back to article Android Pay may, er, pay... providing it gets over security hurdle

Android Pay's UK launch is promising but could be held back by malware concerns, security and payment experts warn. The Google-backed technology launched in the UK on Wednesday, adding to the options smartphone users can employ when paying for goods and services using their mobile rather than a card. Smartphone payment systems …

  1. Anonymous Coward
    Anonymous Coward

    eliminating the need for consumers to carry a wallet

    until the battery dies ....

    1. Mookster
      Boffin

      Re: eliminating the need for consumers to carry a wallet

      If it were SIM-based it would work even without power..

    2. hellwig

      Re: eliminating the need for consumers to carry a wallet

      That's why I also have PayPal Pay setup. That just takes a phone number and PIN. Seems extremely insecure, but I don't need a phone OR wallet to shop at Home Depot or Office Max/Depot.

  2. Harry the Bastard

    ok, i'm a stick the mud

    but the idea of sticking all my cards/id/tickets on a phone, of whatever brand, seems pointless

    cards weigh c. 12g, fault tolerant, unaffected by impact/environmental conditions that'd damage/destroy most phones, don't need charging; lose one/all and you use your phone to report it, oh. and don't need a wallet, they work fine carried naked

    phones weigh a lot more, need charging, easier to damage, clumsier to handle, tend to need protection against impact/extreme environment; forget to charge it, break it, or lose it and with no cards or you it's much more likely that you're screwed

    1. Anonymous Coward
      Anonymous Coward

      Re: ok, i'm a stick the mud

      It isn't an either/or situation. If you generally use a card but happen to forget you wallet then you could use your phone.

      If you on your phone buying something then you don't have to hunt down your wallet to get your card details.

      As someone who once left their wallet at work and then found myself almost out of fuel and having to hunt for coins around the car to pay for just enough to get home, having a card on my phone would have been really useful (as long as it was secure!)

      1. VinceH

        Re: ok, i'm a stick the mud

        "As someone who once left their wallet at work and then found myself almost out of fuel and having to hunt for coins around the car to pay for just enough to get home, having a card on my phone would have been really useful (as long as it was secure!)"

        I've never done that - but if I did leave my wallet at the office it wouldn't be a major inconvenience; I always keep a small amount of cash in my pocket in case I did just that. I also don't keep all of my cards in my wallet - some are kept locked away at home, in case I was to ever leave my wallet at the office at the start of a weekend.

        The moral of this story: Don't keep all your eggs cash/cards in one basket your wallet.

    2. Steve Davies 3 Silver badge

      Re: ok, i'm a stick the mud

      Well, If you have NFC Capable cards in your wallet then their details can be slurped by someone just standing next to you in a queue/train/on the street.

      You could get rid of all the NFC versions of your cards and put them on your phone which can't be snooped like the raw cards. You still have them available for chip/pin use.

      However, I really doubt the intrinsic security of Android in this area when compared to Apple devices. Their secure vault was designed from the ground up for this sort of thing. Unless there is an equivalent in ALL android devices then won't some be more secure than others?

      With all the malware doing the rounds on Android, do you really want to risk using this?

      Only time will tell.

      Does not matter to me as my own phone is an old Nokia 6310 which is working fine thank you very much.

      1. Dave Bell

        Re: ok, i'm a stick the mud

        It's been my experience that cards in the same wallet interfere with each other, so I reckon the fears of sneak thieves scanning cards are exaggerated. Anyway, you can get a screened wallet if you're that worried. Though if somebody can scan a card and re-use the data they get to make a false payment, there must be a rather gaping flaw in the security of the system.

      2. R 11

        Re: ok, i'm a stick the mud

        Android uses the cloud to generate payment tokens. The phone stores a small number so that these can be used in a network black-spot.

        Given that, for the likes of iTunes or Google Play, either operator is likely to already be storing a copy of your credit card details, I'm not sure this is a big concern. If you don't but anything online, you're unlikely to be opting in to either service.

      3. ad47uk

        Re: ok, i'm a stick the mud

        A mate of mine and myself did some tests with data slurping, you need to be pretty close to the person and you need something that puts out a fair bit of power to get anything from cards unless they have them in their back pocket with no wallet., Most wallets are pretty thick and the power of a normal mobile that could be used to slurp the data would not really do it. unless you are really unlucky.

        We tried and most times it failed, and only worked when the phone is right up against the pocket of the victim and they only have to move a bit and it fails.

        We did modernise a phone which put out more power on the NFC chip, that worked, but the battery died pretty quickly.

