Mobile phone e-wallets get closer to reality

Visa to roll out mobile payment system that lets people add a microSD card to their smartphones to make payments. It touts the system as safer than using a plain old credit card.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
6 min read
Phones with a special microSD memory card and Visa's PayWave mobile app can be used to make transactions by holding the device near a reader.
Phones with a special microSD memory card and Visa's PayWave mobile app can be used to make transactions by holding the device near a reader. Elinor Mills/CNET

BARCELONA, Spain--Later this year you'll be able to pay for clothes, taxi fare, and dinner with your mobile phone and leave your credit cards and cash at home.

Visa is planning a commercial rollout in the U.S. in the second half of this year of a service for allowing allow people to turn their existing smartphones into electronic wallets. It uses Near Field Communication (NFC) short-range wireless technology and includes real-time anti-fraud alerts and other features designed to protect consumers from fraud, Bill Gajda, global head of Visa Mobile, told CNET in an interview at Mobile World Congress 2011 here this week. Visa was demonstrating its PayWave mobile payment system at the show.

Despite the promise of convenience and ease of use, the e-wallet industry has gotten off to a sluggish start as mobile handset makers have dragged their feet on adopting NFC technology and retailers saw no need to install mobile payment readers if the phones weren't yet equipped. In 2008, the GSMA, a trade association representing the Global System for Mobile Communications industry, called on manufacturers to embed NFC chips in phones by late 2009 and three years later they are trickling out.

Rather than wait, Visa is offering a way to use existing smartphones by inserting a microSD (Secure Digital) removable memory card into the SD slots in the back of phones and, for the iPhone, in a special plastic skin. The card works in conjunction with Visa's PayWave downloadable app. Wells Fargo, Chase, U.S. Bank, and Bank of America have trials going with the technology in the U.S. (Another interim solution has been stickers affixed to mobile devices that allow for payments.)

"People don't want to wait two years for NFC-enabled phones to come out or to switch phones," to get one with an NFC chip sooner, Gajda said. "You can make payments today on the iPhone 4."

The microSD memory card fits in to a slot in the back of the phone. In the iPhone it fits into a slot in a special skin.
The microSD memory card fits into a slot in the back of the phone. In the iPhone it fits into a slot in a special skin. Elinor Mills/CNET

The terminal reader device is based on standardized technology so that it can work with Visa's PayWave system as well as MasterCard's PayPass and Express Pay from American Express. At this time, only Visa is offering an external memory card solution so phones that don't have NFC chips yet can be used--which is key to jumpstarting user adoption, according to Gajda.

"NFC technology will take off in 2011," he predicted. "The move from leather wallets to mobile wallets will come this year."

In trials, people are using their smartphones to pay fares in 10,000 taxi cabs and CVS stores in New York City and McDonalds and Whole Foods in San Francisco, and to ride public transit in New York and Los Angeles. (Search for cities and participating merchants here.)

Mobile payments are being made on iPhone 3 and 4, various BlackBerry models, and Samsung's Android-based Galaxy S II (displayed at Mobile World Congress 2011). NFC chips also could make their way into Windows-based phones made by Nokia, according to the NFC Times.

Google added some NFC capabilities to Android in an update earlier this year and reportedly is working on a mobile wallet code-named "Cream" that will be integrated into NFC-enabled Androids, while the Nexus S has NFC technology but does not support payments.

Meanwhile, Apple is rumored to be looking into adding NFC chips to a future version of the iPhone, according to reports.

You click to open the app and then slide with your finger to activate the antenna before holding the phone in front of a reader to carry out the transaction.
You click to open the app and then slide with your finger to activate the antenna before holding the phone in front of a reader to carry out the transaction. Elinor Mills/CNET

NFC mobile payment systems have made some inroads in other countries, primarily Japan and Korea, while Brazil, India, and other countries will be adopting them over the next few years, Gajda said. Visa Europe has an SDcard solution trial for iPhone users in Turkey and is launching it in Europe too.

