
Apple says Australia's banks pose a security threat to iPhones - rukuu001
http://www.afr.com/technology/apple-says-australias-banks-pose-a-security-threat-to-iphones-20160809-gqogpr
======
abalone
Some context: Australia is different because they regulate interchange fees.
Credit card interchange averages 0.5% / max 0.8% [1] whereas in the U.S. it's
in the range of 1.4-2.4% + 5-10 cents.[2] So that's part of the reason banks
are more aggressive with their negotiation. There's less of a pie to slice up.

Some more context.. This is a game with 3 main actors: banks, merchants and
consumers. Apple's strategy was a smart one vis-a-vis Bitcoin and other "low
fee" efforts. While many payment startups have attempted to woo merchants to
adopt them with the promise of a lower-fee system, Apple focused on wooing
consumers and banks by fully supporting the current, higher-fee interchange
system. Banks get their higher fees and consumers get their rewards. Merchants
get some security benefits (not as vulnerable to data breaches), but they
mainly face pressure from consumers to support it as an amenity. That's much
more successful than something that's price-friendly to merchants but offers
little advantage to consumers or banks.

Problem is in Australia, thanks to regulation there is no "high fee" system to
shore up for banks. So they are not as amenable to Apple Pay as in other
countries. They want their own system in place so they can get the full 0.5%
and, moreover, look for other ways to make money with it.

[1] http://www.rba.gov.au/payments-and-infrastructure/review-of-card-payments-regulation/q-and-a/card-payments-regulation-qa-conclusions-paper.html

[2] https://usa.visa.com/dam/VCOM/download/merchants/Visa-USA-Interchange-Reimbursement-Fees-2015-April-18.pdf

~~~
kalleboo
FWIW, the EU also caps interchange fees (0.3% for credit cards and 0.2% for
debit cards) but that doesn't seem to have stopped Apple Pay adoption in the
UK.

~~~
abalone
That's a very good point. Some possible explanations (let me know what you
think):

1) Banks have healthier competition in the EU? They wouldn't be able to form a
cartel like they are trying in Australia.

2) Fraud liability is fully borne by the consumer in Europe, whereas
Australian banks still have to refund customers?

3) It's a very new change (December), whereas Australian banks have lived with
it for a decade or so.

Personally I think #1 is sufficient to explain it.

------
wtbob
> These banks want to maintain complete control over their customers.

And Apple want to maintain complete control over _their_ customers. No-one has
clean hands in this.

I trust that Apple's cage has much nicer gilding than the banks', but I'd
rather not live in a cage at all, thank you very much.

~~~
nostromo
That's a false equivalency. Apple being a closed platform is not an excuse to
allow the banks to form a cartel.

If you don't like Apple, you can use Android. But if every bank in Australia
decides what you can and can't do with your phone when making payments, where
will you go?

~~~
tomp
It's even worse. If Apple gets their way, ApplePay will be available to Apple
users only. If banks get their way, their payment system will be available to
everybody. It's quite clear to me which one is better...

~~~
paperpunk
Apple Pay doesn't stop other payment provisions from functioning. The same
contactless reader will read Apple Pay, Contactless cards, and Android Pay.

Of course Apple Pay will only be available to Apple users. That's literally
what Apple Pay is: contactless payment on an Apple device. There's no reason
for there to be Apple Pay on Android or another platform.

~~~
izacus
Which still means I'm not allowed to pay for anything on an Apple device
(since Apple hasn't and probably won't make it available locally), while an
application built by my bank would.

~~~
coldcode
I've worked for banks. I'd trust Apple to build a secure environment but not a
bank.

~~~
izacus
Which kinda misses my point. A "secure" Apple service only available in select
few countries with no ability to compete or implement your own is more useless
than theorycrafting your experiences from banks to other world banks.

------
jonhuber
As an American living in Australia, you quickly see the lack of innovation on
payments in the US. Contact-less payments have been prevalent since moving
here in 2012. The ability to pay bills via a common protocol is so nice, BPAY.
The ability to move money between people electronically without third parties
is also refreshing, direct bank transfers.