        If you are really worried then get a wallet with is lined. the data slurping is not my problem with contactless, my problem is if I lose it,l anyone can pick it up and use it for a certain amount of time.

        As for using a Android device as contacless, nope, security is not good enough.

    3. Thomas Wolf

      Re: ok, i'm a stick the mud

      ApplePay is a lot more secure than physical credit cards as no credit card information is kept on the phone or transmitted during a transaction (for Android Pay I'm not sure ifGoogle maintains user credit card numbers anywhere on their servers now - that used to be the case with Google Wallet; I'm pretty sure Samsung's Payment system, because it needs to emulate a traditional magnetic credit card, keeps CC info somewhere - and is, thus, an invitation for hacking).

    4. ad47uk

      Re: ok, i'm a stick the mud

      i would still have to carry my wallet anyway, i have a coffee loyalty card that is a card and they put a stamp on it. There are other things I carry in my wallet that will never be put onto a phone, so no point for me. anyway I do not like contactless, it think they are a risk

      1. Anonymous Coward
        Anonymous Coward

        Re: ok, i'm a stick the mud...i would still have to carry my wallet anyway

        I carry a wallet, but it no longer contains my actual credit and debit cards, only a limited value charge card and some cash on top of the loyalty cards etc. If I make a trip specifically to buy something or get cash out of the ATM just down the road, I need to remember to bring a card, but that's it.

        The advantage I find with Android Pay (applies equally to Apple Pay) after just three days is that I no longer have to dig out my wallet and extract something from it, so the risk of something falling out is greatly reduced. I can also keep it in a less accessible pocket.

        AP is obviously getting used, on Wednesday afternoon the checkout guy in Lidl was totally unsurprised when I paid by phone.

  3. Anonymous Coward
    Anonymous Coward

    I don't see anything in any of the quotes about "The Android malware problem"...

    Could this just be some FUD piled on? An attempt at headline grabbing?

    1. Palpy

      RE: "don't see anything in the quotes " --

      -- about Android malware.

      Well, the topic is mentioned in paragraphs 4 and 5, I think. But see articles like this one.

      IMHO, credit-card-via-Android sounds like a very bad idea right now. Until there is an industry-wide security update mechanism in place -- and all manufacturers provide security updates -- and until the Unwalled Garden of Android is reasonably free of venomous snakes, I'm not letting a phone talk to my virtual wallet. Nope.

    2. Anonymous Coward
      Anonymous Coward

      Of course. The irony is, the same media outlets (ir) responsible for scaremongering are the same one reporting this.

      Back in the real world, my phone android phone has signed system image, locked and signed bootloader and the moment anything breaks that chain of trust and modifies the phone, android pay knows. You cant even run android pay on rooted phones.

      You also never actually use your actual card details, each transaction uses an unique virtual one time use card number.

      So yes, this whole article is pretty much fail

      1. Palpy
        Pint

        RE: "scaremongering"

        I stand corrected, sir.

        After a bit of Goggling upon the Online, it appears that remotely identifiable malware infections on Android are somewhere between 1.4 and 0.4 percent of devices. Very low, really.

        And as you and another noble commentard have written, the Google pay app is not unsophisticated. It apparently makes it quite hard for an attacker to leverage the transaction into data usable for fraud even if he has compromised your device and is able to log your activity.

        I salute the cooler heads. Have a beer.

  4. choleric

    Is the Apple store among the millions of stores that support it?

    1. Tessier-Ashpool

      Yes. In the same way that it will be accepted anywhere you see the contactless payment symbol.

  5. Anonymous Coward
    Anonymous Coward

    Early adopter

    I admit - I installed it and it worked fine in Tesco this morning. BUT

    I am extremely careful what I install - and look at - on my phone. I have one phone as a communicator and another for unserious stuff, and there is no way I would put Android Pay on the not-tightly-curated one. Other than the Google standard install and those of the manufacturer that I haven't disabled, I have almost no apps running.

    The important thing for me about Android Pay is that, like Apple Pay, it neither stores card details in the device nor exchanges them with the terminal. I have an NFC charge card for small transactions so I don't need to carry my high value cards except when I have to, and this just adds a level of redundancy (against the charge card being declined for instance.)

    The risks don't really seem greater than those of carrying an actual debit card linked to my account.

    1. inmypjs Silver badge

      Re: Early adopter

      "I would put Android Pay on the not-tightly-curated one."

      You mean the one that you somehow know can't be silently owned by a single MMS unlike most of the android phones in the world?

