NFC a bargaining chip for Apple, Australian banks
Several of Australia's leading banks have attempted to bargain collectively with Apple Inc. At issue is access to the near field communication (NFC) chip inside iPhones, currently the exclusive province of Apple Pay. Access to the chip would let the banks offer their own contactless payment and banking apps to iPhone-carrying customers, as they already do for Android users.
The banking collective initially consisted of Commonwealth Bank of Australia, National Australia Bank, Westpac Banking Corp., and Australia and New Zealand Banking Group Ltd. (ANZ). Their efforts to open negotiations with Apple have met a series of challenges, beginning with the defection of one of their own members, which shocked the banking community. The initiative remains on hold pending further review by regulators and a response from Apple, which has been silent throughout the proceedings.
Internal, external challenges
The Australian Competition and Consumer Commission (ACCC), an independent authority tasked with enforcing Australia's Competition and Consumer Act 2010, oversees a range of issues related to fair trade and consumer education. Following are ACCC's stated priorities:
- Maintain and promote competition and remedy market failure
- Protect the interests and safety of consumers and support fair trading in markets
- Promote the economically efficient operation of, use of and investment in monopoly infrastructure
- Increase engagement with the broad range of groups affected by commission actions
The four banks jointly appealed to the ACCC for permission to begin talks with Apple. The ACCC was reviewing the request when ANZ opted to pursue its own deal with the tech giant, debuting in April 2016 as the first Australian bank to offer Apple Pay.
The revamped collective, joined by Bendigo and Adelaide Bank and a growing number of card-issuing banks, has asked the ACCC for authorization to bargain collectively with Apple and to boycott Apple Pay, which the banks say unfairly restricts consumer choice and shuts out third-party wallet providers. The ACCC declined to grant interim authorization, stating that it needs more time to assess the potential impact on the Australian payments ecosystem.
"[Given] the complexity of the issues and the limited time available, the ACCC has decided not to grant interim authorisation at this time," said ACCC Chairman Rod Sims in his Aug. 19, 2016 statement to the press. "The ACCC requires more time to consult and consider the views of industry, consumers, and other interested parties."
Sims noted the ACCC authorization process can take up to six months, as members consider a petition's impact on market competition, public benefits and possible harm to applicants and other parties. "We expect to release a draft decision in October 2016," he said, adding that the ACCC's decision not to grant immediate authorization is not indicative of any future outcome.
Impact on local, global communities
Payments analysts are questioning why Apple has locked down its NFC controller while leaving Bluetooth and Wi-Fi open to third-party applications. Some say the policy is out of step with a global trend toward interoperability and could affect a range of payments industry stakeholders. What began as a simple challenge to Apple Pay has escalated into a series of debates about the role of banks, telcos and equipment manufacturers in the mobile wallet sphere.
"This all started when major Australian banks contested the walled garden of Apple Pay," said Joe Cincotta, Managing Director at Sydney-based Thinking Group and educator at Thinking School, an ecosystem for leading organizations and start-ups whose clients include American Express Co., Westpac Group and Facebook. "Will the ACCC step in? Probably. Will Apple yield to the pressure? Probably not."
Cincotta noted Apple's two-fold threat to banks and telcos:
- Apple uses the secure element in its hardware, together with its own wallet app and cloud services, to control the payment transaction flow end to end. That eliminates the need for Trusted Service Managers (TSMs) and cuts telcos out of mobile wallet transactions.
- Apple's control of the transaction flow may also reduce the banks' share of transaction fee revenue compared with other contactless methods, such as plastic cards with embedded EMV (Europay, Mastercard and Visa) chips.
"Banks trying to launch their own wallets is not really the issue; it's banks being able to choose another conduit (Trusted Service Manager) for their wallets to use – thereby making the Apple hardware in their devices (Secure Element) able to be part of a completely different secure flow," Cincotta stated. "This would cut Apple out of the financial ecosystem associated with their technology."
Cincotta expects Apple to fight to maintain control of transaction flows, especially in Australia, where 65 percent of consumers have smart phones and over a million contactless transactions happen every day. These fees would be worth hundreds of millions over the next decade, he said.
"At a superficial level, it is a vote of 'no confidence' by Apple in third parties like banks developing mobile wallet solutions," he added. "If Apple is trying to get people comfortable with a big behavior change (using contactless payments from their phone) then fragmenting that experience with a zillion wallet apps would be a disaster."
Walgreens rewards Android, Apple users
Tuesday, August 23, 2016
Deerfield, Ill.-based drugstore chain Walgreens recently embedded its Balance Rewards loyalty program in Android Pay and Apple Pay. The integration allows two-tap checkouts at 8,173 store locations, giving an estimated 85 million active Balance Rewards members an easy, secure and private way to earn and redeem points.
Walgreens is a division of Walgreens Boots Alliance Inc., a holding company focused on health and wellness. Its ecommerce footprint includes Walgreens.com, drugstore.com, Beauty.com, SkinStore.com and VisionDirect.com. Walgreens launched its Apple Pay and Android Pay solutions in November 2015 and August 2016, respectively. Customers checking out with Apple and Android phones will no longer need to scan or enter Balance Rewards card information to earn the same benefits offered by credit and debit cards, the company stated.
Abhi Dhar, Walgreens Senior Vice President and Chief Information Officer, said Walgreens is continually looking for ways to use innovative, forward-thinking technologies to enhance the customer experience. “We’re proud to have been the first retailer to integrate our loyalty program with the two leading mobile payment providers and to give our customers another channel for greater access, choice and convenience with our loyalty program,” he said.
Tap twice and done
Walgreens stated that the Android Pay and Apple Pay apps store Balance Rewards cards securely; the first tap of a smartphone transmits the customer's reward card information and updates balances in real time. The second tap then initiates payment with a credit or debit card stored in the payment app.
The Apple version of Walgreens mobile loyalty solution, with biometric and geolocation capabilities, works on iOS versions 9 and higher on iPhone 6, iPhone 6 Plus, iPhone 6S, iPhone 6S Plus and Apple Watch.
Users can place their finger on Touch ID while tapping their iPhones near a contactless reader to activate their rewards account information. Apple Watch users can double-click a side button, select their Balance Rewards card, and display the Apple Watch face to the reader. An optional automatic detection setting will alert the iPhone when it enters a Walgreens store, where it will automatically bring up the Balance Reward card at checkout.
Android Pay users likewise hold their devices near the PIN pad twice: first to present their reward card information, then to pay with a card stored in the Android Pay app. Android devices with fingerprint scanners can use them to unlock and authorize Android Pay (and Samsung Pay). Android Pay supports NFC-enabled phones running Android 4.4 KitKat and higher; the free app is available in the Google Play Store.
Google Senior Director of Product Management Pali Bhat said the Android Pay solution is designed to make in-store payments simpler by giving customers instant, frictionless access to their loyalty cards at checkout, giving Walgreens customers the ability to “speed through the entire checkout process in as few as two taps with their Android phones.”
Mass mobile tech migration
While being among the first retailers to integrate its rewards program directly into Apple Pay and Android Pay may give Walgreens a competitive advantage and bragging rights, some users would like an even smoother, single-tap checkout. As Steve Dent wrote for Engadget, “Now, if they could just get it down to one tap, all of our first-world payment issues will be sorted.”
Walgreens supports a diversified array of payment methods, including credit, debit, EMV (Europay, Mastercard and Visa) and other mobile wallets, company representatives noted. Payments analysts expect mobile payments and mobile-enabled loyalty programs to eventually overtake traditional plastic credit card usage in the United States and in Western European countries, as retailers become accustomed to people transacting with smartphones at the POS.
Peter Rojas, co-founder of technology blogs Engadget and Gizmodo, said, “I think the biggest change, and one that we’re already starting to see take shape, is that globally the majority of Internet usage will be done via a mobile device and for most people the mobile web will be their primary – if not their only – way of experiencing the Internet.”
Security breaches rise in frequency, cost
Friday, August 19, 2016
Payments analysts have noted similarities between the Bitfinex and Mt. Gox security breaches. Both incidents involved leading bitcoin exchanges with structural weaknesses in how customer funds were held. Tokyo-based Mt. Gox, established in 2010, suffered a series of thefts from its Internet-connected hot wallet that went undetected for years, resulting in the loss of approximately 850,000 bitcoins, valued at about $450 million at the time. The company filed for bankruptcy protection in 2014.
Hong Kong-based Bitfinex disclosed a breach of roughly $69 million worth of bitcoin on Aug. 2, 2016, followed by continuing updates on the investigation and remediation effort. The company engaged Toronto-based blockchain forensics firm Ledger Labs Inc. to investigate the incident and recommend security measures. Ledger Labs will also audit the company's balance sheet, including cryptocurrency and fiat assets, Bitfinex stated.
Early in the investigation, Ledger Labs identified weaknesses in Bitfinex's backend architecture, according to company sources. Bitfinex operations staff have already implemented many of Ledger Labs' recommendations, and teams from both companies are examining data from the BitGo wallet alert system to determine why it did not fire during the theft.
"We have currently suspended use of the BitGo segregated multi-signature wallet solution and have re-implemented robust and safe multi-signature cold storage procedures, with minimal coins exposed on our hot wallet," Bitfinex stated. "We are reassessing our storage options, both internally and with potential third party multi-sig vendors."
Plugging holes, restoring trust
Bitfinex management is currently exploring ways to compensate customers for losses resulting from the security breach. The company is "committed to making our customers whole," and to building a more secure infrastructure to prevent similar attacks. Representatives acknowledged these efforts will take time and money, and thanked customers who continue to trade on their platform for helping to rebuild their brand.
"The biggest issue with bitcoin trading is in the unregulated landscape that enables bitcoin exchanges and resellers to store customer credentials," said a source familiar with the matter. "If you buy bitcoins and the exchange holding your unique key gets hacked, you will lose your bitcoins. No one should be able to buy bitcoins without being able to control their own keys."
Evolving threat landscape
Cybercriminals are increasingly attacking large cryptocurrency exchanges and enterprise-scale merchant environments with many outlets. The attack on HEI Hospitality LLC, disclosed Aug. 15, 2016, involved POS malware that infected 20 properties, including Starwood, Marriott, Hyatt and InterContinental-branded hotels, between March 2015 and June 2016, according to the HEI website.
Security analysts have speculated that the malware harvested payment card data in real time as cards were processed, including cardholder names, account numbers, expiration dates and verification codes. HEI stated that it does not store credit card data; that is consistent with memory-scraping POS malware, which captures card data in plaintext during the transaction rather than from stored files. The company posted a list of affected properties, frequently asked questions (FAQ) and a toll-free support number for affected customers on its website.
"Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties," HEI stated. "We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties."
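Memory-scraping POS malware of the kind described above harvests track data and primary account numbers (PANs) in plaintext as cards are processed; the same patterns are what a data discovery scan looks for afterwards in mailboxes, notes and file shares. The following is an added example of such a scan, written for this page and not code from HEI or any vendor named here. It finds candidate card numbers and Track 2 records in text, validates them with the Luhn check digit, and reports them masked. The sample text, the card number in it (the Visa test number 4111 1111 1111 1111) and the coarse brand ranges are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track 2 as read from a magnetic stripe: PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]*)\??")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812); every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Coarse issuer guess from the leading digits (illustrative ranges only)."""
    if pan[0] == "4":
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "Amex"
    if pan[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan.startswith("6011") or pan[:2] == "65":
        return "Discover"
    return "unknown"


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plausible(digits: str) -> bool:
    # Reject runs of one repeated digit: 0000000000000000 passes Luhn but is never a PAN.
    return 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits)


def scan_text(text: str):
    """Return (line_no, kind, masked_pan, brand) for each card number found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []                      # spans already reported as Track 2 records
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if plausible(pan):
                findings.append((line_no, "track2", mask_pan(pan), brand_of(pan)))
                covered.append((m.start(), m.end()))
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in covered):
                continue                  # the PAN inside a Track 2 record, already counted
            digits = re.sub(r"[ -]", "", m.group(0))
            if plausible(digits):
                findings.append((line_no, "pan", mask_pan(digits), brand_of(digits)))
    return findings


# Constructed sample: a mailbox export with one bare card number and one stale
# terminal dump. The order reference is 16 digits long but fails the Luhn check.
SAMPLE = """\
From: frontdesk@example.test
Subject: folio correction for room 412
Guest paid with 4111 1111 1111 1111 exp 12/25, CVV on file 123
Order ref 1234567812345678 (not a card)
Old terminal dump: 4111111111111111=25121011234567890?
"""

if __name__ == "__main__":
    for line_no, kind, masked, brand in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} {masked} ({brand})")
```

Run against the sample, the scanner reports the bare PAN on line 3 and the Track 2 record on line 5 and ignores the Luhn-invalid order reference; a real sweep would walk mail stores, attachments and file shares with the same `scan_text`.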
Employee fraud is also a prevalent threat to enterprise-scale organizations worldwide. Sage Group, a global provider of accounting, payroll, asset management and payments software headquartered in the United Kingdom with U.S. offices in Atlanta, recently reported a security breach caused by unauthorized access using an internal login. The incident may affect up to 300 of its British customers.
Recommended remedial actions
In a blog post titled "What do you do after a security breach?" (http://www.sage.com/us/Sage-Advice/Articles/18366/2015/8/20/What-do-you-do-after-a-security-breach), Sage noted the rising cost and frequency of data breaches and recommended the following remedial approach:
- Get to work immediately: Waiting to follow mandated procedures may result in further damages and penalties.
- Form a team to address the issue: A cross-functional team consisting of IT experts, the chief financial officer, the public relations department, third-party specialists and other stakeholders can help companies manage multiple issues effectively.
- Investigate the cause of the breach: Determining the root cause of the issue can help companies respond appropriately.
- Brainstorm and implement solutions: Beyond just patching and fixing, it is important to think ahead and implement preventive measures.
- Follow mandated notifications: Regulatory environments vary across industries and states. Companies need to follow local and federal laws for informing customers and cooperating with law enforcement.
- Be thorough, honest, and educational when you communicate: "Whether the data breach was unavoidable or due to insufficient security measures and human error, be honest with your customers in that you tell them where the breach originated and indicate the steps you have taken," the authors wrote. "You can reassure them by detailing how you're addressing the issue to prevent it from happening again."
CVS Pay joins mobile payment roster
Wednesday, August 17, 2016
The recent implosion of the automated clearing house (ACH)-based CurrentC app produced a series of aftershocks in the mobile payments market; former members of the Merchant Customer Exchange consortium that backed CurrentC went their separate ways, introducing various mobile commerce schemes designed to reduce costs and improve efficiency.
CVS Pay, the latest entrant, was launched Aug. 9, 2016, by Woonsocket, R.I.-based CVS Health. It ships as part of version 2.7.6 of the official CVS Pharmacy app, available in the Google Play and Apple App stores. Early pilots took place in New York, New Jersey, Pennsylvania and Delaware.
How it works
CVS Pay assigns unique barcodes for users to present to CVS store associates. "The associate will scan the barcode, ring up the purchases, let the customer choose a payment method from those stored in the app and then process the payment," company representatives stated. "All verifications for prescriptions and payment like name/birthdate, signature, and PIN take place directly in the app, so transactions are hassle free."
Brian Tilzer, Senior Vice President and Chief Digital Officer at CVS described the mobile app as part of the company's broader effort to use digital tools to improve the customer experience. "We've been excited by the level of customer adoption of these digital solutions, and we will continue our quick pace of innovation and deployment to make our customers' healthcare experience even easier," he said.
CVS Pay, available on iOS and Android devices, supports Mastercard, Discover Financial Services, Visa Inc. and American Express Co. payment card brands; types of cards accepted include credit and debit, health savings account, and flexible spending account cards, CVS noted. The app has received mixed reviews from early adopters, who have sung its praises and identified areas in need of improvement.
Apple user reviews
"CVS has made no real attempt to use current mobile technology," wrote Apple App Store reviewer bindigok. "I do NOT want CVS to store my [financial] information ‒ that's the appeal of Apple Pay; I don't have to give my financial information to every retailer and open myself up to data attacks (see Target 2 years ago)."
Reviewer KendraButt gave the app a five-star rating and hashtags #winning and #canimarrythisapp. "I love the new pick up prescriptions feature!" she wrote. "Makes it so much easier and faster for large families. I don't have to sit there and think when everybody's birthdays are. LOL."
"This app promises a great convenience: the ability to manage prescriptions online, and to conveniently deal … enter prescription info by scanning barcodes with your smartphone camera," noted reviewer Dutes Kutman, who had to re-enter his personal information several times and discovered bugs in the way the app processed refill orders and shared information with pharmacists. "It would be a great convenience if it worked," he stated.
Android user reviews
Android app reviewer Jeri England gave CVS Pay five stars for ease of use. "Takes a little time to set everything up, but once that is done you will smile all the way to the pharmacy because of the time you saved," she wrote. "This app puts everything @ your fingertips 24/7."
Reviewer dougandsuzy gave the app one star, citing bugs in the software that interfered with rewards earnings and prescription pick-up. "Claimed 'prescription was linked to another account.' I don't have another CVS account," the reviewer wrote. "I was supposed to receive extra reward dollars for installing app, but that never happened."
Five-star reviewer Denise Gardner-Gomes praised the app's enhanced efficiencies. "My prescriptions are always done before promised," she wrote. "Whenever there is any question, I get a call from the pharmacist to discuss, so I don't leave home unprepared for the day."
End-to-end, mobile payment solution
CVS is positioning CVS Pay as a "new, end-to-end mobile payment solution that integrates payment, prescription pickup and the ExtraCare loyalty program all in one quick scan at checkout." The solution's digital barcode technology eliminates the need for enrolled consumers to present ExtraCare key fobs and mag stripe cards at checkout to qualify for in-store promotions and discounts.
CVS anticipates that when CVS Pay is fully deployed, it will provide a simple, private, end-to-end pharmacy experience that handles rewards and payment in one scan. Customers can present barcodes at checkout or recite pick-up numbers at drive-up pharmacy windows. To enhance security and comply with the Payment Card Industry Data Security Standard (PCI DSS), sensitive personal data such as names, birthdays, signatures and PINs are held in the app and kept out of scope of the POS, the company stated. Note that this moves the PCI DSS scope boundary rather than removing it: the app and the backend that serves it then hold the sensitive data.
Oracle fails to predict, prevent POS breach
Friday, August 12, 2016
Following a punishing wave of attacks against POS systems, forensic experts are working with merchants and technology companies to patch vulnerabilities and notify millions of potentially affected business owners and consumers. Security analysts have stated that Oracle Corp.'s Micros POS systems, among others, may have served as central access points for the cybercriminals behind these attacks.
The first sign of trouble surfaced Aug. 8, 2016, when Micros, the POS division of Oracle, revealed a malware attack on its customer support portal that may have exposed the credentials of customers running some 300,000 Micros payment terminals. Security journalist Brian Krebs first reported the incident, attributing it to a Russian group known as the Carbanak Gang or Anunak. The attackers allegedly planted malicious code in Oracle's customer support portal that captured customers' login credentials as they were entered; those credentials could then be used to reach a large population of Micros POS deployments.
Armed with valid login credentials, cybercriminals can move on to a range of banking, card and personal accounts. The same approach appears to have been used against five other prominent POS vendors: on Aug. 11 it was reported that Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell had found anomalies in their internal systems and backend technology.
Too little, too late
"Oracle is no stranger to cybersecurity issues," said John Wethington, Vice President, Americas, at Ground Labs Pte. Ltd., an international security company with offices in Austin, Texas; Dublin; and Singapore. "[The Micros hack] blows the doors open to what we've said all along: It only takes one POS entry point for an entire system to be compromised."
Wethington noted that many malware tools, readily available on the Dark Web, are designed to scrape payment card data. "Cybercriminals establish a footprint within POS systems they've exploited; they can use the login credentials as a pivot point to attack customers internally, because they're on the other side of the firewall," he said. "Now they can leap off the POS platform to dig into untold terabytes of data."
Oracle advised all Micros customers to change their support portal passwords, a move Wethington and others compared to closing the barn door after the cows get out. "Oracle took two days before acknowledging the hack," he said. "Originally, they thought it was just the support team that was compromised. But criminals used Oracle as a doorway into 300,000 businesses, putting millions of end points at risk."
Lessons learned, actions taken
In its statement to the press, Oracle confirmed that payment card data in its systems is encrypted both in transit and at rest. While that is somewhat reassuring to potentially affected merchants, it does not protect card data while it sits in plaintext in a terminal's memory, which is where POS malware captures it. Analysts are therefore advising everyone to be especially vigilant in the coming months for unusual spikes in card volumes and other signs of fraud. Following are additional recommendations from security experts:
- Scan and audit: "Run a full security audit and make sure your environment is up to date and not storing sensitive data," Wethington said. "Use a data discovery tool to search through email, notes and attachments, because all systems are now put at risk. Even Oracle can't take responsibility for systems outside of their control."
- Think beyond passwords: "It's not enough to rely on password policies, which are of no use when the credentials are stolen," said Itsik Mantin, Director of Security Research at Imperva Inc. "Those in charge of web applications should be mindful to take specific detection measures to validate the authenticity of login to the system, treating with caution login from unexpected countries or anonymous networks, or logins from a web bot and rate limiting login attempts, in particular, those using credentials known to be stolen."
- Securely store encryption keys: "It's crucial to secure encryption keys and firewalls," Wethington said. "Failure to do so is equivalent to locking the house and leaving the keys in the front door."
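Mantin's recommendations above (treat logins from unexpected countries, anonymous networks and bots with suspicion, rate limit attempts, and look hardest at logins using credentials known to be stolen) can be implemented as a small detector over authentication logs. The following is an added example written for this page, not code from Imperva, Oracle or any vendor named here. It assumes a constructed log format; the IP-to-country table and the anonymous-network list are stand-ins for a GeoIP database and a Tor exit or proxy list, and the set of accounts with known-stolen credentials stands in for a breach-corpus lookup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>\w+) ua="(?P<ua>[^"]*)"$'
)

# Stand-ins for external data sources (assumptions for this example).
IP_COUNTRY = {"203.0.113.7": "US", "192.0.2.44": "RU", "192.0.2.99": "US"}  # GeoIP lookup
ANONYMOUS_NETWORKS = {"192.0.2.99"}        # Tor exit nodes / open proxies
STOLEN_CREDENTIAL_USERS = {"bob"}          # accounts seen in a public credential dump
EXPECTED_COUNTRIES = {"US"}                # where this customer base normally logs in from
BOT_UA_RE = re.compile(r"python-requests|curl|wget|bot", re.IGNORECASE)
MAX_ATTEMPTS = 5                           # per source IP ...
WINDOW_SECONDS = 60                        # ... within this sliding window


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(lines):
    """Return an ordered, de-duplicated list of (rule, ip, user) alerts."""
    alerts, seen = [], set()
    attempts = defaultdict(deque)          # ip -> timestamps inside the window

    def emit(rule, ip, user):
        key = (rule, ip, user)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                       # malformed line; a real pipeline would count these
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]

        # Rate limiting: count every attempt, success or failure, per source IP.
        window = attempts[ip]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        window.append(ts)
        if len(window) > MAX_ATTEMPTS:
            emit("rate_limit", ip, user)

        if ip in ANONYMOUS_NETWORKS:
            emit("anonymous_network", ip, user)
        if BOT_UA_RE.search(ev["ua"]):
            emit("bot_user_agent", ip, user)

        # Successful logins deserve the closest look: those are what stolen credentials produce.
        if ev["result"] == "success":
            if IP_COUNTRY.get(ip, "unknown") not in EXPECTED_COUNTRIES:
                emit("unexpected_country", ip, user)
            if user in STOLEN_CREDENTIAL_USERS:
                emit("stolen_credentials", ip, user)   # force step-up auth or a reset
    return alerts


# Constructed sample: a normal login, a scripted burst against 'admin' from a
# Russian IP, a later success as 'bob' from the same IP, and a login via Tor.
SAMPLE_LOG = """\
2016-08-08T10:00:00Z ip=203.0.113.7 user=alice result=success ua="Mozilla/5.0"
2016-08-08T10:00:01Z ip=192.0.2.44 user=admin result=failure ua="python-requests/2.10.0"
2016-08-08T10:00:02Z ip=192.0.2.44 user=admin result=failure ua="python-requests/2.10.0"
2016-08-08T10:00:03Z ip=192.0.2.44 user=admin result=failure ua="python-requests/2.10.0"
2016-08-08T10:00:04Z ip=192.0.2.44 user=admin result=failure ua="python-requests/2.10.0"
2016-08-08T10:00:05Z ip=192.0.2.44 user=admin result=failure ua="python-requests/2.10.0"
2016-08-08T10:00:06Z ip=192.0.2.44 user=admin result=failure ua="python-requests/2.10.0"
2016-08-08T10:05:00Z ip=192.0.2.44 user=bob result=success ua="Mozilla/5.0"
2016-08-08T10:06:00Z ip=192.0.2.99 user=carol result=success ua="Mozilla/5.0"
"""

if __name__ == "__main__":
    for rule, ip, user in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} ip={ip} user={user}")
```

On the sample the burst from 192.0.2.44 trips the bot and rate-limit rules, the later success as bob from the same address is flagged twice (unexpected country and known-stolen credentials), and carol's login is flagged for coming from an anonymous network. The stolen-credentials rule fires on a successful login precisely because a correct password proves nothing once the credential pair is public; the right response is a step-up challenge or forced reset, not a block on the password alone.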
Bracing for impact
Gartner Inc. analyst Avivah Litan speculated that the Micros data breach may be connected to recent cybersecurity attacks in retail and hospitality sectors. While no one has tied these hacks to any one service provider, Litan said, "There's a big chance that the hackers in this case found a way to get remote access," thereby initiating the recent string of high-profile data breaches.
Oracle emphasized that none of its corporate networks, cloud services or other networks were compromised. However, many details of the incident, including when the intrusion began, have yet to be revealed. Much of the malware used in these intrusions also bundles remote administration tools with "call home" features that connect infected systems to command-and-control servers for further commands and downloads, Wethington noted.