In a previous blog post I urged you to adopt a digital wallet. Players in the digital wallet arena are falling by the wayside, but this leave unchanged the important reason why you should adopt a digital wallet, namely that bad guys won’t be able to skim your credit card number as they would with your use of a swiped mag-stripe card. Most strikingly the digital wallet that I adopted, Softcard, has bitten the dust. Appropriately for this blog, nobody actually purchased the ill-fated Softcard. Instead someone merely purchased its intellectual property.
A mere week after I blogged my recommendation that you adopt Softcard, the news stories began to circulate that Softcard was on the ropes. Depending on the news story that you might read, it was laying off 15% or 30% of its employees. Scuttlebutt web sites quoted disenchanted employees describing a workplace where bosses told underlings they would not need to come to work (but would still draw paychecks) because no one would notice their absence. Many a news story gleefully recounted that the company had originally been named “Isis” and had felt the need to rename itself for obvious reasons. It was finally understood that the owners of Softcard (Verizon, AT&T, and T-Mobile) had formally put Softcard “in play”. Rumors circulated for weeks that Google (or Paypal) might buy Softcard and fold it into Google’s own “Google Wallet” tap-to-pay system.
Things finally reached closure. Softcard and Google jointly announced that Google was purchasing the intellectual property of Softcard (the core of which is about 100 pending patent applications) and that Softcard would close its doors. As part of this deal, the three mobile players (Verizon, AT&T, and T-Mobile) which had a year earlier blocked Google Wallet from their phones in favor of their own Isis/Softcard would now not only welcome Google Wallet on their phones but would promise to preload it on all their Android phones going forward.
What’s going on of course is that Apple’s digital wallet, called Apple Pay, has been wildly popular and the other digital wallet players are scrambling to regroup in an effort to keep up with Apple Pay’s market penetration. At about the time that Google snapped up the valuable bits of Softcard, phone maker Samsung purchased Loop Pay. And now Paypal, not wanting to get left behind, has snapped up Paydiant which is the backbone provider for a system called CurrentC which is a payment tool being developed by Walmart and Target.
Loop Pay is a fascinating technical hack. The idea of Loop Pay is to sidestep the problem that most of the contactless payment systems, including Apple Pay, Softcard, and Google Wallet, work only on NFC-equipped credit card terminals. Loop Pay, on the other hand, works on nearly all “swipe” terminals. If you are a Loop Pay user, instead of swiping your mag-stripe credit card through a slot with a magnetic read head inside, you peek inside the slot and see where exactly the magnetic read head is located and you hold a magnetic loop close to the read head. The loop then emits a coded magnetic signal that fakes the read head into thinking that a mag-stripe card has passed nearby.
The alert reader will realize that Loop Pay has a couple of big drawbacks. First is that if your motivation for using a contactless payment system is to avoid exposing your credit card number to bad people who might have penetrated some retailer’s network, Loop Pay is no good. It simply feeds your credit card number in an unencrypted way to the magnetic read head the same way that the mag stripe would have done. A second thing to think about is that some mag-stripe readers (for example those in gas station pumps) swallow the card completely and before reading the stripe. Such readers have a read head that is located deep inside the housing, so deep that the Loop Pay magnetic loop cannot get physically close enough to the read head to trick it into thinking that a mag-stripe card has passed nearby.
So what’s the bottom line? Should you still even now adopt a digital wallet for contactless payments? The answer is still “yes”, at least if you use an NFC (near-field communications) system such as Google Wallet and Apple Pay. Such a system, as I explained in my earlier posting, never communicates your card number in the clear, but instead only communicates a one-time-use digital token, a token that is of no help to a skimmer because it cannot be used a second time.
If you use an Android phone, then Google Wallet is the way to go. Those who own the most recent models of iPhone will, on the other hand, find it most convenient to use Apple Pay.