Security weaknesses cool China QR code use

Not all Japanese IT journalists are gaga over QR codes. Takefumi Makino writes on ASCII that QR codes really don’t make much business sense given that Japan already has a massive NFC/FeliCa contactless payment infrastructure in place. It’s so massive that QR payment players Line Pay and PayPay have said they are considering FeliCa cards for their respective payment networks. It’s all about accessing the mature population segment (60 and above) who hold the family purse strings but don’t like using smartphones and apps to pay for things, but they will use plastic.

As Makino san points out, the most attractive aspect of QR is the low cost that cleverly leverages the existing mobile and internet/cloud infrastructure: any store owner with a smartphone can offer contactless payments. Throw in lots of reward point goodies and you have a nice payment platform lock-in. In countries without a long history of credit card use like China and India, low overhead QR codes are an attractive ‘launchpad’ to bigger, better things. But there are well known QR code security weak points.

In China ‘static’ QR codes used for paying parking ticket fines quickly became a scam problem. QR players migrated to one time use/one minute window ‘dynamic’ QR codes, but even those codes have been hijacked from customers waiting in line with smartphone out and QR code ready.
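A sketch of how a payment backend could enforce the one time use/one minute window rule for dynamic codes. This is an added example, not code from any QR payment provider; the payload layout, `issue_code`, `Verifier` and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 60                   # the "one minute window" from the text
SERVER_KEY = secrets.token_bytes(32)  # constructed demo key, known only to the backend


def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_code(account: str, now: int) -> str:
    """Payload the customer's app would render as a dynamic QR code.

    Assumes account ids never contain the '|' separator.
    """
    body = f"{account}|{now}|{secrets.token_hex(8)}"
    return f"{body}|{_tag(body)}"


class Verifier:
    def __init__(self):
        # Spent nonces; a real service would expire entries after the window.
        self._redeemed = set()

    def redeem(self, code: str, now: int) -> str:
        parts = code.split("|")
        if len(parts) != 4:
            return "malformed"
        account, issued, nonce, tag = parts
        expected = _tag(f"{account}|{issued}|{nonce}")
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"
        # Signature is valid, so 'issued' is the integer the server wrote.
        if not 0 <= now - int(issued) <= WINDOW_SECONDS:
            return "expired"
        if nonce in self._redeemed:
            return "replayed"         # one time use
        self._redeemed.add(nonce)
        return "accepted"
```

A static code has neither the timestamp nor the nonce, so nothing like the `expired` or `replayed` checks can apply to it. The dynamic code is still a bearer token: the verifier accepts whoever presents it first inside the window, so the exposure is the time the code sits on screen before it is scanned.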

The latest trend in China is paying for things ‘in-app’ or using face recognition technology, both of which have nothing to do with QR. Makino san argues that QR is really just a convenient startup technology for contactless payment systems that migrate to better and more secure technologies. I think it is a valid point. Competing payment system technologies like FeliCa/Suica will soon leverage mobile and cloud infrastructure that could eliminate the QR cost advantage. It will be fascinating to see how the QR payment startups in Japan pan out over time.

Yes, QR Codes Suck for Transit

Here are QR Codes in action at subway transit gates in Beijing.

And here is Suica in action.

Working Backwards from the User

The Suica development starting point was a user problem with magnetic card commuter passes. Old style paper passes were visually inspected at gates and could stay ‘in-wallet’ with a clear plastic opening. Magnetic card commuter passes had to be removed from the wallet and fed through the gate reader. Engineers wanted to recapture the simplicity of paper passes with IC cards.

The development process involved a lot of trial and error but Suica turned out not only to be convenient and fast but also user friendly in the way that people use things, in-wallet or otherwise. This is a classic Steve Jobs design principle: start with the user experience and work backwards to the technology.

Smartphones replicate the in-wallet experience as ‘Express Cards’ on digital wallet platforms like Apple Pay and Google Pay. The user pulls out the device and holds it to the reader. No unlocking or Touch ID/Face ID required.

QR Codes and EMV contactless on smartphones share the same transit problem of old magnetic card passes: they are not ‘in-wallet’. Devices have to be unlocked to open an app or perform a biometric authentication. This problem is compounded by poorly designed transit gate QR and EMV readers that end up forcing users to adapt to the technology and it slows everything way down. This is a design failure that would never meet the requirements of Tokyo stations where a gate has to clear 60 people a minute.

What’s fascinating to me is the assumption by some people in China, Hong Kong and even Japan that the QR Code success in China automatically qualifies it as a global payment standard regardless of the technology and business models already in place. This doesn’t ring true to me, there is something else going on.

China for example has put a lot of effort into creating and promoting the China T-Union transit card standard which can be added to MI Pay, Apple Pay and Huawei Pay. Nevertheless there are not many people using China T-Union in the video. The Japanese tweet comments say that recharging China T-Union cards is not very convenient and that the cards do not offer the point goodies that AliPay and WeChat Pay do. Bingo. Is it really that simple?

Technologies that have viable business models attached to them work better in the long run. FeliCa fares better than China T-Union or CEPAS (EZ-Link) because a transit platform like Suica does a better job of attaching services and point goodies on the back end. Perhaps if China T-Union had a better business model that offered more recharge reward goodies and services on the backend to compete with QR ecosystems people might use it more. Unfortunately, business promotion is hard for government-run transit authorities.

Japan Cashless Map for 2019

The Crowd Cast cashless map illustrates the rich variety of Japanese payment platforms

Because of its long history pioneering many of the technologies used for contactless payments, Japan is one of the most interesting, complex and difficult markets to study and analyze cashless payment trends. Accurate analysis of Japanese cashless/contactless payment trends is challenging because of fragmentation and regionality. Every market report or survey is just one tiny fragment of a much larger moving picture. An accurate map is a good starting point.

Fintech startup Crowd Cast, Ltd. CEO Takashi Hoshikawa has a blog and posted a handy helpful cashless map for 2019. It’s not perfect however so I tweaked it a bit to clearly outline the 3 basic cashless groups: plastic cards, NFC, QR.

Digital wallets like Apple Pay and Google Pay work with all the NFC flavors (A-B-F) but Apple has made a much deeper investment integrating FeliCa into the basic technology bundle that powers Apple Pay alongside EMV, delivering it globally as a payment solution that “just works”. EMV contactless is called NFC Pay in Japan and is slowly being deployed alongside existing FeliCa payment networks so that POS systems and readers “just work” with everything. Hopefully it will all be up and running in time for the 2020 Tokyo Olympics.

QR Codes are not big outside of China and I don’t see conservative markets like Europe or the US taking them up. Japanese QR Code payment platforms are cropping up thick and fast but availability has not translated to actual use. ICT Research & Consulting has released a market report on mobile cashless payments (for ¥95,000) that basically covers 2018 with a web survey of 4,062 participants. The teaser page offers a few interesting free data tidbits. I don’t trust web based surveys as a tool for analyzing a highly regional and fragmented market, but the cash vs cashless chart illustrates exactly what I wrote in the Apple Pay Japan One Year Mark: people use contactless payments like Apple Pay for coffee and train fare but do not use Apple Pay for buying a couch. However the chart offers an interesting point: Japanese people use (plastic) credit cards for larger purchases and cash for smaller ones.

The Apple Pay Japan Story so far
Japanese IT journalist Junya Suzuki predicted that Apple Pay would be the ‘black ship’ that would revolutionize contactless payments in Japan. Apple Pay turned out to be the match that finally lit the fuse of the huge Japanese contactless transit and payments infrastructure investment and launched it into orbit. The global FeliCa iPhone is an inflection point that many people have yet to recognize, one that will soon provide Apple Pay another growth opportunity in Hong Kong. A year ago I wrote:

Apple Pay in Japan is all about Apple Pay Suica which we already knew. In the Suica home base area, the Kanto region, contactless payments grew from 20% of total transactions to more than 40% in the year that Apple Pay Suica has been available… What used to be ‘some people some of the time’ is quickly transitioning to ‘most people most of the time’.

Stores and businesses interviewed for that post report that contactless digital wallet payment (Apple Pay, Google Pay, Osaifu Keitai) use continued to grow throughout 2018 but nothing is simple or straightforward:

  • Apple Pay Suica continues to drive the Apple Pay story in Japan but is highly regional as initial uptake is tied to commuter passes which are currently restricted to the JR East rail network. Nevertheless Suica issuance continues double digit growth. Japanese customers prefer easy to use prepaid cards, they will always be the gateway to cashless for the majority.
  • Only 30% of iPhone users with Apple Pay Japan capable devices (iPhone 7 and later) use Apple Pay. I suspect Osaifu Keitai and Google Pay uptake is similar or lower.

The upcoming 10% consumption tax increase will offer incentives and tax discounts for cashless purchases. The cash vs cashless trends outlined above are positive signs that change is possible with the right set of incentives and ease of use environment:

  • Plastic will continue to be king with prepaid cards the king of kings. One of the many advantages that digital wallet platforms like Apple Pay have over QR Code platforms is that plastic cards are always there as a last resort physical option. This is very important for many customers, especially the elderly. And they don’t need a battery.
  • Reward point systems and cards need to be digital (such as VAS powered Ponta) that automatically link with the appropriate transactions. Digital wallets only replace physical ones when everything can be matched and loaded on smartphones.

For Apple the key will be getting more Japanese iPhone customers to use Apple Pay by making different service parts that don’t play well together work together in new ways, i.e. the whole must be greater than the sum of the parts. Think Rakuten. Rakuten has done an excellent job building an ecosystem of e-commerce, travel reservations and other services that offer members large discounts and points. This approach will pay huge dividends when the 10% consumption tax arrives October 1.

More Smart Octopus

I assumed the Smart Octopus Coming to Apple Pay post would be ignored in the end of year rush period. However the timing perfectly coincided with an Octopus Cards Limited press conference where the CEO demurred any Octopus tie-up with Apple and the post got much more attention than I ever anticipated. Obviously there are lots of iPhone users in Hong Kong who want Smart Octopus Apple Pay. A few readers were confused by the situation and asked for some clarification.

First of all the source who correctly predicted last year’s Smart Octopus on Samsung Pay launch tipped me about the Apple Pay launch. That in itself was enough for me but here’s the thing: if Octopus Cards Limited (OCL) is really serious about expanding Octopus use on mobile platforms, taking the next step of getting Smart Octopus on Apple Pay is the only way to achieve that.

Digital Wallets like Apple Pay and Samsung Pay are the most tightly integrated NFC software and hardware digital wallet platforms out there with integrated FeliCa, but Apple is the only one to implement the necessary Secure Element on their own A Series/S Series hardware with FeliCa Networks keys, and sell the package globally. All the major NFC technologies are standard on Apple Pay: NFC A-B-F, EMV, FeliCa, MIFARE, VAS.

Smart Octopus on Google Pay might look nice on paper but it can’t achieve anything of scale yet because of the highly fragmented nature of Android: to date hardware manufacturers have yet to produce an answer to Apple’s global FeliCa iPhone and Apple Watch, even though everybody’s smartphone has an NFC A-B-F chip. Not even Google has pulled it off. Huawei says they are planning to add global FeliCa but it will take time.

OCL is playing coy because majority shareholder Hong Kong MTR has added QR Codes and EMV contactless to the transit gate mix removing the exclusive Octopus Card franchise, but the technology and market politics don’t mesh. On one hand you have a fast, established and ‘open’ in-house contactless payment system (as in anybody can buy a plastic Octopus card and ride) basically run by public transit companies. On the other hand you have slow and ‘closed’ contactless payment systems (as in only people with certified credit cards and bank accounts can ride) run by major outside credit/debit network companies chipping off money from both customers and transit companies.

In this context putting Smart Octopus on Apple Pay isn’t just adding a card to a digital wallet platform, it is also a statement of who ultimately controls, operates and benefits from the public transit gates. It’s more about market politics than technology, in other words another battle in the contactless payment turf wars. The outcome will be fascinating to watch but determines whether Octopus will remain a great transit payment platform for Hong Kong with a future, or not.

Update
It looks like we’ll have to wait a while longer for Smart Octopus on Apple Pay.

PayPay Troubles Quash QR Code Hype

SoftBank’s network meltdown was only the start of QR Code PayPay troubles. The 100 Million Yen giveaway startup campaign that was supposed to run December 4~March 31 was suddenly and unceremoniously shut down at 11:59 pm December 13. The official excuse was that 100 million yen had been given away, but then Japanese tweets started appearing complaining of credit card holders charged for PayPay purchased items that they did not purchase. There were also reports that store staff were not checking customer IDs which they are supposed to do with PayPay purchases over 30,000 JPY. Last but not least once you register a PayPay account, there is no way to delete it.

2 days later top Japanese tech journalists Tsutsumu Ishikawa and Junya Suzuki started to pick up the story on Twitter. PayPay PR answers to Suzuki san’s questions were particularly damning: PayPay apparently allowed unlimited attempts to register credit card numbers and security code numbers, reported credit card fraud cases are “in the double digits” but PayPay does not have a handle on the problem and requests that anybody with suspicious credit card PayPay charges contact the company (good luck with the user unfriendly ‘Help’ page). Yomiuri later reported that card fraudsters apparently used stolen card identities to register PayPay accounts with unlimited security code attempts. PayPay PR says this security lapse has been fixed.
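The missing control described above is a cap on failed security code checks during card registration. The sketch below is an added example, not PayPay's fix; the class name, the limit of three failures, the 24 hour lockout and the `check_with_issuer` callable are all assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 3          # assumed policy
LOCK_SECONDS = 24 * 3600  # assumed lockout period


class CardRegistrationGuard:
    """Caps failed security-code checks per card number and per account.

    Counting per card matters: an attacker can open many accounts, so a
    per-account limit alone still allows unlimited guesses against one card.
    """

    def __init__(self, check_with_issuer):
        # Hypothetical issuer call: callable(card, code) -> bool
        self._check = check_with_issuer
        # Failure timestamps per key; real storage would key on a keyed
        # hash of the card number rather than the number itself.
        self._failures = defaultdict(list)

    def _locked(self, key, now):
        recent = [t for t in self._failures[key] if now - t < LOCK_SECONDS]
        self._failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def register(self, account, card, code, now):
        keys = (("card", card), ("account", account))
        if any(self._locked(k, now) for k in keys):
            # Refuse without consulting the issuer, so a locked card
            # gives no feedback on whether the guess was right.
            return "locked"
        if self._check(card, code):
            return "registered"
        for k in keys:
            self._failures[k].append(now)
        return "rejected"
```

With a three digit security code, unlimited attempts guarantee a match within 1,000 tries; with this cap a guesser gets three tries per card per lockout period, at the cost that the real cardholder is also locked out until it expires.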

Ishikawa san summed it up nicely: somehow it’s so ‘SoftBank’ that the very campaign meant to kick start a QR Code payment boom in Japan ends up destroying the opportunity to do so.