Monday, April 9, 2012

Flaw Found in Barclays Contactless Card

ViaForensics recently discovered that user data can be stolen from the NFC chips in Barclays Visa cards without the cardholders even knowing about it. The investigation was done in conjunction with Channel 4 News.

"All I did was I tapped my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card," Thomas Cannon of ViaForensics told Channel 4 News. "That includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air." 
Typically, this would not be enough information to perform "cardholder not present" transactions over the internet or the phone, because most retailers require the three-digit signature (CVV) code from the back of the card and a valid address. However, during the course of the research it was found that there are some major online retailers that do not require this information. 
For example, Channel 4 News was able to create a new account on Amazon's website, with a different name and billing and delivery address to the card they scanned, and was able to order and receive products without any link to the cardholder. Amazon does not require the CVV code on the back of the card to process purchases.

For more information, click here.


Sunday, April 1, 2012

NFC Used in Hospital?

Here is an interesting use of NFC in hospitals. California-based Identive Group says it has partnered with WPG Americas to provide an NFC solution that transfers data from high-end medical imaging devices to multiple exam room monitors throughout a provider's office, without cables, wires or additional network investment. Here is how it works:

The innovative new solution utilizes NFC tags and readers from Identive with software from WPG Americas that associates the images from a digital x-ray camera with the patient records. An NFC tag is affixed to the digital radiography camera. The tag is simply tapped on one of Identive's SCL3711 NFC readers that are attached to the computer in each exam room. The associated software then reconfigures the wireless communication between the camera and local computer to transmit the x-ray images from the camera and associate them with the appropriate patient record.
"NFC technology makes it possible to move much of what we do in the physical world to the virtual world, in a way that is easier and more convenient. In the healthcare market there are dozens of areas that will benefit from the use of NFC, from making treatment information available to managing patient records. Partnering with WPG Americas on this NFC transfer solution allowed us to benefit from their extensive understanding of the medical office environment and their strong engineering expertise," said Dr. Manfred Mueller, Executive Vice President and Managing Director of Identive's ID Infrastructure division.
"By making it easier to transfer x-ray images from digital sensors to computer viewing monitors in multiple exam rooms, we can help doctors, dentists and other healthcare providers extend the value of this expensive equipment while ensuring the images are associated with the correct patient," explained Dave Bowers, VP Supplier Marketing for WPG Americas. "With their growing portfolio of NFC readers and tags, Identive is becoming known as the go-to company for NFC solutions. We are excited to continue our successful collaboration as we work together to extend this NFC pairing solution to other applications."


Tuesday, March 27, 2012

Berg Insight: NFC Phone Sales to Reach 100 Million This Year

According to research firm Berg Insight, about 100 million mobile phones with NFC will be sold in 2012, about triple the sales from last year.
Handset vendors released more than 40 NFC-enabled models in 2011, hoping to tap the emerging market for mobile payments.
NFC enables data to be exchanged wirelessly over distances of a few centimeters, meaning mobile phones can be used to pay for goods, store electronic tickets, download music and swap photos and business cards.
Berg Insight said it expects the global market for NFC phones to grow to 700 million phones in 2016 from 30 million in 2011.

Tuesday, March 13, 2012

Boku Unveiled NFC-Based Mobile Wallet Service with MasterCard

San Francisco-based Boku recently announced a partnership with MasterCard to offer a mobile wallet service that enables consumers to make mobile payments.
BOKU Accounts enables merchants to create easy-to-manage loyalty programs as well as targeted offers to reach customers through mobile apps, SMS text messages, push notifications or e-mails. The platform also offers consumers real-time visibility into spending and budgets tied to their account. The online campaign management system of the BOKU Accounts platform also provides merchants with sophisticated analytics so they can manage and modify these offer programs over time to maximize consumer reach and repeat business.
The BOKU Accounts MasterCard Prepaid card is issued by IDT, which is a regulated bank, licensed by the Financial Services Commission (FSC), Gibraltar, under the Banking Act 1992, pursuant to a license from MasterCard International Incorporated. Issuing banks will vary based on geographic region.

Tuesday, March 6, 2012

Apple Awarded Patent on Parental Controls

Apple recently was awarded a patent (US 8,127,982) on parental controls. Here is the abstract of the patent:

Various techniques are provided for establishing financial transaction rules to control one or more subsidiary financial accounts. In one embodiment, a financial account management application stored on a processor-based device may provide an interface for defining financial transaction rules to be applied to a subsidiary account. The financial transaction rules may be based upon transaction amounts, aggregate spending amounts over a period, merchant categories, specific merchants, geographic locations, or the like. The device may update the financial transaction rules associated with a subsidiary account by communicating the rules to an appropriate financial server. Accordingly, transactions made using the subsidiary account by a subsidiary account holder may be evaluated against the defined rules, wherein an appropriate control action is carried out if a financial transaction rule is violated.

I had a difficult time understanding this abstract, and the following figures from the patent may help in understanding the content.

This patent is actually a pretty good way to allow parents to control how much their children spend on certain credit cards. Currently it's not easy for parents to monitor what their children spend using credit cards. Although there is a limit on children's cards, parents have no way to control what their kids can buy as long as the purchase amount is less than the available credit line. The beauty of this patent is that parents will get a notification on their phone at the time certain purchases are made. Parents have the choice to accept or decline the authorization for the purchase. The notification can be triggered by certain business rules, like a single purchase amount. Another interesting feature is that parents can also review the account summary and transactions via iTunes. Apple already controls songs and apps on the iPhone/iPad, and it will control the next big one, Wallet.

Here are some interesting figures from the patent.






Wednesday, February 29, 2012

NFC-Enabled Smart Washing Machine?

Have you ever seen an NFC-enabled smart washing machine? Yes, there is one from NXP.
MoreRFID reported that NXP is currently showcasing a new RFID and NFC-enabled smart washing machine at Embedded World in Germany.
The washing machine reads information about the fabric type and color from RFID-tagged buttons, helps you avoid mixing white and dark laundry, and optimizes the washing program based on the characteristics it reads from both the clothing and the detergent itself. 
 Using an NFC-enabled phone, an authorized maintenance technician can perform diagnostics on the smart washing machine onsite, change its status, upgrade firmware, and launch an app that communicates directly with the manufacturer's service center using the phone's built-in 3G connection. 
"Major home appliances are becoming 'smarter' by the day - yet we've only started to explore the universe of possibilities when it comes to two-way communication," said Jan Willem Vogel, senior director, industrial applications marketing, NXP Semiconductors. "We're particularly excited about our new smart washing demonstrator, which brings together our advanced application insights, our expertise in RFID and NFC, as well as our broad-based understanding of the complex sub-systems driving white goods today. The demo also showcases the breadth of NXP's portfolio - the most extensive in the semiconductor industry when it comes to home appliances."


Tuesday, February 28, 2012

TazTag Launches Android Phone with Features like NFC and Zigbee

A French company, TazTag, introduced a new smartphone that supports NFC, Zigbee, and Secure Element. Called TPH-ONE, the phone is based on Android 2.3 Gingerbread. The TPH-ONE is going to be available in March.


According to TazTag, TPH-ONE runs on an 800 MHz Qualcomm processor, with 512 MB of RAM, 512 MB of storage, and a Micro SD slot allowing up to 32 GB more storage. The phone has a 5 MP auto-focus camera with a 0.3 MP front-facing camera. The display is 4", with a 480 x 800 resolution. The phone can be used in home automation, smart energy monitoring, set top box smart user interfaces, and mobile payment.

For more information, click here.

Monday, February 27, 2012

Visa Reached Deal with Intel and Vodafone Targeting Mobile Payments

Vodafone plans to install Visa's payWave platform on smartphones that have NFC support. The company will launch the service first in some countries in Europe, including Germany, the Netherlands, Spain, Turkey and the UK, this year.

According to Vodafone CEO Vittorio Colao, "The Vodafone mobile wallet represents the next stage of the smartphone revolution."

The potential benefit for Visa could be huge as currently Vodafone has about 400 million customers in more than 30 countries.


PC Magazine reported that the payWave technology is from Oberthur Technologies and that Visa signed a deal with the company to allow customers to use their phones to pay for goods and services via NFC. However, there is an interesting twist.

However, Visa will be required to approve individual devices for its payment app, providing an additional factor for consumers to consider when selecting a new phone.
....
Here's how it will work, according to Visa: users will need to purchase an NFC phone from their carrier. That phone will have to be approved by Visa. Then, the consumer will need to contact either their own bank, financial institution, or another service provider, and set up an approved account with Visa. Once that back-end arrangement has been facilitated, the purchase process will be similar to Google Wallet - at the point of sale, the user will enter a PIN, and then Visa will facilitate the payment between the user's account and the retailer.
Greene said that the Visa payWave systems will work with many wallet providers, including Google's own mobile payments solution, Google Wallet. Both Google and Isis, a rival mobile payments system backed by carriers, have committed to a broad rollout in 2012, Greene said, in response to a question about when Visa would roll out its payWave in phones solution.

If you don't like this option, you probably don't have other choices after 2013.
Visa has also set a 2013 deadline to phase out magnetic-striped cards in the U.S.

Wednesday, February 22, 2012

LG Released New Smartphone


LG recently released a new smartphone, the Optimus 3D Cube, at Mobile World Congress.


The new phone is thinner than the Optimus 3D, with a 4.3-inch 3D display, 8 GB of internal storage, 1 GB of RAM, and a 5-megapixel camera with 3D capability. The device runs on Android 2.3 (Gingerbread).



It also supports NFC and LG's Tag+ application. 


Wednesday, February 15, 2012

PayPal Stays Away from NFC

PayPal recently made a surprising announcement that the company may drop its support of NFC as a way of making mobile payments.
According to David Marcus, VP of mobile at PayPal, "By the time NFC catches up, we'll be in a world that will move away from the point-of-sales terminal."
PayPal expects users to link their phone number with a PIN-protected PayPal account. At the time of payment, the user just chooses PayPal, then enters the mobile number, and then the PIN. After the payment, a receipt will be sent to the mobile phone.
The idea behind this is that users don't have to pull out a wallet or mobile phone.
In general, this is an interesting idea. However, my issue with this idea is the lack of security. Without the presence of the phone or wallet, it can be easily stolen and used in many places within a short time. I guess we have heard enough miserable stories about identity theft. Compared with NFC, I would go with NFC.


Google Patched the Security Bug

We reported the news about the security hole in Google Wallet last Thursday. Within a few days, Google provided the fix. Osama Bedier, Vice President, Google Wallet and Payments, announced yesterday that they patched the security hole in the Google Wallet. Here is the statement from Google:
First, Google Wallet is protected by a PIN — as well as the phone’s lock screen, if a user sets that option. But sometimes users choose to disable important security mechanisms in order to gain system-level “root” access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device. 
Second, we also take concrete actions to help protect our users. For example, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon.
 And just like with any other credit card, you can get support when you need it. We provide toll-free assistance in case you lose your phone or someone manages to make an unauthorized transaction.  
Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet. In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.

In addition, the company also announced the ability to issue new prepaid cards to the wallet. If you have issues, call Google from here.

Good Job, Google!

Friday, February 10, 2012

Can your medicine packaging talk?

Yes, it can. Finland-based VTT Technical Research Centre recently developed an NFC-based application that can help visually impaired people find out medical information about a medicine package without reading its contents.
Here is how it works:
The user touches the info code on the packaging with a mobile phone. NFC acquires brief information about the package and feeds it into the application. The application then automatically downloads product and dosage information, which can be heard from the phone.
The project, named "HearMeFeelMe", is jointly developed by VTT, TopTunniste (Finland), Tecnalia (Spain) and Demokritos (Greece).

The testers' favourite was Top Tunniste's Touch 'n' Tag demo, a mobile phone application that enables visually impaired users to identify everyday items, including food, with the help of voice memos. The phone must be equipped with an NFC reader. To record a memo tag, the user touches the NFC label on the packaging and dictates the information into the phone. The recording can then be listened to by touching the label again with the phone. The test run indicated that the application was most commonly used to mark food packaging. According to the majority of users, it was useful in recognising items and recalling product information. Additional benefit was seen in the possibility of recording the desired information in the user’s own words.

Another demo application was developed during the HearMeFeelMe project, completed at the end of 2011. This was the so-called speaking medicine packaging. When touched, this provides spoken dosage instructions and other important information. The data was stored on the NFC chip by pharmacy staff and could be listened to by the user at home. The demo version was only available for PC, but the application is designed to run on programmable smartphones equipped with an NFC reader and a code scanner.

This kind of application has huge potential, not only for visually impaired people but also for elderly people. Let's wait and see. More information can be found here at VTT.


Thursday, February 9, 2012

Security Vulnerability Found in Google Wallet

Joshua Rubin of zvelo recently explained his research into the security of Google Wallet. Rubin discovered that a lost or stolen Android phone with Google Wallet configured could be as bad as a lost credit card.
Google Wallet is currently the only publicly available NFC-based payment system. It's officially available on the Samsung Nexus S 4G on the Sprint network. NFC payments rely on a Secure Element (SE) to store and encrypt sensitive data, such as the credit card number. The SE is designed to resist hacking and protect stored data.
To access the SE, Google Wallet requires a 4-digit PIN the first time the application is launched. By design, if the phone is stolen, Google Wallet can lock it up completely after a few failed PIN attempts.

viaForensics first came out with a report questioning the security of Google Wallet. Then zvelo researched this topic further and indeed found a security flaw in Google Wallet.
As we investigated the data stored in the per-app (sqlite3) database used by Google Wallet, we became intrigued by the contents of the “metadata” table that contained only 3 rows but a large “blob” of binary data in each. The name alone, “metadata,” just seemed like a poor attempt at “security by obscurity” which as we already know, “is no security at all.”

One row in this table has id ‘gmad_bytes_are_fun’ and this appears to be a sort of encrypted file system used for storing data via the SE. The contents of the binary data in this row likely includes the complete credit card information and certainly needs further vetting, but it was not this row that interested us.

Another row had an id of ‘deviceInfo’ and appeared to have much more non-null data. However, this binary data had to be parsed somehow to uncover its contents. After some more digging, we realized that this data was compiled using Google’s own “Protocol Buffers.” This is an open library for serializing data for messages passing between systems. In order to use this data, we had to define a “message format” in a “.proto” file (Protocol Buffer Basics: Java). With our custom “.proto” file in hand, we were able to uncover the contents of the binary data and were shocked at what we found. Unique User IDs (UUID), Google (GAIA) account information, Cloud to Device Messaging (C2DM, also known as “push notification”) account information, Google Wallet Setup status, “TSA” (this is probably related to “Trusted Services” not the “Transportation Security Administration”) status, SE status and most notably “Card Production Lifecycle” (CPLC) data and PIN information.

The CPLC data is a vital part of the communication with the SE. However, it was yet another binary blob that would have to be deciphered, or perhaps it just acts like a “key” to unlock the SE and has no decipherable data within.

The lynch-pin, however, was that within the PIN information section was a long integer “salt” and a SHA256 hex encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time.

Google Wallet allows only five invalid PIN entry attempts before locking the user out. With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system.

I am surprised to hear that Google Wallet is using an SQLite db as the storage engine to save data, instead of their own db engine. SQLite is a very good, lightweight relational database, but just not strong enough to be the base for a secure database. SQLite is an open source database and all data is in one data file. It's both good and bad. Here's the link for the report from zvelo.
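The reasoning in the zvelo excerpt above (a salted SHA256 of a 4-digit PIN, stored where it can be read, against a five-attempt UI lockout) can be checked with the following added example, which is not zvelo's or Google's code. The way the salt and PIN are combined is an assumption, since the excerpt gives only the field types, and the salt and PIN values are constructed.

```python
import hashlib
import time

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN
UI_ATTEMPT_LIMIT = 5  # invalid entries allowed before lockout, per the excerpt


def sha256_verifier(salt: int, pin: str) -> str:
    """ASSUMED encoding: decimal salt followed by the PIN digits.
    The excerpt only says 'long integer salt' and 'SHA256 hex encoded hash'."""
    return hashlib.sha256(f"{salt}{pin}".encode()).hexdigest()


def pbkdf2_verifier(salt: int, pin: str, iterations: int = 100_000) -> str:
    """A deliberately slow alternative, used here only for the cost comparison."""
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), str(salt).encode(), iterations
    ).hex()


class PinScreen:
    """Models the app-level lockout: it counts only guesses typed into the UI."""

    def __init__(self, salt: int, stored_hash: str):
        self.salt, self.stored_hash = salt, stored_hash
        self.invalid_attempts = 0

    def enter(self, pin: str) -> bool:
        if self.invalid_attempts >= UI_ATTEMPT_LIMIT:
            raise PermissionError("wallet locked")
        if sha256_verifier(self.salt, pin) == self.stored_hash:
            return True
        self.invalid_attempts += 1
        return False


def offline_candidates(salt, stored_hash, verifier=sha256_verifier):
    """Check the whole PIN space against a verifier read from local storage.
    Returns (matching PINs, number of hashes computed). The UI counter is
    never involved, which is why the lockout gives no protection here."""
    matches = [p for p in PIN_SPACE if verifier(salt, p) == stored_hash]
    return matches, len(PIN_SPACE)


def worst_case_seconds(verifier, salt: int = 1, samples: int = 3) -> float:
    """Time a few verifier calls and scale to the full 10,000-PIN space."""
    start = time.perf_counter()
    for i in range(samples):
        verifier(salt, PIN_SPACE[i])
    return (time.perf_counter() - start) / samples * len(PIN_SPACE)


if __name__ == "__main__":
    salt, pin = 6_912_345_678_901_234_567, "4071"  # constructed sample values
    screen = PinScreen(salt, sha256_verifier(salt, pin))
    matches, work = offline_candidates(screen.salt, screen.stored_hash)
    print("matches:", matches, "hashes:", work,
          "UI invalid attempts:", screen.invalid_attempts)
    print("SHA256 worst case (s):", worst_case_seconds(sha256_verifier))
    print("PBKDF2 worst case (s):", worst_case_seconds(pbkdf2_verifier))
```

The timing comparison shows that a slower hash only multiplies the cost by a constant: with 10,000 possible inputs, any verifier that can be read from storage can be exhausted, so the attempt limit is meaningful only if the check runs somewhere the stored value cannot be copied from.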

Tuesday, February 7, 2012

Can't Wait for the New NFC-enabled iPhone? Here's the Solution

We know Apple is going to launch an NFC-enabled iPhone in the future, maybe the iPhone 5 or iPhone 6. However, if you want an NFC solution for your iPhone to accept credit card payments, here is the solution.

Canada-based Payfirma offers a complete solution for mobile payment, including NFC and a regular card swiper. Some of its interesting features include:
  • Sign receipts right on the device
  • After the sale, it can deliver eReceipt via email directly to customer's e-mail box
  • It's PCI compliant and secure. No credit card information is stored in the device. 

This new version of the payment app allows businesses to access real-time transaction reporting with daily, weekly, and month-to-date sales, keeping merchants on top of their business. Each transaction is tagged with the location of the sale, so merchants and their customers can see their transactions on a map, right on their mobile device. This gives small businesses a new set of business intelligence to improve their sales and also increase security.
Here is the video from YouTube.

Monday, February 6, 2012

Microsoft Filing NFC Patent for Mobile Payment Service

Microsoft filed a patent application for a "Mobile Wallet and Digital Payment" service last September. Tom's Guide reported:

The filing covers a "method that facilitates securing a wireless digital transaction" for "at least one of a good or a service." Microsoft refers to mobile devices that "can include at least one mobile payment card (m-card), wherein the m-card is created by establishing a PKC-secured link to an account associated with a form of currency." The link between a mobile device and a terminal is created via near field communication (NFC), Bluetooth, Wi-Fi, or RFID. 
Microsoft's "m-card" feature is similar to a virtual credit card whose data is transmitted to a payment terminal using upon request. Only a portion of the m-card is sent to and received by the payment terminal, which will then be authenticated the organization that issued m-card and associated it with "at least one of a bank, a credit card company, an investment fund, an online brokerage, a web site, a business, a company, or a financial institution." To authorize a transaction, a user may have to press "a physical input button that can initiate a password entry, a payment, or a password entry completion."

Sunday, February 5, 2012

Microsoft Plans NFC in Windows Phone 8 'Apollo'

Late last week, there was a leak revealing Microsoft's next big move in the mobile world, Windows Phone 8. Major improvements include NFC, Skype integration and removable microSD card storage. The potential target release time is the second half of 2012.

Code-named "Apollo", Windows Phone 8 is the next major release after Windows Phone 7 "Tango". The new release will also support multi-core SoCs and new screen resolutions.

Like other major mobile players, Microsoft also targets the mobile-payment market by using NFC technology. Unlike Google, Microsoft would let phone carriers brand the payment system themselves.

As Microsoft purchased Skype some time ago, Windows Phone 8 will incorporate Skype's VoIP. It could have the potential to increase data usage on mobile phones. More related information can be found at Supersite for Windows.


Wednesday, February 1, 2012

Germans Like NFC

NFC World reported that Euro Kartensysteme conducted a survey of Germans about their impression of making payments with contactless cards or NFC phones.
Overall, 43% of respondents to the survey of 1,040 Germans aged 18-59 said they could well imagine making contactless payments in the future. Acceptance levels vary between different contactless payments technologies, however, with 58% saying they would make a payment with a contactless debit card, 50% would use an NFC phone and 41% would use a contactless credit card.

Paris Metro Uses New Cards toward NFC

The Paris Metro will start using a new payment card sometime next year. The new card uses ISO 14443 type B and is compatible with the NFC standard. The old system will remain in place alongside the new system.

Tuesday, January 31, 2012

Apple to Include NFC in the next iPhone?

DeviceMag reported that Apple is seriously considering including NFC in the next generation of iPhone. The NFC will be based on a special chip from Qualcomm.
The potential NFC partner could be MasterCard. Apple is also developing an NFC application for the iOS platform in the future. I heard this rumor many times before the iPhone 4S came out. I'm not sure whether this time it is for the iPhone 5 or iPhone 6. It really depends on how you define "next generation".

Nokia Going to Launch NFC-based Windows Phone

The Guardian reported that Nokia is working with Microsoft to develop a new top-end smartphone based on Microsoft Windows.
The new phone will have NFC capability and could be released as early as by October 2012. The current Windows Phone, Lumia models, such as 800 and 900, do not have NFC functionality. Nokia said the new features will "ship with the product that we will ship in the future".
NFC "open" allows Bluetooth pairing without the use of password by tapping the devices to be paired together: an exchange of electronic tokens takes place, so that Bluetooth connection - for a hi-fi, speakers or headset - can occur within seconds with virtually no other interaction. Current secure Bluetooth pairing otherwise requires the user to enter a password of up to eight digits.
Nokia has shipped more than a million Lumia phones since introducing them in November. The company decided to abandon its Symbian platform for high-end smartphones in January 2011 after Elop decided it could not compete against Apple's iOS and Google's Android mobile operating systems.

Another rumor is that the Nokia Lumia 900 is going to be launched on AT&T for $99 with a two-year contract. The target launch date could be March 18. It's going to be an interesting phone from Nokia.