      Regardless of not trusting android why the fuck do you want to tell google every detail about every item you purchase with credit cards?

      Personally I would never give google a credit card number which would provide a definite link between my true identity and the vast amount of personal information they collect and collate.

      1. Lee D

        Re: Early adopter

        Differs from Apple Pay how?

        Your iPad, your iPhone your browser (Safari - even Chrome on iPad/iPhone is actually an Apple WKWebView control as alternate rendering engines aren't allowed), iTunes, etc.

        At least, when I was required to obtain one, Google et al will give you an EU Data Protection Guarantee that your data won't leave the EU. Apple / iCloud never did.

        1. inmypjs Silver badge

          Re: Early adopter

          "Differs from Apple Pay how?"

          By design apple do not get any information about your purchase and by design Google get everything.

          Apply pay is a service apple provide to their customers while android pay is a (personal information supply) service users provide to Google.

          Google intend to entice the stupid with sweeties like loyalty bonuses and discounts. You will probably be able to automatically tweet/G+ to the figments of you imagination you think give a shit what flavour latte you just android paid for at twatbucks etc etc.

      2. Anonymous Coward
        Anonymous Coward

        Re: Early adopter

        "You mean the one that you somehow know can't be silently owned by a single MMS"

        Nice to know you think I'm stupid. I have been following the Stagefright story since it broke in 2015. I replaced my wife's phone because it didn't get updated. Both our phones are identified by the various Stagefright checkers as being "not vulnerable". My SIM-equipped tablet is also classifed as being not vulnerable.

        I also direct all messages to the standard messaging app and disable download of MMS.

        Google know my true identity. Whoop de do. As more than one of my contacts is a Google contractor, there really is little point in worrying about it. I'm far more worried about the people who may have put my picture on Facebook and tagged it, thus meaning Facebook knows a lot about me without my having any control whatsoever.

  6. Horridbloke

    Excellent news

    Do we really want to reach the point where paying for things with anonymous cash ceases to be an option? I'm a nice honest law-abiding guy and I have something to hide - what I spend my money on.

    1. Phil Kingston

      Re: Excellent news

      Yep. If it makes the coffee queue in front of me move quicker, I'm all for it.

      Initial purchase of a prepaid card can be done anonymously for those who fancy it.

    2. Anonymous Coward
      Anonymous Coward

      BitCoins...

      Lets move to bitcoin wallets for the privacy aspect...

      Now all we need is a big company/payment provider to get behind it...

    3. Lee D

      Re: Excellent news

      I can't say I'd miss cash.

      Bear in mind that I rebutted the National ID card because of the database-joining worries (no problem with carrying ID, do have a problem if some random government official has access to that database for no good reason). And that I put my credit cards in RFID-blocking wallets, etc. And that I put off getting a biometric passport for as long as technically possible.

      But cash is outdated. Cash allows all sorts of things that you paying for a coffee anonymously doesn't really cover. When you can't hide transactions, stuff like the Panama Papers becomes much more difficult to hide. How many deals are done in cash purely because they are dodgy (I've had everything from windows cleaners and builders to coffee shops and consultants want to deal in cash to "not tell the tax man, eh? <wink, wink, nudge, nudge>")? And how many need to remain anonymous? Your coffee purchase isn't important, in the grand scheme of things. However, the stuff where you have no choice but to use a card or bank payment already is really the only stuff that someone might be interested in.

      Cash's big problem is that it isn't digital. We've proved you can be digital and anonymous, but nobody cares about that. Anonymity is not sacrificed by moving to digital, therefore, and criminals will use digital anonymous services too. But cash is inherently inconvenient - expensive to mint, expensive to handle, slow to use, bulky to carry, easy to steal, liable to loss or degradation, etc.

      I haven't used cash in - years. About the only place is bootsales and antique markets (and the latter now mostly take things like iZettle and Paypal themselves! Even the oldies are catching up!). You can easily live your entire life today and never touch a single coin or note. And that's an indicator of what your children are going to be doing in the future for themselves.

      Literally, I have no cash in my wallet. I have none in my car. I don't use ATM's (last time was literally years ago). I keep a fake-pound-coin-keyring to use trolleys in supermarkets (why they aren't electronic yet, I haven't worked out). In the office at work we have a "change pot" where we offload spare change. I rarely contribute but instead I PayPal my tech a tenner every time he goes McDonald's, then he pays by cash (no idea why), then the change goes into the pot as a biscuit / tea fund. But then I often order all our vital supplies on Amazon, via a card anyway. Pretty much the pot has ended up as a McDonald's / emergency petrol money fund.

