OMNY card completes the EMV only OMNY system

After a long gestation, and a COVID related delay, the good old swipe MetroCard replacement has finally shipped. OMNY card: a ‘truth in the cloud’ EMV bank payment card, not a MIFARE or FeliCa ‘truth in the card ‘ smartcard like London Oyster or Tokyo Suica. As OMNY is a new system and MetroCard missed the transit smartcard revolution of the early 2000’s, MTA and ticketing system management company Cubic Transportation Systems decided to go all in with open loop, i.e. using ‘open payment‘ EMV contactless credit/debit cards for transit fare instead of dedicated transit cards. It’s a ‘one size fits all’ approach where bank payments cards are promoted for every kind of purchase.

The OMNY rollout has not been an easy transition for MetroCard users. One problem with the ‘one size fits all’ open loop approach is that different people have different needs: minors, seniors, disabled, daily commuters with set routes, people without bankcards and so on. Open loop cannot handle these well, if it did TfL would have killed Oyster card long ago. Hence OMNY card that appears to be an EMV branded card with CVV security number, possibly issued by a Mastercard issuer, similar to the closed loop Ventra digital card. Unlike Ventra card however, OMNY card is plastic only. It won’t be coming to Apple Pay. That’s the price of OMNY being the first transit ticketing system built completely on EMV. Why so?

As most of the open loop systems in North America, UK and Australia are designed and managed by Cubic it’s helpful to compare their ticketing system profiles.

Oyster: Open loop with Express Transit
Closed loop plastic MIFARE transit card, open loop EMV cards (plastic and digital wallet express transit).

VENTRA: Open loop without Express Transit
Closed loop plastic MIFARE card + EMV digital Ventra (Mastercard), EMV bank payment (plastic and digital wallet w/o express transit)

Opal: Open loop without Express Transit
Closed loop plastic MIFARE cards + EMV digital Opal (Mastercard), open loop EMV bank payment (plastic and digital wallet w/o express transit)

OMNY: Open loop with Express Transit
Closed loop is plastic EMV OMNY card, open loop is EMV bank payment (plastic and digital wallet with express transit)

When you carefully analyze the different systems and Express Transit use one condition becomes clear: transit systems cannot support EMV Express Transit configurations where both closed loop EMV transit cards and open loop EMV bank payment cards are on the same system. It’s a choice between supporting one or the other, not both. I suspect Cubic does this because of EMV limitations and to avoid digital wallet card clash, but to transit users the service inconsistency is simply confusing.

As with the OMNY part 1 open loop rollout, expect the part 2 OMNY card rollout to have teething problems. Judging by the low key launch announcement and social media reactions, I think it will be a slow transition. Also don’t expect the OMNY card on digital situation to change as EMVCo members seem reluctant to change or improve their department store payment technology for better transit use and service.

The EMV Express Transit Security Trade-off

The Practical EMV Relay Protection paper authored by Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, outlines a potential weakness with VISA cards when used with Apple Pay Express Transit. The BBC reported the issue which was then widely reported on Apple news sites. The authors and the BBC both frame the security issue as known by Apple, who say it’s a VISA system problem, and VISA who say the hack is only a lab project, not a real world problem. Ionut Ilascu on BleepingComputer had a concise summary:

The tests were successful only with iPhone and Visa cards. With Mastercard, a check is performed to make sure that a locked iPhone accepts transactions only from card readers with a transit merchant code.

Trying the method with Samsung Pay, the researchers found that transactions are always possible with locked Samsung devices. However, the value is always zero and transport providers charge for tickets based on data associated with these transactions.

The findings of this research have been sent to both Apple and Visa in October 2020 and May 2021, respectively, but neither fixed the problem.

Apple Pay with VISA lets hackers force payments on locked iPhones, BleepingComputer

Apple Pay uses a GlobalPlatform licensed secure element while Samsung Pay Knox technology uses a Trusted Execution Environment (TEE), it’s a flimsy apple vs orange comparison. A meaningful comparison should have compared iPhone with another secure element device, like Pixel using VISA. Because of the limited scope, it feels like an attention grabbing ploy as it involves iPhone, rather than meaningful security research.