"We see contactless (mobile payments) as a leapfrog technology for many parts of the world," Gajda said.

With PayWave, the mobile payments can be charged to a user's credit card or debited from a bank account or a pre-paid account. Banks and retailers can also deliver coupons and other products and services to users via the system.

Here's how it works. A bank or other financial institution will distribute the microSD cards to customers who install them in an SD slot in the back of the phone under the cover. The customers then download the PayWave app to their smartphones.

When the customers see a terminal reader that accepts mobile payments, they open the app and click a button to start a transaction. On the iPhone, a swipe of a finger on a slider button activates the radio antenna. The customers then position the back of the phone directly in front of the reader to complete the transaction.

Safer than plastic?
But is it any safer than using a plain old credit card? Yes, Visa and others say. Anyone can swipe a credit card or steal the credit card number off a charge slip. Credit cards can also be cloned and skimming devices and videocameras hidden in ATMs and gas station terminals can snatch both the credit card number and the PIN.

The PayWave system has a number of features to protect against fraud and abuse. For instance, the system monitors activity in real time and can alert a customer within minutes of a suspicious transaction. It looks for anomalies in account activity and analyzes transaction size, merchant, and other information and then compares that with prior account activity and other transactions taking place on the Visa network.

The NFC chip has a secure component that generates a unique authentication code for each transaction, whereas the data on a magnetic stripe on a credit card doesn't change. The phone must be 2 to 4 centimeters from the reader to work, making data interception extremely difficult, Visa says. Also, the radio transmitter turns off after about eight seconds. And password-protected phones add an additional layer of protection for lost or stolen devices. (In the Visa Europe implementation a user is prompted for a password to use the PayWave app.)

Mobile security expert Collin Mulliner had done research on ways to attack NFC mobile phones in 2008, (PDF) but after talking to Visa and its microSD development partner at the show, he said the theoretical attacks he disclosed previously would not work on Visa's current implementation.

However, Mulliner wondered if it would be possible for someone to create a Trojan horse that, once lodged inside a phone via a malicious Web link or download, could hijack transactions. Such malware could conceivably create an encrypted tunnel so that when the phone is used for a transaction, the attacker is actually using the process to make a different transaction elsewhere at the same time. This scenario would not need an attacker to build a fake ATM terminal, as other NFC attacks would require, Mulliner said.

"It seems fairly secure," he said of Visa's implementation, but said he would need to do tests on a PayWave-enabled phone before deciding how secure he thinks it really is.

In response to security concerns, Deepak Jain, chief executive of microSD Visa technology partner DeviceFidelity, said attacks would be unlikely and that there are numerous barriers in place to prevent them. The digital keys used in the authentication system are encrypted on the chip and neither the three-digit security code on the back of credit cards nor the cardholder name are stored on the microSD card. Unauthorized apps can not communicate with the device, and no digital keys are stored in the app--they come from the Visa network, he said.

The microSD card PayWave systems "are much more secure (than credit cards) because if you lose the microsSD there is no way to find your credit card number unless you create a sophisticated attack," Jain said.

Karsten Nohl, who has exposed security weaknesses in RFID (radio-frequency identification) wireless smart card chips and mobile phones, said in an e-mail when asked for comment: "NFC is just another name for RFID and it carries the same promises, opportunities, and weaknesses as any other RFID incarnation...The protocol and encryption used--and whether they protect from common threats--is pretty much up to the solution architect. It's like the Internet: everybody knows it's an insecure channel; but several evolutionary technology waves have led to secure transaction protocols over the Internet. Let's hope NFC takes fewer iterations and years to become mature."

A host of companies were showing off NFC-related technologies at Mobile World Congress 2011.
A host of companies showed off NFC-related technologies at Mobile World Congress 2011 in Barcelona, Spain, this week. Stephen Shankland/CNET