      I have installed the Android Pay app already but I have NFC turned off. But you never know if you might lose your card and need a backup, and a phone is a good backup. If I have to remember to turn NFC on to actually use it, that's a bonus in my eyes, it prevents accidental confusion with Oyster or other RFID cards.

      But cash is really going to die, Your kids will think it quaint. Their kids won't know what it was.

      1. Lamont Cranston

        Re: Excellent news

        I use cash as little as possible (car parks seem to be a perennial problem), so I've upvoted, as I would like to see cash die out. I do have to wonder, though: what will the toothfairy leave under the pillow when cash is dead?

        1. Lee D

          Re: Excellent news

          An Amazon voucher.

          The Tooth Fairy got online years ago.

          Santa's been on there for many years (NORAD tracker, video messages from Santa, pay-Santa-to-answer-your-child's-letter website, online Santa wishlists, etc.). He was one of the early silver-surfers. Hell, Santa brings all my presents from Amazon nowadays (literally, 100% Amazon or online shopping for the last... ten years?).

          The Tooth Fairy is online, the Boogieman are already cybered up, it's just the Sandman that we're waiting for because the damn kids won't go asleep as they're playing Minecraft under the bed-covers (I have to say, the analog to me reading by torchlight under the bed covers is hardly different, if you think about it).

  7. DerekCurrie
    Meh

    Oh big surprise Google software is insecure -zzz

    If only Google paid as much attention to their own software security problems as they do to other's.

    Project Zero: A PR ploy?

  8. jb99

    Seemed to work

    I tried it. It seemed to work at marks and spencers.

    I probably won't use it again unless I forget my wallet as the card was slightly quicker and easier

  9. Ol'Peculier

    Installed and used it on Wednesday at Aldi, no problems. Doubt I'll use it frequently, but it's a good backup if I forget my wallet, although there is a part of my that is thinking about asking the bank for a new non-contactless card as, AFAIK, the phone won't process unless it's been unlocked?

  10. tiggity Silver badge

    Cash

    Works for me on small purchases - i.e.. general food shopping not "big ticket" items.

    Notes / coins depending on size of bill, quick and easy (and anonymous / untracked.in shops without CCTV)

  11. David Roberts

    Loyalty cards?

    Yes, I know they help spy on you but I do get the occasional "freebie".

    However I have so many (Waitrose, Tesco, Coop, Shell, Texaco, Nectar, Morrison.......) I have ended up with them in a separate wallet for ease of access.

    An electronic wallet to hold them all (including the ones I use once a month or less) would be a good thing.

    Extend it to library cards and the like - even better.

    1. Phil Kingston

      Re: Loyalty cards?

      If they're just barcode ones, there's plenty of apps to help you store them all on your phone.

      Dependent on your screen and the scanner type, they don't always scan, but the assistant can just type the number in for you and you still get your points. Without a separate wallet to remember on shopping trips.

      Personally, I use one called mobile-pocket as it seemed to be the only one that worked reliably and had an easy backup/restore to survive ROM/device changes without having to scan all the cards in again.

  12. Tree
    Unhappy

    Do you trust them?

    I do not trust these payment schemes. I am afraid that Microsoft, Google, Apple, etc. will want my wallet in their pockets. Possession being 99% of the law, what if the Bangladesh government domain stealers get into their servers? If they can steal $31 million from the Federal Reserve Bank of New York, who stands between them and Samsung Pay, anyway?

  13. mattkillen

    Samsung Pay

    Samsung Pay uses a substitute PAN, not the real card number, for both MST and NFC.

  14. Anonymous Coward
    Anonymous Coward

    "A third of Brits think that in just five years’ time they will no longer need cash"

    A couple of points:

    1. Most mobile devices are still very vulnerable if you get caught out in the rain without an umbrella.

    2. You gotta keep a mobile device charged at all times if you are goign to rely on it for day to day commerce.

    3. Cards such as Oyster are still not allowed into apps - the vendor won't let them have access to the card encrypted key.

    4. If you prefer to pay by contactless and/or mobile device, prepare to start paying extra fees on top of your purchases. Any shop that banks with Barclays always seems to add an extra 50p or so if you pay by card.

    5. Even with fairly widespread adoption of electronic payment methods in shops, it is still far from ubiquitous

    6. Small businesses such as market stalls are unlikely to be keen on switching to electronic payments, as this means they are forced to declare all income - where as with cash they can afford to give the customer the good old %20 discount (lose the VAT) in return for not incurring bank transaction charges

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022