The security paper authors concluded: “While either Visa or Apple implement a fix for the problem, we recommend users to not use Visa as a transport card in Apple Pay. If your iPhone is lost or stolen, activate the Lost Mode on your iPhone, and call your bank to block your card.” In other words, turn off the Express Transit Card option for VISA cards.

It is not Apple’s problem to fix but Apple set themselves up for this.

Steve Jobs said it best: designing anything is about choices and trade-offs. The Apple Pay that launched in 2014 was designed for credit cards with bio-authentication to authorize payment transactions. This changed in 2016 with the arrival of Suica, the first transit card on Apple Pay, and Express Transit. Express Transit and Express Mode emulate the way that transit cards and student ID are designed to work. The FeliCa and MIFARE protocols used for these cards are very secure and have a long history of safe prepaid smartcard use.

For a time, the Apple Pay security protocol design was clearly defined: EMV bank payment cards required bio-authorization for transactions while transit cards, ID cards and digital keys worked in Express mode without it.

All was good until iOS 12.3 and the arrival of EMV Express Transit that changed the rules so that credit cards could act like express mode transit cards too. No more Touch ID or Face ID authentication for using Apple Pay bank cards on Transport for London (TfL) and New York OMNY transit gates. It sounded like a good idea but Apple decided to promote these services by making EMV Express Transit ‘on by default’ when adding a credit/debit card to Wallet.

As any careful watcher of the OMNY rollout will tell you, there have been plenty of Express Transit problems, especially for MetroCard users. Most of whom have no idea Express Transit was a default on option. Express Transit issues continue to crop up as they did for Apple Card users recently with problems on the Mastercard network and Goldman Sachs side. Open loop transit comes with more downsides than promoters like to admit.

It boils down to this. When Apple activated EMV Express Transit and make it a default on, presumably to promote all kinds of Apple Pay cards for transit…cards that were never designed for it, it made Apple Pay susceptible to any and all bank card network security issues and glitches. Instead of Apple service quality or secure dedicated transit cards, the user ends up with bank and card company service level quality at the transit gate. In other words, EMV Express Transit quality is up to banks, not Apple nor the transit agency. It’s their card, they call the shots. That’s the trade-off that won’t go away.

Isn’t Oyster card supposed to be dead?

The BBC asks the question, yet again: “London’s Oyster card: Are its days numbered?” It’s no secret that Transport for London has been trying to get rid of Oyster ever since 2011 when TfL, eyes firmly locked on the London Olympics, decided to put their resources into the emerging EMV contactless standard:

The current Oyster system, though very popular, is expensive and complex to administer. Contactless bank cards use existing technology, responsibility for issuing cards would lie with the banks rather than TfL, and the operating costs should be lower.

In 2017 there was a push to nudge people away from their Oyster cards and towards contactless. One announcement rang out all over London’s tube stations: Why not use your contactless bank card today? Never top up again, and it’s the same fare as Oyster.

How Long Does The Oyster Card Have Left? Londonist (2018)

Contactless cards use, plastic and digital, surpassed Oyster card use in mid 2018, but this doesn’t mean TfL is killing Oyster. Not everybody has a smartphone or bank payment card, or wants to use them for transit and public transit, by it’s very definition, has to offer everybody the means to buy a ticket with cash at a station kiosk.

Another problem is that the EMV digital transit closed loop model isn’t a cure all solution, just one more piece of a complicated service puzzle. And so TfL’s Mike Tuckett states the obvious: “I can’t imagine a situation where everyone either will have a bank account and card suitable to pay and wants to…it’s about letting people naturally migrate towards it.” A new Oyster system is said to be coming on line later with year with weekly caps that match EMV contactless card caps.

The second, less obvious reason for keeping Oyster cards around is ‘the float‘, there’s more than half billion pounds sitting on unused Oyster cards (I’ll bet you there is more than that) which TfL earns interest on, then use to “improve the transport network“. In this sense it’s a shame that TfL didn’t go with the MIFARE stored fare model for digital wallets instead of going all in with EMV. They could be earning more interest on their float to build a transit platform business instead of giving it away to banks, but that opportunity passed in 2011.

