That sounds like a very big mistake to me. And a missed opportunity: in some countries, banked work together to develop their own systems. People can send money to each other and pay everywhere with a small app that is not BigTech from the US.
I think there should be such an app in every country; you don't want your payment system to fully depend on US companies.
iDeal is ubiquitous in The Netherlands for individuals sending money to each other, and for online payments. However it does not support NFC payments in physical stores. Dutch banks decided to go with Google/Apple wallet for this. I believe in the longer term Wero https://wero-wallet.eu/ (and potentially the digital euro https://www.ecb.europa.eu/euro/digital_euro/html/index.en.ht...) is supposed to take over this usecase in the EU.
There's no contact info in your profile so I couldn't reach you. If you don't want to share it here, you could use the email address in my profile
For physical transactions there's barrier of hardware and network effect - everybody has card terminal. Users expect near 100% acceptance for them to use payment method daily.
If you consider creating own NFC payment app instead of Google/Apple Pay - that's actually possible, but more expensive and often disliked by the users due to inability to easily switch between cards issued by different apps.
Is it? Last time I checked, Apple & Google were also interfacing with banks on the server side, i.e. banks had to integrate with Apple/Google specifically. I'd love to be wrong, though.
But yes, as said I'd not use the same wording because it shouldn't just be a copy-paste, that's also wasting their time. I could refer to what was already submitted so they can more easily bundle them, but I understand you don't have it anymore so np. Thanks for mentioning you've submitted this in the first place and the additional info, that does motivate me to continue also submitting things and to know better what makes sense to submit :)
Twint does that. They started trying to make it "seamless" with NFC, but couldn't do it because of Apple (maybe now with the DMA it may change) and went for some kind of weird bluetooth stuff. Nobody used it. Then they moved to QR codes, and it quickly got very popular.
Everybody understands QR codes. No need to know whether your phone supports NFC or not, no need to go check if NFC is enabled in the settings, nothing. Everybody understands that they need to scan the QR code with their camera, period. Seems perfect to me.
It's even better than NFC because a small store can print their QR code on a piece of paper and not need to buy a terminal. Most stores just have the normal card terminal print the QR code and people scan it.
I don't know anyone in Switzerland using Apple/Google Pay, which IMO is a national success.
The bigger problem came from apps that threw null point exceptions on startup when probing for google play crap.
The following failed for at least one week over a two month period: parkmobile, multiple ev charging networks, uber, lyft, yelp.
Is this still an issue, or are things more reliable these days? (Ignoring the Google integrity stuff.)
I noticed that GrapheneOS got more than 2x Google’s advertised battery life until I installed Google Play Services in a sandbox. Then it dropped to advertised. You might want to add that to your complaint. Halving everyone’s battery life is easily quantified economic damage. (Privacy is more important than bundling $50 of battery, then wasting it, but easier for Google to wave away with big words and doublespeak.)
Some of those banks may also still support using their own tap-to-pay. Europe has a standardized system for it and many banks support it. Check https://privsec.dev/posts/android/banking-applications-compa... for those banks. There was a major shift to using Google Pay to reduce their development costs but there may be a major shift away from it now.
https://grapheneos.org/articles/attestation-compatibility-gu... should be sent to companies banning using GrapheneOS via the Play Integrity API. They can keep doing that while permitting GrapheneOS in a more secure way. Our users recently convinced several banks to implement it. Swissquote implemented it for their Yuh app and will hopefully do it for their main Swissquote app soon. It would be nicer if they didn't add Play Integrity API in the first place but progress can be made if users leave lots of reviews, support requests, etc. until they realize it's a big issue and either remove it or implement this as a replacement.
Phone nfc payments do not.
So yes, it's handy. Jot handy enough to use gpay for it, of course, but handy nonetheless.
It already does for web purchases, so there is no reason it could not. Not sure why this is not more commonplace.
The last time I looked at it, it was not possible because Android doesn't let apps control the uid that gets used for NFC.
Either way, even if apps had full control over the chip, my understanding is that building a wallet app would still amount to much more than just interfacing with the NFC chip.
The TWINT app says -- if their promo videos are to be trusted -- "Scan only QR codes from trusted sources and check the receiver of the payment in the next step". That doesn't fill me with confidence :(.
A dynamic QR code could be fine -- they have their app, you're able to bootstrap what is effectively a secure channel between the PoS machine and the app to give the vendor confidence their device has received payment and the consumer confidence that they're paying the right vendor. A static QR code is more challenging, and it sounds like they're putting more weight into social protections than I'm comfortable with -- especially considering a technical solution is possible and exists.
I'm especially wary of the warning that individuals can't have QR codes. Why not? Unless it's part of the social protection. But I can personally accept NFC contactless payments (having opened an account with a suitable provider), and indeed I bought a device which means I can accept chip and PIN payments too.
