Licensing, Not Security, Drives New Transit ‘Standard’

The vendor group planning to launch a contactless transit-ticketing offer to compete with world-dominating Mifare technology is selling its initiative as a much-needed move to open standards and one that also provides security transit operators can trust.

But make no mistake about it: This initiative is mainly about licensing–Mifare licensing.

Introduced in 1994, Mifare has been wildly successful for its owner, NXP Semiconductors, formerly known as Philips. The chip maker estimates that more than 1 billion Mifare chips have been shipped over the years and are used in cards in nearly 700 cities for transit fare collection. Mifare accounts for three-quarters of the yearly market for contactless transit cards–a market that will top 200 million cards in 2010, forecasts vendor trade group Eurosmart. All this makes Mifare the most used contactless-card technology of any kind.

And that has made a nice living for NXP, even after taking into account the millions of cloned Mifare cards produced every year in China.

While the well-publicized hacks of Mifare Classic cards in 2008 tarnished the brand, it’s still going strong. And the attacks created more demand for NXP’s more secure Mifare products: DESFire, which had been largely ignored by transit operators after NXP introduced it in 2002, and Classic replacement Mifare Plus. So, it’s perhaps not hard to see why NXP is guarding its Mifare franchise closely.

In 2008, NXP opened up its licensing of Mifare to other chip vendors for the first time in many years, granting a license for the “entire Mifare family” to Renesas Technology of Japan, then another last year to Switzerland-based STMicroelectronics. But these licenses only permit Renesas and ST to produce Mifare chips for SIM cards or other secure elements in NFC phones and for Mifare applications on dual-interface chips in banking cards.

These are promising markets for Mifare but account for very few shipments so far. What the chip makers cannot do with the licenses is produce chips for the voluminous market for standalone Mifare transit cards.

About the only chip maker besides NXP that can legally ship Mifare chips for transit cards is Infineon Technologies, which is anchoring the new vendor group challenging Mifare.

Infineon has done all right by Mifare, as well. When it was spun off by Germany-based Siemens group in 1999, Infineon took with it a grandfather arrangement from an old Mifare licensing deal between Siemens and Mifare creator, Mikron, which Philips acquired in 1998. The deal allows Infineon to produce low-end Mifare compatible chips royalty-free. Among its contracts, say sources, is supplying chips for the large, high-profile, Oyster fare scheme in London.

Unfortunately for Infineon, the owner of the scheme, Transport for London, was one of the transit agencies publicly shamed in 2008 by hackers demonstrating how easy it is to crack Classic’s aging Crypto1 encryption scheme.

TfL decided to upgrade to more expensive DESFire, NFC Times has learned. But Infineon doesn’t have a license to produce DESFire cards–or DESFire SIM chips, for that matter. The SIMs will come into play when TfL puts Oyster on NFC phones, as the transit authority has promised to do.

Infineon probably saw the handwriting on the wall for Mifare Classic more than two years ago, when it began developing the technology for its new transit chip. And it knew it would probably be blocked from supplying chips for higher-end Mifare cards.

Meanwhile, NXP’s archrival in the budding market for NFC chips, Inside Contactless, can’t get any Mifare license at all.

Inside said it was turned down for a license on “multiple occasions” between 2007 and 2009. NXP is locking Inside out of Mifare so that mobile operators will order NFC phones packing NXP chips, in anticipation of commercial Mifare m-ticketing projects, Inside believes.

Card vendors involved in the vendor group planning the Mifare alternative, Oberthur Technologies and Giesecke & Devrient, also have a problem. Rival Gemalto has a Mifare license, which would help it supply DESFire-based SIM cards or other secure elements for NFC phones. That would give Gemalto a leg up on Oberthur and G&D if transit operators start asking for higher-end Mifare applications on NFC phones.

All this sheds light on reasons the vendors want a Mifare alternative. But they would say that NXP's restrictive licensing policy and the Mifare "monopoly," as Inside Contactless put it, the policy has created, is the very reason the industry needs "open standards" and greater attention to security for transit cards and applications.

Still, while open standards for chips in transit cards and NFC phones might sound good on paper, observers doubt the vendors will be able to pull off even a simple open-standard scheme, let alone something similar to the EMV standard for bank cards, as some have suggested they try to do.

The vendors would either have to form their own standards body or enlist one already in operation; no mean trick on either score.

As for higher security the new transit offer would provide, NXP’s has offered the same level and type of encryption technology on DESFire cards since 2007, but few transit operators have bought it. Mifare Plus, launched in late 2009, also offers the AES 128-bit encryption scheme.

