
They say this supports chip-and-PIN, but I don't believe them until they explain how. If I have a chip-and-PIN card from my bank, the chip has an unreadable secret used to generate one-time cryptograms to verify the authenticity of the card. There's no way to get that secret onto my Plastc card. You'd need partnerships with banks to get a new secret the way Apple Pay does. Without those, this sounds like it'll be useless once the chip-and-PIN switch happens in a year or so.



On the bottom of their wallet tab [1], they list several participating banks, so it sounds like they might have those partnerships you mention.

[1] https://www.plastc.com/wallet


From their website: "Plastc Inc., this website and the products and/or services offered on this website are neither endorsed, nor sponsored by, nor affiliated with, the above-referenced banking/financial institutions and/or retailers. Each of Visa, Mastercard, American Express, Charles Schwab, Citi, Chase, Bank of America, US Bank, Wells Fargo, and Apple are registered trademarks of their respective owners and this website does not endorse or sponsor any such trademarks or their respective owners."


Interesting that the list of banks is nearly the same as that of ApplePay. I'm glad there are some forward-thinking enough banks willing to push technology forward.


Or they just found a way to implement ApplePay on their card.


Implementing Apple Pay isn't a technical feat. There's a standard for it.[1] As long as the banks let you access their token generation service, it's straightforward. However, I haven't heard of anyone other than Apple getting that permission. It'll happen soon enough, but the chances that these guys are the first seem slim to me.

[1] http://clover-developers.blogspot.com/2014/09/apple-pay.html


I think it might be a bit of a misrepresentation. They will have their own 3rd party payment service à la PayPal, but you will be able to use the card to decide which payment method associated with that account gets used.

Just a guess! But it would avoid some pretty massive technical hurdles to international acceptance.


As far as the current public information goes, Apple Pay tokenizes your credit/debit card and uses that to pay, which means your bank processes the payment. Apple won't process the payments themselves.


The card connects to your iPhone (for proximity detection). Perhaps the card accesses Apple Pay on your phone when making the transaction, therefore your phone needs to be in your pocket while inputting the chip and PIN? Just a thought.


Not a snowball's chance in hell. Apple's whole play for Apple Pay is security. They will not be allowing third party cards to receive credential info.


My point was that there are banks that will never adopt new technologies, then there's the likes of AmEx, Chase, Wells Fargo, etc, who have now signed on to two different (and to a certain extent, competing) technologies that they don't have to adopt, only because it pushes the industry forward.

But yeah, they obviously found a way to implement ApplePay - hell, Apple probably did it for them.


Question is what exactly "participating" means.

Banks generally hate anything that takes away their branding. Less sleek versions of this -- i.e. reprogrammable Visa cards -- have been around for a few years, but banks never supported them, again because of branding.


It looks like it displays the logo, so it isn't out of the question for banks (now starting to be scared of being disintermediated) to maybe throw in some "support" (aka tepidly allow access). After all, Apple Pay also reduces branding (and Apple takes a cut), and threatens a lot of the industry as what you pay with becomes a minor matter (and also massively encourages a single default card).


Does Apple Pay actually reduce branding that much? I bet I'm not the only one who saw the Apple Pay demo and noticed that it displays a nice, large, full-color image of the card being used. Cards with a certain cachet, then (AmEx black, other high-end cards) will still be quite prominently displayed. Indeed, a backlit display might even make more of a brand impression than the physical card, in some situations.

I also am not certain that Apple Pay "massively encourages" a single default card. It looked quite easy in the demo to display multiple cards and switch between them. Looked easier than taking a card out of a crowded wallet and putting it back in, actually.


Eh, as far as default goes, it is another step; the second page of Google results is easy to get to, too, but people don't. Part of what generates alternate card usage today is the messy wallet: sometimes the card isn't in the right place, or doesn't come to hand.

Also there are some practical IRL issues that come up with most NFC payment readers (namely a lot of the installed readers have short range and awkward pad placement), which makes non-default much less attractive.

As for the display issue, the issuers' concern is that they are pretty limited as far as making things distinct. I mean hell, every card company is going to have black cards. There are no sideways cards, no premium materials, no metallics, etc. They have a relatively small image, which has to still look good even if cropped to lose the bottom 80%. Basically they get space for a bank logo, a card logo, and a non-distracting background.

So if they are willing to give up on all that and a fee, it doesn't seem all that out of the question for them to allow their logos to be used on a flexible card, and (presumably) not pay a fee.


The transaction fees and 15% interest they collect on your charges is probably more important than branding, though, and they'll still get that with this.


Same for loyalty cards. Merchants are eager to give you a card or an app because they want to be seen all the time in your wallet/mobile, and you have to carry it around. They probably wouldn't see the point if they're stored away in a virtual list.


On an unrelated note... why does the image have so much white space?! [1] It is driving me nuts.

[1] https://www.plastc.com/assets/card-static/banks.png


That's exactly what I came here to say - if this can do chip and PIN, then can't we assume chip and PIN is broken? Cloning a mag stripe is trivial, cloning chip and PIN should be as close to impossible as is feasible.


For the record, Chip and PIN is kind of broken...

• "Chip and PIN is Broken" (Murdoch/Drimer/Anderson/Bond, 2010) [PDF] http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.p...

• "Chip and PIN is Broken" (Murdoch, 27C3, 2010) [Video]: http://www.youtube.com/watch?v=Ks_w352BS-Q

• "Chip & PIN is definitely broken" (Barisani/Bianco/Laurie/Franken, 2011) [Video]: http://www.youtube.com/watch?v=JABJlvrZWbY ...and slides [PDF]: http://dev.inversepath.com/download/emv/emv_2011.pdf


Well in defence of Chip and PIN (and I can't believe I'm saying this), the exploits listed above take advantage of "No Signature" provided. This is where the card just gives the basic CC information -- same as what is on the front. The bank can see this and banks only allow small transactions to go through with no signature.

In the demo they buy coffee, etc. with it. You couldn't buy something more expensive with it because the bank would deny the charge.

NFC is similar. You can use it for small transactions, but not larger ones.


That certainly isn't true of the Cambridge one.


From their paper: "We have observed variations between countries. While cards from Belgium and Estonia work like British cards, we have tested cards from Switzerland and Germany whose CVM lists specify either chip and signature or online PIN, at least while used abroad. The attack described here is not applicable to them. However, because UK point-of-sale terminals do not support online PIN, a stolen card of such a type could easily be used in the UK, by forging the cardholder’s signature."

Their attack uses offline PIN mode. This is further expanded upon in section III.

The simplified attack is such: basically the PIN signed block doesn't get sent to the bank. Verification is only between the terminal and the card, and the card (or rather the MITM hardware) returns an "all is well, transaction approved" message when in fact no such thing happened. The terminal doesn't go online and talk to the bank to verify the signed PIN block.

This is essentially a misconfiguration of the merchant terminal that ignores the result of the PIN verification.

This is similar to when you tap a card to buy something. If the merchant system doesn't go online to verify it -- which it often doesn't for small transactions (<$10) -- then you can game the system.
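A simplified model of the offline PIN gap described above, added here as an illustration and not part of the thread or of the linked paper: the terminal records "PIN OK" in its CVM Results (tag 9F34) on the strength of the card's reply, while the genuine card's own record, carried in the Issuer Application Data under the card's cryptogram, shows no PIN was ever checked. The `Card`, `Wedge` and issuer functions, the sample PIN and the two-flag CVR layout are constructed for the example, not a real issuer's encoding.

```python
from dataclasses import dataclass

SW_PIN_OK = (0x90, 0x00)   # ISO 7816 status word: VERIFY succeeded
CARD_PIN = "1234"          # constructed sample PIN

@dataclass
class Card:
    """Genuine card: records what it actually saw in a simplified CVR."""
    pin: str = CARD_PIN
    cvr_pin_tried: bool = False
    cvr_pin_ok: bool = False

    def verify(self, pin):
        self.cvr_pin_tried = True
        if pin == self.pin:
            self.cvr_pin_ok = True
            return SW_PIN_OK
        return (0x63, 0xC2)  # PIN wrong, 2 tries left

    def generate_ac(self):
        # Modelled cryptogram payload. In real EMV these bits sit in the
        # Issuer Application Data and are covered by the card's MAC, so a
        # man-in-the-middle can forward them but cannot alter them.
        return {"pin_tried": self.cvr_pin_tried, "pin_ok": self.cvr_pin_ok}

class Wedge:
    """Man-in-the-middle between terminal and card (constructed model)."""
    def __init__(self, card): self.card = card
    def verify(self, pin): return SW_PIN_OK             # card never sees VERIFY
    def generate_ac(self): return self.card.generate_ac()  # has to pass through

def terminal_transaction(iface, entered_pin):
    """Terminal side: offline PIN, then record CVM Results (tag 9F34)."""
    sw = iface.verify(entered_pin)
    # byte 1: 0x01 = plaintext PIN verified by ICC, byte 2: 0x00 = always,
    # byte 3: 0x02 = successful, 0x01 = failed
    cvm_results = bytes([0x01, 0x00, 0x02 if sw == SW_PIN_OK else 0x01])
    return {"cvm_results": cvm_results, "ac_data": iface.generate_ac()}

def naive_issuer(req):
    """Trusts the terminal's CVM Results alone: the gap discussed above."""
    return "APPROVE" if req["cvm_results"][2] == 0x02 else "DECLINE: PIN not verified"

def checking_issuer(req):
    """Cross-checks the terminal's claim against the card's own record."""
    if req["cvm_results"][2] != 0x02:
        return "DECLINE: PIN not verified"
    card = req["ac_data"]
    if not (card["pin_tried"] and card["pin_ok"]):
        return "DECLINE: CVM Results/CVR mismatch"
    return "APPROVE"

def run(entered_pin, wedged=False):
    """Returns (naive decision, cross-checking decision) for one transaction."""
    card = Card()
    req = terminal_transaction(Wedge(card) if wedged else card, entered_pin)
    return naive_issuer(req), checking_issuer(req)
```

The cross-check is an issuer-side control: the terminal's claim is only trusted when the card's MAC-protected record agrees with it.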


In the US, the big benefit of Chip and PIN will be that retailers don't have any credit card information to store.


Do they hold a unique token though? Here in the UK, I've definitely gotten "loyalty" offers printed with my receipt even though I've only ever used my debit card there and not a store card.


Depending on the system they can still get an account/card number. They shouldn't be storing it but...

They can certainly get cardholder names and that sort of thing though. Maybe they've figured out a way to generate a unique token based only on non-secure data.


It is. It's easy to see there are ways that cards and terminals can be set up badly. It also looks like there are ways that both ends can be set up correctly to get around most of the problems.

And cloning is still almost impossible. The largest risk appears to be copying card details which allows the fraudster to use cards online or in countries that don't yet have Chip and PIN. Personally I would like to see separate account numbers and details on the Chip compared to the main card number - i.e. you could copy some of the chip details but this wouldn't actually let you get anywhere because the number would immediately be flagged if it was found anywhere else. You'd then have another card number (maybe the one actually printed on the card) that you could use online.

Or perhaps we could just scrap the whole card thing for non-physical use...

(And I'm saying this as a guy who makes some of his money at this game)


Smart cards (and NFC) are designed to make it nearly impossible to extract the private key/encryption keys.


Yep, that's his point.


famous last words....


EMV has been out in the wild since the late 90s. So far all the attacks I've read about (and some of them are very serious attacks!) are to do with the protocol between card, terminal and acquirer. None that I'm aware of has yet exposed a private key, with the possible exception of one that required an electron microscope.

They are famous last words, but in this case they seem justified.


They could be doing something else funny, like providing their own credit card info to the merchant via the chip and then just billing your credit card in the background, like how Google Wallet works...


Considering they have alerts when cards are used I think that's how it has to work...


Oh, that's clever.


I'd bet on this.


If you pay attention to the video, the card sends a notification to the phone with the transaction amount & merchant information.

Knowing the transaction amount is not possible from the "sender" portion of a magstripe. You're simply handing over a credit card number. The credit card amount is negotiated over the phone/internet between the bank & merchant.

This means that the Plastc card likely has one hardcoded number that switches payments server-side. Similar to the Wallaby card or Google Wallet card.

This works perfectly fine with chip & PIN. The merchant charges the Plastc card, which in turn forwards the transaction to the correct bank.


From my careful reading of their released material this is how I think they are doing it:

They clone the magnetic stripe part of a chip and pin card and then have their own chip and pin layer that they put on top.

In the UK the only reason you can't use the magnetic stripe is because no shops allow it (if they do, then they are completely liable for the authenticity of that transaction). If you could add a chip and PIN layer on top of mag stripe data, then this might work (it would still require a lot of fiddling, and as far as I can see transactions would have to go via Plastc like Google Wallet).


This makes the most sense to me. They have their own chip and pin layer, which forwards the charge to the appropriate card account on the backend.

They probably don't have to worry about fraud, since the barrier to entry is $155 and they charge your card immediately.

The only thing that might be tricky is whether they get the 'card present' rates or not.


Plenty of shops still allow it in the UK (source: my chip broke), but hardly any employees know how to tell the till to swipe a card, so it's still difficult.


Chip-and-PIN had a * with a footnote at the bottom of the page:

"*Plastc card will be available to use across all participating locations and with all participating payments types following an over-the-air firmware update in 2015 to enable Chip and PIN and contactless payments."

Sounds like they are working on those partnerships.


That was my exact concern. Chip and PIN is kind of broken. Someone else linked to sources, so I won't. From what I remember from researching this a year or two ago, one of the attacks on Chip and PIN was to generate fake transactions with the card. If you replay those transactions to a POS terminal in the same order, they will be valid. If you use the actual card before the captured transactions, it throws off the order, making the captured ones invalid. My guess is that this card is either taking advantage of this vulnerability, or making some kind of deal with individual banks.


> You'd need partnerships with banks to get a new secret the way Apple Pay does

If this is using the EMVCo tokenization stuff, which it is widely believed that Apple is using, I don't think they would have to partner with banks. They'd just have to register with a Token Service Provider.

Here's an interesting article on this: http://www.aviso.io/apple-pay-brings-new-problems-acquirers/


One gap in my understanding is who exactly the Token Service Providers are. That article says the card networks are, but I guessed that the issuing banks were when I read the spec the first time. I'll read it again eventually, but if anyone actually knows, please share that knowledge.


I've been talking to Visa's tokenization team and several payments experts over the last few weeks about this exact topic. Currently, TSPs are only the card networks. In the future, the big banks and the payment processors will also take on TSP responsibility. It is unlikely that other actors will take on this role, given the requirements and players involved. The role that's more likely to allow for innovation is the Token Requestor role, in which virtual wallet providers and e-commerce merchants / merchant processors can play a part. Even this role will require a decent amount of scrutiny in terms of the ability to identify the validity of a transaction, which is ranked on a 0-99 scale. Very interesting future for payments.


It's both. Issuing banks can generate the payment tokens, but often, the networks can "stand-in" for the issuer, and generate the token for them on their behalf (the same way that networks can stand-in and do authorization of payments on behalf of the issuer).


The way I can see this supporting Chip and PIN is if they find a way to act as an intermediate processor -

The chip contains an application for Plastc; this is (like Amex) always acquired by Plastc (and will probably then only be allowed at participating retailers). Part of the Issuer Private Data sent in the transaction is which one of your pre-registered accounts you wish to use. That account is then charged in the background. It would work a bit like a physical PayPal.

Because unless something major has changed, I can't see banks being keen to hand over private keys to third parties.


They will never get the chip to work with a majority of card providers.

They may get the NFC component to work with all the providers which allow them to, just like you can currently use your phone to make NFC payments. :)


"Apple Pay" is not some new thing; it is an EMV standard that is implemented by many "soft wallets", and this card will probably use this same standard to implement it.


WRONG. It is part of the new EMVco standard, but has NOT been implemented anywhere but Apple Pay at this time. There were years of prep with the banks and Apple to get this initial implementation.


EMV® is a trademark dating back to 1999, and it refers to all of the specifications administered by EMVCo. The original EMV Specification (for chip-based payment instruments) is now in v4.3, with backwards-compatible EMV Next Generation Specifications in development. (http://www.emvco.com/about_emv.aspx)

EMV and EMVco are the same thing. It's the standard also implemented by RFID cards such as Mastercard PayPass and apps like Google Wallet.


The EMV tokenization standard is what you want to look up, bud.


No, that is WRONG. In the US very few companies have implemented it, but Apple is far from the first; EMV has been used overseas for a long time.


EMV tokenisation is a new standard that EMVco published this year[0], which allows the person holding the card details to generate an entirely new set of card details which are essentially aliased to the original card details. The result of all this is that Apple don't have to store the original card details.

However, the standard can allow for other things as well - it can allow for users to generate a new token per-merchant which could be used online or in person. Or merchants could generate a new token from a customer's card that'll only be usable with that merchant for storage, thus standardising what the likes of Stripe do while implementing a significant amount of backwards compatibility with the existing system.

[0] http://www.emvco.com/specifications.aspx?id=263


Retract, please.


We're not getting chip and PIN; it's actually going to be chip and signature, with chip and PIN coming later. At least that's what I've been told.


Surely this can be dealt with via HCE (Host Card Emulation), no?


Here's an explanation: "*Plastc card will be available to use across all participating locations and with all participating payments types following an over-the-air firmware update in 2015 to enable Chip and PIN and contactless payments."


Not sure why this is getting downvoted? It's right off of their website's fine print... There was a time when a comment like this that attempts to be helpful stayed at 0 in the worst case.



