A month ago, I wrote a paper on the emerging mobile payments ecosystem, which devotes a section to Google Wallet, its strategy and the challenges it face. You can read the whole paper here: http://www.box.net/shared/fsiv1bu7ugrpp814aucx
Google's Strategy:
Google has indicated that it will not collect an interchange fee on transactions made through Google Wallet which shows that it has its eye squarely focused on the Payment Context. Google understands it stands to gain very little from the current revenue and expense sharing arrangements in place today for traditional payments. Google expects to employ a strategy similar to where they made Android a compelling “better than free” option to handset makers by offering to share a portion of search-based advertising revenues generated through the Android ecosystem.
Google also plans to lease space on its wallet solution to banks for free, compared to ISIS who will charge a rental fee. Google however has not made clear as to whether it plans on controlling the secure element outside of Nexus S, on handsets that run Android, despite not being in direct ownership of the master keys.
Challenges to GW:
Google Wallet's secure element resides on the handset, which is different from Carrier led mobile wallet initiatives(e.g. ISIS). Google Wallet is designed to be interoperable, so as to attract more partners, but so far its olive branch has not been met with reciprocal affection from other players in the payment ecosystem. If ISIS Carriers (Verizon, T-Mobile & AT&T) mandate that any and all mobile wallets must work through ISIS to function on their carrier networks, Google may be forced to modify Google Wallet so as to work with a SIM based secure element.
Also Google Wallet’s launch outside of U.S may run counter to European mobile operator’s current business model where they charge fees to banks and other service providers for putting their NFC applications on SIM cards owned by the Telco’s. As Google attempts to court European banks to be part of the Google Wallet initiative, this could deter European mobile operators from adopting Android handsets if Google continues to unilaterally control the embedded secure element. Even though Google Nexus S supports SWP (Single Wire Protocol) that allows a mobile operator to put the secure element in the SIM, Google has opted not to enable this capability in Nexus S.
It would be great to hear other opinions on what I outlined above, and within my paper.
Really excited about how this is all going to play out. I'm hoping for lots of NFC support with upcoming phones, but if the stickers are really easy to get I'd be willing to try them out as well.
Anyone got any comments/info/insights on the tap and pay thing?
I haven't read anything on the security model but from a high level it seems like its going to be a cluster f/k of fraud to me, loose your phone and you're loosing direct access to your finances.
I've had a few conversations here and there but everyones opinions seem to be the same as mine... anyone with anything to placate my fears? because this seems like something I'm going to avoid by a huge distance.
Doesn't sound any worse than regular credit card transactions, where signature verification and ID checking are never done. It might even be better, since you can lock your phone, and presumably wire it to wipe remotely or after some failed guesses.
If the wallet is something you have to manually summon and isn't running in the background all the time, it'll be safer than the contactless RFID credit cards out there now.
If you're in the US, if your card does get stolen you'll only be responsible for the first $50[1], just like if you were paying with plastic or online.
1: Legally; some cards protect you from the first $50 too, but none will make you responsible for more than $50.
Yeah I wouldn't be impressed with that. My cards don't have any amount to pay when I get compromised. Which is good as I booked a trip around Thailand and used my personal credit card for it, and used pre pay cards when I got there.
I got back and within a few weeks I started getting transactions booked to personal card. I delibratly didn't use that card this time (as this happens all the time when I head to Asia) and hence why I got the pre pay cards. But either Bangkok Airways, Air Asia, or JetStar have had there systems compromised, as sure enough like clock work the fraudulent charges started.
Luckily you mention asia and credit card fraud and you don't even have to supply evidence, Master Card just roll the transactions back immediatly and cancel the card. I guess its cheaper for them to do that waste time getting evidence for each incident.
Is it really all that different from losing your wallet? You can protect it with a pin number (http://www.google.com/wallet/how-it-works-security.html) so it sounds kind of like losing a debit card in that respect. You can still cancel your cards as soon as soon as you've noticed that you lost it as well. I wonder if the federal laws limiting credit card fraud liability to $50 will also apply here. If they do then I'm even less concerned about it.
Yeah it is alot worse because my wallet needs signatures, has things like photo id on my credit card.
One thing about that interface is how large the display is, it would be damned simple to catch someones PIN from a distance. I mean even current systems I see my friends PINs without trying ... on small covered terminals, not a 7" screen.
A nice shiny phone would slip out of someones pocket a lot easier than wallet as well, I would hazard a guess its going to be a boon for pickpockets at events. By the time you could cancel the account they could of stripped hundreds of dollars.