If TfL really launches a digital EMV closed loop Oyster card similar to the digital Opal one being tested in Sydney, no guarantee that will happen, the debate might subside a little. At any rate the ‘kill Oyster it’s dead already’ debate will continue, along with stories reaching the same conclusion of the BBC piece. It’s less debate than it is entertainment, the real debate being: will public transit use ever recover to pre-COVID levels.

Secrets of iOS 15 Apple Wallet

iOS 15 Wallet is deceptive. The first impression out of the box is that nothing has changed much. It looks the same, it works the same. It doesn’t help that many of the new features won’t come until later in the iOS 15 life cycle and will be limited to certain users and regions. ID in Wallet for example is only due to launch in eight American states ‘late 2021’. Wallet keys for home only work on A12 Bionic iPhone XS and later while office and hotel key “device requirements may vary by hotel and workplace.” In Japan the iOS 15 Wallet feature section is missing altogether. The fine print reads like Apple is giving itself the biggest set of loophole opt outs ever, as if to say, ‘sorry, better luck later on.’

This is because Wallet key and ID cards are exactly like the Apple Pay launch in 2014 when the contactless payment infrastructure in America at the time was way behind Europe and Japan. The contactless transition has been bumpy, uneven and continues to plod along while stores have been slow getting their act together. Early Apple Pay adopters grew accustomed to hearing that classic gag line at checkout when things didn’t work right: “you’re holding it wrong.”

Wallet keys and ID will see a gradual measured uptake just like Apple Pay payment and transit cards. But unlike payment cards and transit cards, the reader infrastructure side of the equation for digital keys and ID cards is only just beginning. For some people it may be years before they have the opportunity to use digital key with their car, home or apartment. The initial use for Wallet ID, TSA security checks for domestic US air travel, represents only a small subset of a much wider future potential. How long will it be before state government services are fully equipped to read their own digital issue ID? And what about in-app ID checks, there’s huge but undeveloped potential there too.

Apple is leading the digital wallet transition for keys and ID as they did for payments when Apple Pay launched in 2014. Sure, there are others already doing it on a limited scale and Apple may be late to the party, but because Apple takes the time to make complex things easy to use and get it right, eventually it’s everywhere. Even without keys and ID, iOS 15 Wallet offers some deeply useful UI improvements that will remove a lot of frustration for all Wallet users. Let’s take a look.


New Add to Wallet UI
The new Add to Wallet screen with card categories is the gateway to new iOS Wallet features, it also solves long standing UI problems that confused users for adding transit cards. The main categories:

  • Debit or Credit Card
    Add debit/credit, the same process we’ve had all along.
  • Transit Card
    The add Transit Card category is new and lists all available transit cards that support direct Wallet card add and Apple Pay recharge. Transit cards that can only be added and recharged via an app such as Portland HOP and Chicago Ventra are not included. Some transit cards on the list are somewhat deceptive. Hong Kong Octopus and China T-Union cards cannot be added without certain locally issued credit/debit cards but you only get the warning message at the very end of the addition process that aborts it. The only transit cards that anybody from anywhere can add to Wallet are: Suica, PASMO, SmarTrip, Clipper and TAP.
  • Previous Cards
    Previous Cards is a new category that appears only when needed. It shows cards, keys and passes that are attached to the user Apple ID but are not currently in Wallet.

The region-free Wallet
These seemly mundane UI tweaks are much bigger than they look. Before iOS 15, Wallet did not make a clear distinction between first time card issue (adding a card) and re-adding previous cards that were already attached to the user’s Apple ID. Adding cards to Wallet was also region dependent, that is to say users had to set the iPhone region to match the issuer region to add those cards. This has been a real pain for transit cards: Japan to add Suica, Hong Kong to add Octopus, America to add SmarTrip, Clipper or TAP.