I have a Nexus 5 and use NFC payments via Google Pay and Bank Apps. In my
opinion, they both are terrible from ease of use standpoint. Tapping my card
on the terminal is far superior to opening an app and fumbling with it. As far
as Apple is concerned, I think they are completely in the wrong in not letting
other apps use NFC. Ideally, they win market share by creating the better
experience. The banks getting together to negotiate terms is ridiculous too.
In my opinion, an ideal outcome would be open NFC use on Apple devices. The
better experience wins. I do not think collectively negotiating terms does
anything for the consumer.

~~~
dpark
> _Ideally, they win market share by creating the better experience._

Right now Apple can't provide the better experience, because the banks in
question will not support their system. The banks don't want to support Apple
Pay, so Apple opening up NFC would just shift the balance of power entirely in
favor of the banks.

~~~
Veratyr
My impression is that the banks want the access to be bidirectional. If they
give access to Apple Pay, Apple should give them access to the NFC module.

That seems fair to me. Apple should have to compete instead of monopolising
its platform.

~~~
iamshs
No. That's not what the banks want. The banks want to form a cartel to
collectively negotiate with Apple, which effectively means no negotiation at
all. They want to strongarm Apple to open up its NFC module to individual
banking apps; they won't roll up Apple Pay.

~~~
Veratyr
I don't buy it. Apple is just painful to negotiate with and the banks want an
at least semi-even table to play at.

This conflict isn't unbalanced. The same access is being sought on both sides.
The banks want their ~10M ish iPhone users to have access to payments on their
phones. Apple wants the same ~10M ish users to have access to payments on
their phones. Both sides want something of equal value, it simply seems like
Apple wants it all and isn't willing to give anything up.

~~~
iamshs
The big 4 want to boycott Apple Pay, and want to strong arm others into
boycotting Apple Pay too. They want a mafia ruling, not an amicable solution.

This is the submission:-
http://registers.accc.gov.au/content/index.phtml/itemId/1197444/fromItemId/278039/display/application

~~~
Veratyr
Thank you, that actually backs up what I've been saying:

> competition: the applicants wish to ensure that the potential for
> competition and innovation in the emerging market for mobile payments is
> maintained. Therefore, they wish to collectively negotiate in response to
> any technological or other exclusivity that a Third Party Wallet Provider
> may seek to impose by:

> - refusing, restricting or failing to provide software access to any
> payment functionality built into devices manufactured by or for, or
> operating systems developed or distributed by, the Third Party Wallet
> Provider, for example NFC functionality; and/or

> - otherwise preventing or impeding card issuers from developing, deploying
> or participating in any other mobile payment or mobile wallet services or
> Third Party Wallets on any mobile devices or platforms;

They're mainly concerned with fraud standards and making sure nobody (Apple)
tries to limit access to their platform.

As for your boycotting and "strong arm" claims, this document shows that scope
is significantly narrower than you're implying:

> Accordingly, the applicants seek authorisation to: [...]

> enter into a limited form of collective boycott where the applicants will
> agree not to negotiate with the relevant Third Party Wallet Provider on an
> individual basis while collective negotiations with that Third Party Wallet
> Provider are ongoing.

The "boycott" in this document is referring solely to individual negotiation.
i.e. Bank1 can't go behind the other banks' back and sweeten the deal while
they're negotiating as a group.

------
sjwright
An important thing to realise about the Australian banking market is that
we're already a world leader in the adoption of contactless payments using our
credit cards. (And unlike the US, our floor limit is $100, which covers almost
all transactions. When exceeded, most terminals just prompt for your PIN.)

I'm sure Apple Pay is great, but with an entire continent already familiar
with tapping their credit card, tapping a phone doesn't seem like much of an
improvement.

~~~
cletus
I'm Australian but I live in the US now. I go back fairly often. Last year I
tried out PayPass for the first time.

Contactless payments as implemented in Australia are (IMHO) a disaster. Here
are the problems:

- No opt out. You couldn't get an ATM card without it. This led to various
guides on drilling a hole in the RF antenna to disable it. Last I heard the
ACCC was intervening to force the big banks to give consumers an opt out. Not
sure if this has happened yet.

- Report your card stolen and the thief can still keep using PayPass. Why is
this even possible in the modern age of the Internet?

- The burden of proof on unauthorized transactions is on the consumer. I seem
to recall reading something from the T&Cs that claimed you could be charged a
fee for a "false" (ie denied) claim and you could only claim unauthorized
transactions once or twice a year.

- In the case of disputed transactions the merchant is on the hook for it
leading some to not accept it.

Basically contactless payments in Australia are an effort by the big banks to
not be responsible for fraud. There's no real benefit to consumers.