Many operators and their consultants seem content to go on ordering cheap and plentiful Mifare Classic cards, despite the low security. The operators can guard against widespread cloning on the backend of the fare-collection system, while accepting the risk of a few pilfered rides here and there by fraudsters.

Yet, besides their desire to get around restrictive Mifare licensing, perhaps the new vendor group sees an inviting target in NXP, which group members say was unprepared to respond forcefully to the inevitable Mifare hacks in 2008 and the bad publicity they caused.

Whether that is enough to crack NXP’s dominant share of the transit fare-collection market remains to be seen.

Dan Balaban is editor of NFC Times.


More Transit Authorities and Operators, Including Those in UK, to Support Google Pay

Nov 6 2019

NFC TIMES Exclusive – San Francisco Bay Area transit authority MTC has confirmed to NFC Times that it will support mobile payments with its closed-loop Clipper transit card, including with Google Pay, by the end of 2020.

NFC Wallets Make Up Growing Share of Contactless Payments on London Transit

NFC TIMES Exclusive – Use of NFC wallets continues to steadily increase as part of Transport for London’s landmark contactless payments service, with payments from NFC-enabled smartphones and smartwatches now accounting for 20% of all contactless payments, NFC Times has learned. 

Market Research Firm: Apple Pay Surpasses Starbucks App in Users in U.S.

NFC TIMES Exclusive Insight –Apple Pay, which launched its mobile payments service five years ago this week in the U.S., has so far failed to live up to expectations with the service, either in the U.S. or globally, in terms of users and transactions.

Cubic Strikes Deal with Google to Enable Closed-Loop Transit Payments in Google Pay

NFC TIMES Exclusive Insight – In a move that could enable more large transit agencies to offer NFC mobile payments with their closed-loop transit cards, U.S.-based Cubic Transportation Systems has signed an agreement with Google to integrate contactless transit cards with Google Pay. Among the agencies planning to support the service are those serving Google’s home base in Silicon Valley and the San Francisco Bay Area, as well as the Metropolitan Transportation Authority in New York. 

In-Depth: Persistent Consumer Security Fears about Mobile Payments Prove Difficult to Dislodge

NFC TIMES Exclusive Insight – Results of yet another survey has shown that a significant percentage of U.S. consumers continue to harbor security fears about using their smartphones for payments, a stubborn problem that has hindered growth of mobile payments from the beginning.

Mobile Suica Still Accounts for Disappointing Share of Suica Users and Transactions in Japan

NFC TIMES Exclusive – While Apple Pay next month will mark the 5th anniversary since its launch in the U.S., there is another contactless-mobile payments service that is three times as old as Apple Pay–Japan’s Osaifu-Keitai, or wallet phones, which this year turned 15. 

Rome Latest Transit System to Launch Open-Loop Fare Collection; also Enables Monthly Passes with EMV Cards

NFC TIMES Exclusive Insight – Rome has become the second major city in Italy–and one of a small but growing number of large cities globally–to enable riders to pay transit fares with EMV contactless credit, debit and prepaid cards and NFC devices.

Vivo Last of Major Chinese Smartphone Makers to Officially Launch NFC Pays Wallet

NFC TIMES Exclusive Insight – Vivo, China’s second largest smartphone maker, made it official this week, launching its NFC-enabled “vivo Pay” wallet, the last of the major Chinese phone OEMs to roll out NFC payments–though their use has been disappointing, at least for payments in stores.

In-Depth: Fit Pay’s Troubles Indicate Difficult Business Case for Provisioning to Wearables

Sep 19 2019

NFC TIMES Exclusive Insight –  Given the poor financial results of U.S.-based Fit Pay, it’s becoming clear that the business case for provisioning of payment cards to wearable devices remains difficult.

Analysis: Chase Pay Latest Bank Wallet to Shut Down; Why Did They Fail?

NFC TIMES Exclusive Insight – Plans disclosed this week by JPMorgan Chase to shut down its Chase Pay app for in-store purchases is yet another nail in the coffin–perhaps the final one–for bank wallets in the U.S. And the situation does not look much brighter for bank-issued wallets abroad.

Miami Latest U.S. City to Introduce Open-Loop Transit Payments

NFC TIMES Exclusive Insight Transit officials in Miami-Dade County, Fla. are the latest in the U.S. to introduce open-loop payments of fares with contactless credit and debit cards and bank card credentials on NFC wallets, launching the service yesterday on the city's relatively small metro network, with plans to expand to buses later.

UK Tram Riders Take to Tapping with NFC phones to Pay for Fares, According to Early Results

NFC TIMES Exclusive – Transport for Greater Manchester, which last month launched open-loop payments on its large Metrolink tram network, said Thursday that contactless credit and debit cards and NFC wallets accounted for a combined 170,000 rides during the first four weeks of the service.