine print and always keep your eyes open to the tradeoffs and risks. In other words, don’t let your digital wallet become a potential chokepoint of your life.

The digital wallet endgame should never be like this

Why the fuss about an iPhone NFC payment terminal?

I have to admit I’m a little confused about the brouhaha over the latest Mark Gurman rumor: “Apple is planning a new service that will let businesses accept payments directly on their iPhones without any extra hardware.”

Okay, so what are we talking here? Oh, Apple is adding new Core NFC functions that let any 3rd party app be a POS software backend!

I doubt it.

Maybe PassKit NFC Certificates are going away! Look EU, look Australia…our NFC is open for business! Anybody can use iPhone now as a payment terminal! Anybody with an iPhone can skim payment cards in the wild!

Are you kidding?

You see there is this little thing called EMV c-e-r-t-i-f-i-c-a-t-i-o-n for all payment terminal hardware and separate certification for VISA, Mastercard, etc. Do people really think Apple is going to give those away for free along with a bundled POS app for payment transactions? Think again.

Look, there are a ton of certified cheap Android based NFC-QR-whatchamacallit all-in-one reader devices out there that suck. They’re only as good as the network connection, the OS and the POS app + payment transaction backend. Apple isn’t going to compete with that.

I don’t know about anybody else but I’m way more interested in how Apple would pull off the business software end of this rumor because the hardware end is already a given. And it would never see the light of day in FeliCa land Japan, that’s for sure. Success in America is not guaranteed either. Just ask the App Clips team.

2022 Japan mobile payments survey results: Mobile Suica tops the bunch

The Japanese contactless payments landscape has changed considerably since the 2016 launch of Apple Pay. It certainly was the Black Ship arrival turning point that Junya Suzuki predicted: contactless payments, especially mobile contactless payments, continue to evolve in fascinating ways.

The latest Mobile Marketing Data Labo (MMD) mobile payments survey ranking for NFC payments had an interesting twist: Mobile Suica was the top NFC payment choice at 22% beating out NTT docomo iD at 21%.

That doesn’t sound like much, but this survey is asking specifically about store purchases made with a mobile device, not transit use. Mobile Suica beat iD despite a number of heavily marketed iD related dPoint rebates and bonus point campaigns. What’s even more interesting is that users said they are really interested in using Rakuten Edy, with Mobile Suica running a close 2nd place, and iD way down in 6th place. Why? 2 reasons I think: the convenience of Express Mode for purchasing things on the run while keeping a face mask in place, and points. Don’t underestimate the last one.

Tossing the local teiki for Mobile Suica
The survey got some notice in the Japanese tech media, but nobody analyzed the surprising strength of Mobile Suica despite the ongoing COVID impact on Suica transit use; perhaps it didn’t make sense to them. Mobile Suica topping the ranking doesn’t make sense by itself as suddenly gaining users in the traditional greater Tokyo Suica transit use region…but it does make sense when you add people who don’t need a local region teiki/commuter card for work because of COVID and have switched to Mobile Suica for their occasional transit needs, also using it for purchases. Instead of a plastic ICOCA, Sugoca, manaca, TOICA, etc., those users use Mobile Suica. Not everybody is switching of course, but it does put Mobile Suica use on a larger national footing than ever before, and that adds up. This, I believe, is what the MMD survey ranking is showing.

And there is JRE POINT. JRE POINT only got started when Apple Pay Japan did in 2016, but it didn’t become a serious thing until Suica Point Club was merged into JRE POINT in 2017. It has steadily grown from there and the last missing puzzle piece was added when Eki-Net Point was finally merged into JRE POINT in June 2021. JRE POINT has finally achieved synergy gluing together the far flung JR East online service pieces (Mobile Suica, JRE POINT, Eki-Net) and JR East will be aggressively marketing point campaigns and eTicket discounts that encourage users to go all in with mobile.

The survey also shows something else: dPoint isn’t very compelling despite all the campaign rebate noise. I’ve heard from iD•dBarai (dPay Code Payments) users that ‘dPoint doesn’t travel well’; the NTT docomo dPoint economic zone lock-in isn’t very compelling from the inside. This is confirmed by MMD’s code payment app satisfaction survey that ranks dBarai in 4th place, far below Rakuten Pay at #1 and PayPay at #2. From my own experience, I use dPoint when upgrading to a new iPhone and nothing else. The SoftBank economic zone (Z Holdings et al.) was clever in that they made ubiquitous availability and cash rebates, instead of points, the service lock-in.

And then there is Rakuten POINT economic zone. The survey interest ranking is measuring Rakuten POINT interest not Rakuten Edy. The ability to earn and use Rakuten POINT across online shopping, stock trading, travel reservations and more is big. The gist of it all is that Japanese users care more about points than the contactless payment type. Long term I think the most successful payment economic zone players will follow the Toyota Wallet model, a wallet app offering flexible multiple payment options (QR, NFC, etc.). Apple and Rakuten need to hurry up with Apple Pay Edy, the very last eMoney holdout.

UPDATE
Forgot to include the corporate travel angle driving Mobile Suica use.

The contactless payment ramen shop connection

Have you ever noticed that ramen shops in Japan kinda stick together? If there is one, there is another one close by, maybe two or three. And not just ramen shops, it can be Japanese sweets, eateries, anything. This might seem strange at first, but there is a well known traditional Japanese business sense behind it. Two is better than one because more choices drive more foot traffic and interest. ‘Hey, let’s go to the local ramen shop district and get something to eat.’ This common interest is why store rivals tolerate each other: the increased customer interest and traffic drives business for everybody. All boats rise together.

I was reminded of this when a Japanese friend scolded me for constantly putting down code payments like PayPay when the speed and ease of Suica is so superior. “Why is it westerners always see things as black and white? Lots of choices drives interest right?” He was right of course. Coming from a western mindset it’s too easy to fall into the same old double standard of saying more choice is better on one hand, while on the other insisting that we should only use one thing. The old one size fits all, my choices are the best for everyone.

I also think there’s another, much larger and unacknowledged cultural difference regarding the concept of service: the Japanese mind tends to think of good service as being offered many options, while the western mind tends to think of good service as fulfilling one’s personal needs and wants of the moment. It may seem like a small difference but it’s a completely different way of seeing things. It’s also a good reminder that what’s convenient to our person is not necessarily convenient to other people.

One size doesn’t fit all. What’s the point of having all that different hardware when everybody’s forced to use the same software? Lots of choices for lots of people works better in the end…it drives interest in mobile payments when there are still a lot of people in Japan who have yet to use anything but plastic or cash. Variety invites and lifts all boats.

Pick one