But thanks I will do some deeper reading around that link.
No one ever checks your signature and most stores have customer swipe pads these days, so it's not like the cahsier even touches your card in a lot of transactions.
Is that in the US? seems very relaxed to other countries I have been in. I've been declined in London, Ireland, Austrlia, Thailand, and New Zealand over my signature. From emeory I have never been checked in Spain which is notorious for credit card fraud... and I dont remember getting checked in Germany either... although I may have used a standard debit card with a PIN while I was in Germany.
Anyway I have my sig upside down on my card to create a point in time when I can proove fraud has begun (because travelling is a b/tch and after every trip I end up replacing my card and filling out forms to reclaim fraud).
I often get pulled up and have to show a secondary ID, my passport or something to prove my upside signature is infact upside down.
i don't even sign the back of my card, because they are supposed to ask for a license at that point. Its very rare anybody even looks at the credit card. Even the signature doesn't matter anymore as most of the digital pads are ineligible what you write anyways. Its just swipe and done.
"Visa will also push dynamic authentication to overcome any security worries and encourage adoption. With dynamic authentication it would be hard for a criminal to use a card at a point-of-sale system even if payment data is compromised. Visa will support personal identification numbers (PINs) and signatures--so called static authentication--but expects both to give way to dynamic authentication."
So keep better track of your phone then. The same vulnerability exists for your wallet or your keys, of course, but we've already accepted that.
This is the future. In some shockingly few decades from now it will be uncommon to carry a wallet or keys. Everything will be digital, everything will be mediated by your phone (or something similar), identity, payment, security, etc.
No the vulnerability doesn't exist with your current wallet because it has analogue trappings to prevent theft. For example my current contents require PIN as well as signature as well photo IDs on cards.
This type of fraud is so high in Britain that my cards issued there have an extra chip in the cards to slow down theives.
Although I was living in Britain when they first released 'chip and PIN' and the crims had working scanners 2-3 days after launch.
The level of determination and skill the bad guys have is amazing, and I currently see this cell phone move as a step in there favour and not mine.
The other aspect is people leave cell phones laying around, they don't tend to leave there wallets. I guess having it fully tied to your bank account will add a level of apranoia which may stop this behaviour. But for example at my last work place it was the joke to wait till someone had left there iPhone at lunch, slip it into your pocket, and after getting back to teh office convince the person they had to go back and get it. Not funny when its you, but funny enough after you watch a work mate walk several blocks and back fuming because he knows one of us has it.
Loosing your keys is not the same as for it to be effective the criminal needs to know where to use the keys, in a sense it has to be premeditated, a completely different criminal scenario.
And yeah I know a few people who have already changed their house doors to keypads and electric terminals. Guess I have a few niche geek friends, but that future is alreayd ehre for some.
Signatures are a joke, nobody checks them (I used to work in retail). And even if people did check them, they're trivial to forge (there's a copy of the signature on the card telling you what it's supposed to look like!)
Importantly, it is utterly futile to expect a shop assistant (let's say a waifish 17-year-old girl) to tell a customer (for our purposes today, a 30-year old champion cage fighter still bruised from his last bout) that their signature doesn't look right and they can't complete the transaction. Chip and PIN means any blame and bad feeling is shifted to the terminal -- for better or for worse, "computer says no".
Yep, I picked up a trick while backpackign across Asia for this. My signture is upside down on my card. So if I refute any claim that appears I can point out the fact and show at what point the transactions started.
I travell alot and I've had my gear stolen a few times, and atleast once a year (usually a month after I get back) I have to go through claims processes to remove charges which start appearing. Total pain, and why I'm suspicious of another system that looks atleast as bad as whats already out there.
Another useful term if you're interested in the truly scary data gatherers is "data broker", though good luck finding anything concrete about this shady industry.
If you live in the US and don't use cash for every purchase, I think you'd be surprised how much leeway companies have here. Many logical and straightforward protections won't ever be put into law until after some new privacy crisis comes up. This is one reason why it was so infuriating when google and apple were called in front of congress but AT&T and other cell companies were nowhere to be seen...I assume Congress is OK with that data collection (if they didn't collect location data, who could they subpoena?) but it would have been nice to at least get some of that breathless blog and news coverage aimed at the telecoms.
The hard part is disambiguating customers (which is why loyalty/discount cards are so great for them), but it is really horrifying the amount of credit card history, demographic data, grocery store purchases, prescription information (seriously) etc etc that companies can collect, cross reference, and sell while staying within the law.