~~~
cynix
> The burden of proof on unauthorized transactions is on the consumer.

The burden of proof for unauthorised transactions is _never_ on the consumer.

> In the case of disputed transactions the merchant is on the hook

It is always the merchant who's on the hook for disputed transactions. The
banks/issuer is _never_ on the hook.

Contactless payment is literally just a more convenient version of
magnetic/chip payment, with everything else being the same.

~~~
rjvs
> The burden of proof for unauthorised transactions is _never_ on the
> consumer.

It's true that the merchant has to prove that the consumer made the purchase.
However, the burden is still on the consumer, since they still have to service
the transaction until the dispute process is resolved.

------
darawk
Apple couldn't really be more disingenuous here. This has nothing to do with
user security and everything to do with squelching competition. Competition
_for_ them, not for the banks. The banks just want to compete and Apple
doesn't want to let them.

This is exactly why I do not own an iPhone.

~~~
sjwright
Unless you know what the banks specifically want changed in the deal, you
can't substantiate that assertion. Apple has undoubtedly put a lot of time and
money into validating and auditing the security around Apple Pay. It's a
solution that doesn't need to be modified for the Australian market: one major
Aussie bank has fully adopted Apple Pay already.

There's no way Apple are going to allow that effort to be trashed by a few
banks in a small overseas market. (It's also highly probable that the banks
want to be able to implement processes that bypass the consumer friendly
aspects of Apple Pay, like its strong privacy controls.)

~~~
viraptor
> small overseas market

That depends really. While Australia is a relatively small market, _everyone_
here pays using paywave (contactless payments via credit/debit cards, 69%
owned and 43% used in 2013!), and if a shop has a card terminal they support
it. If it could be enabled on iPhones, they would get instant adoption by lots
of people.

I can't see any specific numbers to compare right now, but I'd be interested
to see some contactless payment comparison between the US and Oz for 2015.

~~~
eon1
Why do you think people would use their iPhones over the cards they already
use, though? That's going backwards in terms of efficiency for the user, and
it's not like the majority of people care about security.

~~~
manicdee
We already have our phone in our hands.

The efficiency of Apple Pay with a phone already in your hand over cards in a
wallet in your pocket is night and day.

~~~
eon1
> We already have our phones in our hands.

Huh? Phone in hand while scanning stuff at the self-serve checkout? The only
time I can think of myself using the phone while buying something is maybe at
a convenience store while I'm _on_ the phone, which is definitely not handy..
"Just hold on for a sec mate, I'm about to tap you.."

> night and day

Nah. NFC vs magnetic was night and day. One form of swipe over another, no
way. Especially not if I need to fiddle with a fingerprint scan or a non-
tactile interface.

------
tomlock
I'm an Aussie and use one of the big bank's apps on a s6 edge (the edge is
weird and I hate it). Contactless payment already works great in exactly the
way that a credit card does at a store terminal. Anyone know if Samsung gets a
cut?

~~~
smitec
Not sure which bank you are with but mine seems to have some exclusivity deal
with samsung phones which it hides under the guise of 'other phones are not
secure enough to do contactless payments'. Not a hard fact but it would also
lead me to believe they get some sort of kick back.

~~~
viraptor
Samsung phones have a secure element, which means your NFC transactions happen
a bit outside of the normal app's control. There's some extra information
here: http://www.sequent.com/secure-elements-vs-cloud-based-hce-secure-nfc-mobile-payments/

It's true that they provide security, but then again, other banks are happy to
use other techniques (commbank's app does nfc payments on pretty much anything
with NFC - nexus 5 included)

------
tetrep
Why would user security be compromised by NFC access any more than WiFi access
or Bluetooth access? Or does Apple not provide APIs at the same abstraction
level for WiFi/Bluetooth that the banks are requesting for NFC?

~~~
techdragon
Apple does not provide developers with access to the NFC hardware and they
also do not provide direct access to Bluetooth either. Using these is limited
to being able to make use of iOS services which make use of these hardware
capabilities such as Apple Pay, Bluetooth audio outputs, etc...