Changing the device region is easy to do, but it’s not intuitive at all and bewildered users. It’s not uncommon for people to think that changing the region messes up the Apple Pay cards they already have making them unusable, or that a certain region setting is required to use a particular card.

Neither is true, but region-dependent Wallet was a big source of confusion that kept people from using great Wallet features and caused support problems, especially for transit card users. Do a Suica search on Apple Support Communities. The number one support issue is: I lost my Suica card, how do I get it back in Wallet?

The new UI fixes this problem by making a clear distinction between removing Wallet cards vs. deleting them. Wallet has a simple rule: removing a card added directly in Wallet does not delete the card. Cards added directly in Wallet (tapping “+”) and keys are a little special as they are hooked into the user’s Apple ID. This is easy to see in Suica App which displays the unique Apple ID/Apple Pay identifier for each Suica card.

The pain point was the inability to see what cards were still attached to their Apple ID sitting on the Apple Pay server when not in Wallet. Most people assume a card not is Wallet is lost forever, the classic ‘I lost my Suica’ problem described above. This happened all the time in pre-iOS 15 Wallet when the user signed out of Apple ID without realizing it or migrated to a new iPhone without doing Wallet housecleaning on the old device. Removed cards were always parked safely in iCloud but there was no easy way to see them. With Previous Cards and region-free Wallet, you always know where to find your Wallet cards.

Knowing exactly where your Wallet cards are, in Wallet or parked on the server, and how to really truly delete them from the cloud, makes using Apple Pay easier. When users understand that Apple Pay has their back, they trust and use it more. Trust is far more important than technology.

From now on the new rules are: removing a card only removes it from Wallet. Only the extra step of removing a credit/debit card from Previous Cards removes it completely from Apple ID. Stored value cards like Suica can only be deleted with the card issuer app.


ID in Wallet

iOS 15 devices
watchOS 8 devices
Launch states: Arizona, Georgia, Iowa, Kentucky, Maryland, Oklahoma, Utah

ID in Wallet is the biggest new iOS 15 Wallet feature, important enough that Apple announced details and launch states before the September Apple Event, which is unusual for a feature due “late 2021.” The press release clearly explains (but does not show) the exact process for adding and using an ID, and the some security details behind it. Carefully crafted screen images clearly illustrate that ID in Wallet does not show detailed personal information, not even a full name, only the ID elements that will be transmitted by NFC to the TSA reader. Like Apple Pay, users do not need to unlock, show, or hand over their device to present their ID, they simply authorize and hold to the reader.

ID Security and Privacy
It looks slick but there are lots of interesting things Apple has not shown yet, like the actual adding process, that will certainly be highlighted at the September Event. Apple is advertising high level security and privacy for ID in Wallet but there are device distinctions security concerned users will want to know about, specifically Secure Intent.

Secure intent, in a very loose sense, is the user action of confirming ‘yes I want this transaction to proceed’ by double pressing a button (Face ID and Apple Watch) or a long press (Touch ID). But there are important differences: by Apple’s official definition, Face ID iPhone and Apple Watch are secure intent devices, Touch ID iPhone is not.

Secure intent provides a way to confirm a user’s intent without any interaction with the operating system or Application Processor. The connection is a physical link—from a physical button to the Secure Enclave…With this link, users can confirm their intent to complete an operation in a way designed such that even software running with root privileges or in the kernel can’t spoof…A double-press on the appropriate button when prompted by the user interface signals confirmation of user intent.

The most secure ID in Wallet secure intent transaction is a double press button authorization action that tells the secure enclave, where your biometrics are stored, to release authentication to the secure element, where your ID credentials are stored, for the transaction magic take place. Apple: “Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it.” There is no Express Mode for ID card nor would you want there to be.

There is another aspect to consider, one that Apple certainly won’t divulge: who manages and runs the backend centralized mobile ID issue service that plugs into Apple Pay servers. The direct in Wallet ID card add process demonstrates a high level of integration: “Similar to how customers add new credit cards and transit passes to Wallet today, they can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID.”