I am surprised that more comments do not share this view. It is a cool technology but i worry that there are too many ulterior motives behind wanting to control your wallet on your phone. I also am not sure if the convenience factor is high enough encourage use. I can already tap my credit card against the gas pump or even at a Starbucks but I think I only done it once. I would not use it to get coupons or targeted ads pushed to my phone. Expense tracking is the only use case that interests me but with so little coverage it would not support that yet. Think what will happen is you will have a Visa app, MC app and an Amex app and then have other apps that will interact with them securely and letting you control your privacy.
This is pretty FUDdy. Think about what you are saying. That somehow, just because Google built the OS level software to support this, that they will necessarily put hooks into it to collect the record of transactions.
I quote: "Transaction information - When you use Google Wallet to conduct a transaction, information regarding the transaction may be stored in the Google Wallet Application. We may collect information about these transactions from the Google Wallet Application. We also collect transaction data from your use of the Google Wallet Service. For example, if you use the Google Wallet Application to make a purchase at a merchant or download a merchant coupon, we may obtain information regarding that transaction from the Wallet Application, from the merchant and/or a partner, as applicable. The information may include the date and time of the purchase, the store location, the amount of the purchase, and the offer associated with the transaction. "
I have no reason to believe that they are. It seems to me that the burden of proof is on those who are making the accusation that Google will be collecting this data. I am suggesting that we have no idea, and in fact I think it would be pretty shocking if Google were actually to collect that data. Hence my accusation of FUD. But if you have some sort of evidence please share it.
Here's a thought experiment: my Android phone has a camera in it. Do you also believe that Google is collecting every picture I take without my permission?
Technically neither does the transaction data. I mean, there's no technical requirement that transaction data needs to be stored on a central Google server.
They could have made some arbitrary statement like "by using the camera app you give us access to all of the pictures you ever take, so that we can back them up for you."
Maybe I'm misunderstanding google wallet, but isn't this exactly the kind of data that you would expect for it to collect? I'm not too shocked when my credit card statement has a list of merchants, addresses and times of purchases, nor when amazon (and newegg, and paypal, and...) has a list of items and dates purchased, which in turn influence the items they recommend to me for future purposes.
On the other hand, if you don't feel comfortable with google being the clearinghouse for the information...super? Use something else (and spur competition!). The OP's statement seems as monumental as which brand of credit card company he uses (and somewhat willfully blind in light of the information they can and do collect...much more than appears on our credit card statements).
Why? Is that really much worse than the huge amount of data they most likely already have about you? Unless Google gets hacked (and stores your financial info in an insecure format), or decides to steal your money, I don't see the risk being any greater than having your primary personal or business email account with Google.
Wouldn't this kind of thing be perfect for integrating Bitcoin payments into it? Or does it need Google's approval? I think Bitcoin would really take off, once we'd all have NFC phones and all the infrastructure in place.
Google's Strategy:
Google has indicated that it will not collect an interchange fee on transactions made through Google Wallet which shows that it has its eye squarely focused on the Payment Context. Google understands it stands to gain very little from the current revenue and expense sharing arrangements in place today for traditional payments. Google expects to employ a strategy similar to where they made Android a compelling “better than free” option to handset makers by offering to share a portion of search-based advertising revenues generated through the Android ecosystem.
Google also plans to lease space on its wallet solution to banks for free, compared to ISIS who will charge a rental fee. Google however has not made clear as to whether it plans on controlling the secure element outside of Nexus S, on handsets that run Android, despite not being in direct ownership of the master keys.
Challenges to GW:
Google Wallet's secure element resides on the handset, which is different from Carrier led mobile wallet initiatives(e.g. ISIS). Google Wallet is designed to be interoperable, so as to attract more partners, but so far its olive branch has not been met with reciprocal affection from other players in the payment ecosystem. If ISIS Carriers (Verizon, T-Mobile & AT&T) mandate that any and all mobile wallets must work through ISIS to function on their carrier networks, Google may be forced to modify Google Wallet so as to work with a SIM based secure element.
Also Google Wallet’s launch outside of U.S may run counter to European mobile operator’s current business model where they charge fees to banks and other service providers for putting their NFC applications on SIM cards owned by the Telco’s. As Google attempts to court European banks to be part of the Google Wallet initiative, this could deter European mobile operators from adopting Android handsets if Google continues to unilaterally control the embedded secure element. Even though Google Nexus S supports SWP (Single Wire Protocol) that allows a mobile operator to put the secure element in the SIM, Google has opted not to enable this capability in Nexus S.
It would be great to hear other opinions on what I outlined above, and within my paper.