
Apple Pay will support NFC tags - smoser
https://twitter.com/SteveMoser/status/1127949077432426496
======
smoser
From a user's point of view this seems great. No need to wait for congested
LTE to download an app in order to pay for a scooter or parking.

I'm curious about the security implications of this though. Seems like it
would be easy to make an NFC sticker "skimmer" that you sticker over the
official sticker.

~~~
heavymark
I assume it will only work with approved partners, not with any NFC sticker.

~~~
cryptonector
When the universe of approved partners is large enough, the security
considerations will be non-trivial.

~~~
dogma1138
Not really because the Apple Pay KYC process as well as the restrictions that
can be put into place would make this attack non-viable.

If I skim your card in Chicago I can bill $2000 in a “coffee place” in Manila.

The same doesn’t work with NFC tags which not only can and likely will be
geofenced but there’s no details to skim and the payment goes through Apple
Pay not the credit card network which anyone can access.

~~~
closeparen
Apple Pay is not giving away any shared secrets over the air that are useful
to steal.

I think the attack would be to place a sticker that causes unsuspecting users
to pay you instead of the intended merchant.

~~~
dogma1138
Which doesn’t work because you’ll have to pass Apple’s KYC process, and it
doesn’t scale since the NFC payment is much more limited than your credit card
limit.

------
post_break
Can it write to NFC? That's the golden goose for me. I have to use an Android
phone to write to NFC so my iPhone can read them and do things.

~~~
saagarjha
No, there exists no public API to do this.

------
fma
92% of people in China use WeChat pay as their primary payment method. Why
can't/doesn't the US adopt a QR code payment system?

https://www.businessinsider.com/alipay-wechat-pay-china-mobile-payments-street-vendors-musicians-2018-5

~~~
pertymcpert
Why not use NFC instead? You don't have to get your phone out and focus the
camera, just hold it near the sensor. Works with wearables too like Apple
Watch. NFC is just better.

~~~
shalmanese
The cost of adoption of payees is drastically lower with QR codes. Anyone who
wants to receive payments just has to print out a 10c laminated QR code and
they're on the network. This helped bootstrap the network and drive mass
adoption.

~~~
pertymcpert
The terminals are not expensive, maybe in developing countries but merchants
in the US can afford one easily.

The hot dog stand might not want it but they’re the rare case. In others NFC
is just better in every way.

------
theshrike79
This is essentially just a fancy QR code.

The tag contains the data who the payment is for and how much the payment is.
You could do the exact same thing with QR, but with more fussing and aiming
and worrying about the amount of light and whether the image is dirty or not.

~~~
ksec
>This is essentially just a fancy QR code.

But with much better UX and Security. QR Code does have its uses, but for many
things it is the wrong solution.

~~~
zulln
> Security

?

------
dstaley
Google actually demoed the same approach three years ago. [1] Hopefully now
that Apple is doing it, Android developers will finally implement it as well.

[1] https://www.greenbot.com/article/3072233/zip-pow-google-shows-off-android-instant-apps-that-load-without-installation.html

------
divan
I wonder if NFC chip implants people usually put in their hands can be
rewritten to work with this. That would be pretty dope to accept payments from
people just by asking them to tap your hand :)

~~~
leshokunin
Sure. It’s really just a url though. Nothing fancy going on: url says pay for
this item and call Apple Pay.

~~~
divan
Nice! If it's really just URL, that'll work for sure.

------
leshokunin
Interesting. I remember doing experiments with this on my Nokia C7 (one of
their last Symbian 3 phones) back in 2011. The vision of tapping nfc stickers
/ POS systems hasn’t really materialized since, but hopefully this helps. From
my discussions with various store owners, the adoption has been difficult
because changing your POS system is really painful. Hopefully this introduces
an option where the problem is sidestepped entirely.

~~~
viraptor
> The vision of tapping nfc stickers / POS systems hasn’t really materialized

In the US. Many other countries have been using NFC payments on their phones for
years.

------
arrty88
Just in time for NYC subway electronic payments!

------
cwt137
What are some of the non-payment applications of this newfound support?

~~~
penagwin
None, iPhones already can read (but not write due to lack of Apple providing
an API for it) NFC tags. This announcement is that Apple Pay will support it
as well.

------
philo23
I think a more accurate title might be "Apple Pay announces support for NFC
tags", as NFC in general has been supported since the iPhone 7, but read-only.

~~~
dang
Ok, added. Thanks!

------
NikkiA
What is written:

> Imagine tapping your phone on a scooter or a parking-meter
> and paying for it without signing up or downloading an app first.

What I read:

> Imagine putting your phone down on the bar and being charged $1000 by some
> anonymous dude that hid an NFC tag there while no one was looking.

Basically, the entire planet is now 'fair game' as a skimmer.

~~~
Someone
As others said, chances are the phone will still show you a payment takes
place, allowing you to reject it, presumably while showing the amount to be
paid and the payee.

I would also guess that:

- the first payment to a new payee to have a bit more UI.

- the phone’s setting to contain settings such as max amount to be paid per
week or month, and max amount to be paid in one transaction.

- those tags to have some cryptographic signature with Apple vetting those
wanting to get a key. A service like this can be highly successful if only a
limited number of companies (¿a few hundred?) can produce such tags.

- Apple acting as an intermediary between iOS user and payee to protect their
user’s privacy.

It also is possible that Apple will withhold payment for a few days or even
weeks, to give time to detect and correct fraudulent transactions, and give
its customers time to challenge payments.

If such challenges are handled by always repaying the iOS user, this won’t be
more dangerous than allowing selected companies to withdraw money from your
bank account whenever they see fit, something that millions of people in the
world do because it is so convenient.

For example, if Londoners enable auto top up for their Oyster card
(https://oyster.tfl.gov.uk/oyster/link/sso/0002.do),
transport for London could transfer £1000 from their bank account the next
day, even if they destroy that card seconds after signing up.

I would even expect that they can do that from any bank account even if its
owner hasn’t applied for auto top up, or even has an Oyster card. This system
is built on trust.

~~~
johnnycab
>if Londoners enable auto top up for their Oyster card, transport for London
could transfer £1000 from their bank account the next day, even if they
destroy that card seconds after signing up

This statement is sensationalist and not true, as the maximum load on an Oyster
Card is £90.

~~~
Someone
Yes, that £1000 is a bit sensationalist, but the limit on an Oyster card
doesn’t matter. Apart from a trust chain, there is no link between Oyster
cards and bank accounts. If they were fraudulent, they could withdraw money
from your bank account without topping up any card.

London transport must send thousands of payment requests to banks each day.
Banks will honor them without checking anything, as there’s no way (apart from
contacting the customer) for them to verify that London transport has the
right to request those transfers of money to them (“here’s the form this
customer signed last year” doesn’t say anything about whether the customer
withdrew permission later)

The contract between the bank and London Transport likely says something about
the amount of money they can request to be transferred to them each week,
month or year, _may_ limit the amount per item, and says the contract will end
if London Transport misuses the trust the banks give them, but that will be
about it.

