More markets, more payment options, more US-exclusive features:

http://pocketnow.com/2016/10/26/samsung-pay-more-countries-in-app-online-support

13 thoughts on “More markets, more payment options, more US-exclusive features:”

  1. Skimming a few percent on each credit card transaction is good money, which is why they all want to start their own credit card or equivalent service. If you want them to consolidate you need to think up a system that penalizes the current Balkanized system.

  2. Wolfgang Rupprecht You are probably right. There also is the plethora of loyalty cards which also could be tied into this. Basically, I am tired of my wallet looking like a card deck.

  3. Wolfgang Rupprecht Actually, the “skimming” bit would still be there as part of their payment service. It is the lack of a common front end that is the issue.

  4. It strikes me that the real issue is that there isn’t a universal and cryptographically strong authentication method. If there were we’d only need one app to prove our identity to merchants. They could then map that identity to a credit card or store credit account.

  5. They can have as many solutions as they like as long as they are all compatible with every endpoint. Leave it to the user to decide what they want to use.

    Same goes for mobile payment like Vipps, MobilePay, etc. If I have one and you another it should still be possible to send one another money.

  6. I’m not a fan of either biometrics or what goes for 2-factor. Biometrics are usually used as passwords when they are more like user names. They aren’t secret. Using them as a secret opens one up to very simple attacks (like lifting fingerprints from the phone in order to unlock the same phone). 2-factor as implemented usually just means sending a text message to a phone number. That is notoriously easy to intercept or even re-route. There are already reports of attackers attacking victims’ phone numbers by porting them to their own phones.

    Real end-to-end public key crypto would solve all that, but then none of the credit card companies want that. They are afraid of losing sales when the internet connection or the computer at their end is down.

  7. I’d like to be able to generate “derivative credit cards”, with limit and validity period I define. Not physical cards, but something I could use to pay online with without worrying too much about the details leaking.

  8. Wolfgang Rupprecht We have a national service called BankID – it uses SMS + SIM hosted cryptographic delivery of a challenge phrase, and can use biometric verification if the user chooses to do so, or a PIN with 4-16 digits, which returns another encrypted SMS. It is used for online payments – web or app – and has, AFAIK, no known incidents of spoofing.

  9. There are many documented vulnerabilities of SMS for 2-factor. The simplest one is just tricking the user into downloading an app that intercepts SMS. Another is to send a message to the user that suspicious activity has been reported on their account and they need to send them the verification code that they will receive shortly to prove that they are the correct owner. The attackers then perform a password reset request and the service dutifully sends a verification code via SMS which the user then sends to the attacker. I’ve also heard of the attacker simply buying a burner cell phone and having the victim’s phone number ported to their phone. Verification for porting a number appears to be very weak, at least with some cell phone providers. The way these things work it takes a while for attacks to catch on with criminals, but once someone breaks the ice it spreads around the community.

  10. Wolfgang Rupprecht As I mentioned – for the Norwegian BankID system, the SIM contains the crypto and identification part. When you change SIM/Phone, you have to go through a rather rigorous validation process again. Intercepting the SMS doesn’t enable the attacker to “take control”.

  11. Asbjørn Heid Agreed. Phone payment apps should be able to make a “one time pad” debit/credit card number valid only long enough to complete a transaction.