We can get an idea of what’s involved on the ID backend from the Japanese Ministry of Internal Affairs and Communications (MIC) English PDF document: First Summary Toward the Realization of Electronic Certificates for Smartphones with a diagram of the digital ID system architecture for the Individual Number Card (My Number). MIC are in discussions with Apple to bring the digital My Number ID to Wallet. The Android version is set to launch in 2022.

There has to be a partner service company that sub-contracts mobile ID issue services to participating state governments…somebody that does the heavy lifting of linking various state database servers to provide a centralized card issuing service so that Apple can provide a seamless ID add card experience. But it must be an independent entity that can provide the same set of backend ID issue services to other digital wallet platforms (Google Pay, Samsung Pay, etc.) at some point. Because if it is not an independent entity providing those services, Apple is inviting more claims that Apple Pay is a monopoly. It’s a mystery worth digging into. Nevertheless, Apple is paving the way by integrating ID issue directly in Wallet that eliminates crappy 3rd party apps. It’s a huge effort that hopefully makes digital ID easy, practical and widely used.


Digital Keys and Power Reserve Express Mode
Home, office and hotel keys are the first new iOS 15 Wallet feature on launch day. Where is the Add to Wallet Key Card category? There isn’t one. Keys are slightly different and cannot be added (issued for the first time) to Wallet directly because the mobile key issuing company has to confirm user identity before giving the key. The most common way to add keys for the first time is with an app. From the Apple car key support page:

Open the car manufacturer’s app and follow the instructions to set up a key…Depending on your vehicle, you might be able to add car keys from a link that your car maker sends to you in an email or text message, or by following steps on your car’s information display.

Keys removed from Wallet can be re-added quickly via Previous Cards. According to the iOS 15 and watchOS preview page, keys appear to come in 2 basic varieties, sharable and un-sharable, device specs are different depending on the type of key.

  • Sharable keys
    • Car keys with Ultra Wideband
    • iPhones and Apple Watches equipped with U1 chip (iPhone 11 • Apple Watch 6 and later)

    • Car keys (NFC)
    • Home keys
    • iPhone XS • Apple Watch 5 and later
  • Un-sharable keys
    • Office key
    • Hotel key
    • Device requirements may vary by hotel and workplace

All keys work in Express Mode as keys, unlike ID, require Express Mode to be useful. iPhone XS with A12 Bionic powered NFC supports Express Mode Power Reserve, a huge performance difference from previous Apple Silicon. The extra 5 hours of power reserve key access with a drained iPhone battery are crucial and it’s understandable why Apple set iPhone XS as the base iPhone for using car and home keys.

There might be conditions for office and hotel keys depending on the key issuer. In Japan for example iPhone 6s, iPhone 6s Plus, iPhone SE (1st generation) cannot be used for FeliCa based key access, hence the ‘device requirements may vary’ tag.

One more issue here is that mobile key issue is a complex process for hotels, and one assumes offices as well, one that usually requires an app with an account to securely issue a mobile key with set limitations (time, area, etc.).

It’s important to note that issuing digital keys is only one step of the complex process that allows guests to bypass the front desk. Apple’s announcement certainly does not spell the end of the hotel app as we know it…

It’s a big step toward streamlining a process that has, until this point, prevented many guests from using their phone as a digital room key. But, Wallet only solves one segment of the end-to-end operation required to get a guest checked in and room access issued. The bigger issue is connecting identity with access, which requires many more steps beyond issuing a key.

How Apple’s Newest Features Will Affect Hotel Check-in

Pairing an identity with access is the core issue of key issue. If I had a crystal ball to read, I might see a future where your ID in Wallet is the only confirmation needed to add a key directly in Wallet, no apps. It would be nice if things turned out that way over time. Perhaps that is one of Apple’s goals for releasing home-hotel-office keys and ID at the same time.

Wallet expansion and housekeeping
The last improvement is that iOS 15 Wallet now holds up to 16 cards. The previous limit was 12 cards (8 cards for pre-A11 iPhone). If you have trouble adding more than 12, remove one taking the total down to 11 cards, then add more cards up to the new limit. The limit is defined as cards that use the secure element for transactions: payment cards, transit cards, keys, and ID. Passes don’t count and used passes are automatically cleared and stored in the new archived passes category. One hopes Wallet will do similar housekeeping for expired hotel keys in later iOS 15 releases.