~~~
drakenot
This is true of NFC but Bluetooth capabilities are much more open. I've
personally used Core Bluetooth to connect and communicate with arbitrary
devices and communicate over custom protocols.

~~~
techdragon
I was trying a little too hard to be succinct, I've also used CoreBluetooth, I
was lumping it into an awfully generic group by categorising that as part of
the "services" provided by iOS, but I was thinking from the point of view that
all the things the iOS frameworks provide are the ones Apple has _allowed_
them to provide on iOS. Effectively the framework is a way to access the
limited set of allowed services, as opposed to direct hardware access.
Otherwise we could do much more interesting things with Bluetooth such as
implement new Bluetooth profiles and create things like apps where the iPhone
functioned as a Bluetooth keyboard for another device.

~~~
0x0
This iOS app appears to be able to advertise custom bluetooth profiles,
though? https://itunes.apple.com/us/app/lightblue-explorer-bluetooth/id557428110?mt=8

------
sien
It's worth noting that Android Pay has launched with 28 banks in Australia.

http://www.news.com.au/technology/google-launches-android-pay-in-australia-with-more-banks-than-apple-or-samsung/news-story/b717e8bc8cd651998920c34ffc1b926d

It's also worth noting that Australia has 4 big banks that have over 80% of
the Australian market. With 28 the proportion of the market covered is even
higher.

Google were clearly prepared to make deals that Apple are not.

------
ausvisaissues
> Providing simple access to the NFC antenna by banking applications would
> fundamentally diminish the high level of security Apple aims to have _on
> our devices._

This is what I hate about Apple. I am fairly certain that the customers bought
these devices -- so isn't it their customers' devices?

Apple wants to sell iPhones, yet keep complete control over it. Simple things
such as disabling updates is not possible -- because it is not in Apple's
interest.

They completely redefine what ownership means -- you "own" it, but Apple
"controls" it.

~~~
7Z7
> Simple things such as disabling updates is not possible -- because it is not
> in Apple's interest.

That seems disingenuous. Yes there is no explicit switch that prevents the
user being informed about updates ever again, but there are no forced updates
that I'm aware of. If you don't want to update, don't.

~~~
ausvisaissues
It is not possible to block downloads of updates or to switch off daily update
reminders on new iOS devices. This is a well known problem:
http://osxdaily.com/2016/01/04/stop-ios-software-update-notification/

The only option is to avoid Wifi or configure your wifi router to block Apple.

------
tomelders
I think banking is a logical sector for tech firms to move into. Apple,
Google, Amazon. They build platforms, and they enhance those platforms with
services that they charge for.

Day to day banking is the sort of service that would really enhance their
platforms, and would also have a massive side benefit of cutting out a
notoriously difficult middle man that no one really likes anyway.

Take Apple as a thought experiment. The banks have already seeded Apple's
hypothetical bank with all of their customers via Apple pay. Here in the UK, I
can change bank account at the push of a button and everything is taken care
of for me in just a couple of days. That's the law and there's nothing the
banks can do to stop me. If Apple one day gave me a "Would you like to move
your bank account to Apple" button, I'd press it in a flash, and feel a great
sense of pleasure as I stuck it to the established British banks. With Apple's
huge stock piles of cash, I think a takeover of an existing bank would not be
unfeasible.

In addition, should tech firms start setting up or buying existing banks,
there's plenty of legislation in place to ensure they play fair with each
other.

It's pie in the sky thinking, but interesting to think about none the less.

~~~
peyton
Interesting idea. I'm curious what the regulatory landscape is like. Is it
feasible to run a bank off of a giant multinational tech company?

I remember back in the day Apple needed to charge for iPod Touch software
updates for some sort of accounting purpose.

~~~
tomelders
I wasn't suggesting they offer those services for free. If they were to
consider this, I imagine buying an existing bank would be the first thing they
would look at. There are a number of banks out there that very few people have
heard of. It wouldn't have to be a Barclays or a HSBC, just someone with a
banking license or the opportunity to acquire one in the relevant territories.
Also, the Financial Conduct Authority here has a strong appetite for being
progressive and trying out new ideas. Other countries also take a lead from
what the FCA says is OK or not.

------
forgottenpass
Confounding security and business policies is setting a bad precedent for the
security of anyone that isn't able to throw their weight around in
negotiations as well as Apple can.

~~~
zepto
They aren't.