That's not related to ability to create own app - on both ios and Android you can access NFC hardware directly (on iOS it's limited geographically), and send card data as you see fit - Google & Apple do nothing in such case.
* The vast majority of the payments (almost all of them) are done with dynamic QR codes.
* The static QR code is mostly used by very, very small entities. Like the person asks you to scan their code, enter the amount and show them the confirmation. It is in their interest to show the right QR code.
* Sending money to a friend is done with the phone number as an id. It works, but you need to enter the mobile phone number of the receiver.
* There is one situation where static codes are printed and where phishing has been reported (it's not MITM, it's really just a QR code that sends you to a bad website): when paying for parking. You don't have to use it if you don't feel comfortable, and it is possible to feel comfortable because it actually just opens a website (so if you use it regularly you can learn to check that you are on the legit website before you make the payment).
Overall, it is super popular and it works really well. No need for NFC, and no need to install the Google Play Services \o/.
For technical side - there are companies selling complete SDKs.
These apps have worked reliability since our sandboxed Google Play compatibility layer added support for them in 2021. There wasn't a time period where these apps weren't compatible with GrapheneOS after they initially became supported. That was a problem with your setup, but there's no way to figure out what was wrong at this point. Updating sandboxed Google Play without keeping the OS updated is not supported. If you fell significantly behind on updates but were still getting sandboxed Google Play updates, that would explain why things broke. We sometimes gate those updates. We do keep things working for legacy extended support devices, but whether people are on a fully supported device or a legacy one they're expected to keep the OS updated. We don't keep compatibility with old OS versions indefinitely. Disabling the Network permission for sandboxed Google Play services or sandboxed Google Play Store is another possible cause. Regardless of the cause, that's not at all normal and doesn't reflect a typical experience.
> I noticed that GrapheneOS got more than 2x Google’s advertised battery life until I installed Google Play Services in a sandbox.
GrapheneOS will still tend to get better battery life with the same apps installed by the user unless you install a bunch of other Google apps to match the stock Pixel OS out-of-the-box experience. It's easy to make battery life worse by having multiple push messaging systems running at the same time though. Installing sandboxed Google Play in 2 separate profiles you always keep active could easily have worse battery life than the stock Pixel OS since it's 2 whole separate isolated instances of it vs. the stock Pixel OS having them built into the OS as highly privileged cross-profile system services.
While I've known that building a wallet is not as simple as configuring the NFC chip and one would have to interface with banks on the backend etc., I've failed to understand exactly why. What prevents a phone from emulating a regular physical credit card?
What it means - you cannot obtain working card profile if bank doesn't issue it to you. Therefore you need blessing from bank & card scheme to be connected to this ecosystem.
If you want to go deeper into this rabbit hole I can recommend two sources:
* https://developer.mastercard.com/product/mdes - Mastercards framework for tokenization
* https://developer.verestro.com/books/token-requestor - actual solution. It focuses on offering for single issuer, because market for Google Pay competition is pretty narrow, but technically it's mostly the same + way more red tape.
If you ever decide to try - ping me, I happen to know a few guys there :-)
If this were possible fraudsters would be easily be able to clone people's cards by getting close to them. The protocol was explicitly designed for this to not be possible. There are secrets that live on the card itself and are not exposed
A counter-point might be that my credit card doesn't require Google Play Services either. And won't run out of battery. And works with all the local businesses, including the smallest -- while there are some people (mostly outside cities) who still only take cash, I can't imagine them signing up for TWINT either.
There are several providers of services allowing individuals and small traders to accept credit and debit cards, and I've happily accepted cards from foreign banks too.
I'd be sceptical of anything like TWINT catching on in the UK, because NFC payments are already ubiquitous and also really easy to use.
I didn't say you have to like them. But if you claim they are insecure, I feel like it's my right to note that you may be wrong.
> A counter-point might be that my credit card doesn't require Google Play Services either.
That is not exactly a counter-point in a discussion between a mobile app doing NFC and a mobile app using QR codes, is it?
> I'd be sceptical of anything like TWINT catching on in the UK, because NFC payments are already ubiquitous and also really easy to use.
That's another question. My original point was that non-US banks should not depend on Google Play Services or Apple Pay (which at least until very recently was the only way to pay with NFC on iPhones, wasn't it?).
Behaving like a credit card does not mean that the credit card is clonable.
With some luck it will be even routed to your bank. Then it will fail due to invalid authentication. I think there's a defcon talk on YouTube that details the exchange.
> If you ever decide to try - ping me, I happen to know a few guys there :-)
Ha, I have actually been entertaining that idea for quite some time, but it seems rather difficult to penetrate that domain as an outsider. The links you shared only seem to confirm that. :-\ I'm not sure I would even want to compete with the Google/Apple Pay duopoly, for now I'd mostly just be interested in an open-source, privacy-preserving solution for contactless payments.
Anyway, you might want to add your contact info to your HN profile – just in case. ;-)