The expansion seems trivial but 4 more parking spaces in Wallet garage is a godsend not only for card otaku but also for regular users who already have lots of payment and transit cards. The housekeeping changes are appropriate and timely, going forward we’ll all be adding car, home, office, and hotel keys along with our driver’s license to an ever growing Wallet.

UPDATE
An earlier edit of this post incorrectly stated that watchOS 8 Wallet did not support hotel and office keys (they were not listed on Apple’s watchOS 8 preview page but mentioned on a separate PR release). Apple PR reached out regarding the error and has been corrected.

Last updated 2021-09-15

UWB Touchless Express Transit and Apple Pay for iOS 15?

A recent sudden surge of hits from Hong Kong accessing my December 2019 UWB Touchless Mobile FeliCa post seemed odd. I dug around and it appears that Hong Kong MTR, like JR East, is making noises about incorporating UWB technology in next generation transit gates.

iOS 14.5 added a new PassKit call for Bluetooth and the U1 chip integration since iPhone 11 and Apple Watch 6, coupled with global FeliCa support certainly puts Apple ahead of the game. I have no idea what WWDC21 will deliver but more UWB integration is a given.

Apple only mentioned UWB Touchless at WWDC20 in connection with digital car key without showing anything because the Car Connectivity Consortium Digital Key 3.0 spec was a work in progress. Now that the spec is in-place with BMW said to deliver car models incorporating UWB Touchless this year, will Apple show it in action? I think it’s highly likely, but since Car Key is a ‘Wallet Card’, and Wallet app Express Cards come is 3 types: Transit, Student ID, and Car Key, the more interesting question is…will Apple also show Touchless Transit and Student ID Express Cards? And what about Apple Pay?

People think Touchless is a completely new thing for ‘keep smartphone in pocket’ transactions, and they worry about security. You can’t blame them because marketers are selling the in-pocket payment experience. However, Touchless is simply long distance NFC without NFC. All UWB Touchless does is describe the frequency to use Bluetooth instead of NFC. The background stuff, secure element and so on, is exactly the same. This means user interaction is the same. For walking through transit gates and security doors, or unlocking your car, the convenience of Touchless is easy to understand: no more NFC tapping, just keep moving.

What about Express Card payments? The current Apple Pay Suica payment checkout experience: the user taps Suica on a touchscreen, or tells the clerk “Suica” then holds the device to the reader. The user has to give consent before the transaction is activated by checkout staff or the self checkout reader. For Apple Pay EMV transactions users have the extra step of confirming a transaction by Face ID/Touch ID to complete it.

Realistically however, in what situations does Touchless make store checkout more convenient and faster? Drive thru certainly, supermarkets…maybe, but most stores will probably not want to invest in Touchless without a good reason when the NFC readers they already have installed get the job done. There is one more interesting role that Apple has planned for UWB however, one that promises to improve the entire Apple Pay and Wallet experience: communicating with the reader before transaction to select the right Wallet card for the job, at a distance, for a truly smart Wallet app. With national ID cards, passports and more coming to Wallet at some point, UWB could be the Wallet reboot we really need.

And then there is EMVCo. The problems with UWB Touchless for EMVCo are that: (1) Touchless only works with devices with batteries, á la AirTag, and doesn’t work with the current plastic card model, (2) UWB + Bluetooth level the digital playing field with FeliCa and MIFARE, no more ‘real’ vs ‘who cares’ NFC hardware flavors to split hairs over. The plastic card NFC limitation is probably a bitter pill for everybody but especially for EMVCo members and issuers as plastic card issue is big business, and many customers are more comfortable with plastic cards. For those reasons I think EMVCo will be the last to support UWB Touchless, if they do at all. On the plus side Touchless does give digital wallet platforms an edge to create smart aware wallets, digital does NFC and Touchless, plastic only does NFC. We’ll find out about Apple’s UWB Touchless roadmap at WWDC21.