The truth about contactless payments in fitness bracelets

Hey Habr.

Recently I have quite often encountered a misunderstanding among Russian users regarding contactless payments in cheap wearable electronics and the role of the NFC chip in that functionality.

All sorts of news sites play a big role in this: their authors mindlessly (or deliberately, chasing clickbait) copy-paste each other and invent interesting tricks along the way. The situation is aggravated by announcements of new devices, such as the Xiaomi Mi Band 4, and by news of the imminent arrival of the Xiaomi Mi Pay payment system in Russia in cooperation with MasterCard.
With this post I would like to dispel the misunderstanding that has developed in Runet on this topic.

At the moment, only a few types of devices are able to make contactless payments at the checkout using NFC:

  • Apple Watch with Apple Pay;
  • Smartwatches running Google's operating system (Android Wear, Wear OS) with Google Pay support;
  • Smartwatches from Samsung on Tizen OS with Samsung Pay;
  • Fitbit Pay (not working in Russia) and perhaps a few more unpopular options.

In general, there are not many such devices on the market, and, most importantly, their price will put many buyers off, as will their short battery life.

A couple of years ago, models with an NFC chip began to appear among all kinds of fitness bracelets and semi-smart watches. This is where it started... Journalists, not understanding how it works, confuse people with the possibility of contactless payment via Alipay and promise the imminent arrival of mobile payments on every wrist. It still has not arrived. Users want to believe that any moment now their cheap Mi Band 3, prudently bought in the NFC version, will replace their wallet. But, alas.

The vast majority of these gadgets are made in China for the domestic market, and many later reach the global market. So how does contactless payment work in the Chinese domestic market? Two technologies stand out:

1. Payment via QR or barcode. The Chinese use this implementation everywhere. The point is the following. Almost every user has a smartphone with them. On that smartphone, with 99.9% probability, the “more than just a messenger” WeChat is installed with its electronic wallet, or the Alipay application, which is practically an electronic bank from the Alibaba group. There are two ways to pay at the checkout using these applications on a smartphone. Let's consider them.

1.1 The user scans the merchant's QR code with the smartphone's camera, enters the required amount (or it is already encoded in the seller's QR code) and then confirms the transaction (password or biometrics). Money is instantly deducted from the buyer's wallet in favour of the seller. This method cannot be used on a bracelet, since it has no camera.

1.2 The user shows the merchant a QR/barcode generated by the wallet app, and the cashier scans it with a hand-held barcode scanner. The amount is likewise instantly debited in favour of the seller. What does the paying gadget need for this? Only what it already has: a display and some brains. That is why Alipay implemented this payment method. A supported wearable device is linked to the Alipay app; a separate secure account with a payment limit is created for it in the wallet, and the gadget is assigned a static pair of codes (QR and bar) that are stored on it. From then on, payment takes place offline, without the smartphone taking part: the transactions reach the Alipay servers from the store's checkout. In fact, this is the only way to pay for purchases in a store in China with such devices.

2. The great and mighty NFC. Here we will talk not only about payment, but also about the other capabilities of bracelets with an NFC chip. Let's start, of course, with payments. What comes first here? That's right: security. The same Mi Bands, with their frail controllers and cheap NFC chips, cannot provide a sane level of security, so no manufacturer entrusts them with emulating their users' bank cards. A transport card, though, is another matter: kilobucks usually aren't riding on one. In fact, this is one of the main purposes of the NFC chip in Mi Band-like trackers. It works like this. The manufacturer cooperates with public carriers (metro, city buses). In the branded application, in the NFC functions section, the user buys a transport card for the bracelet. A virtual one, of course, but at a real cost: about 20 yuan (~200 rubles) as a non-refundable deposit, with the rest going to the balance (the amount is at your discretion). The card is written to the bracelet and from then on is used completely autonomously to pay for the fare. It is very convenient, since no extra gestures are needed to trigger it: just hold your hand to the reader and the payment is made. The card is topped up, just as conveniently, in the bracelet's application using the same WeChat or Alipay.

Another feature that accompanies bracelets with an NFC chip is access card emulation. The function is useful and convenient, but in China, in today's conditions, it arrived rather late. I'll explain why. First, NFC operates at a frequency of 13.56 MHz, so only cards at this frequency are supported. Second, it is again about security. The bracelet can read and correctly emulate only cards without encryption, and, as it turned out (thanks to the w4bsit4-dns.com forum), the UID length must be XNUMX bytes. Otherwise, even if you copy the card, the reader at the checkpoint will not open the door for you. Manufacturers handle this differently. For example, the MiFit app will simply prevent you from copying an unsupported card, whereas the native application of the Hey+ bracelet copies everything it can without a twinge of conscience, but does not guarantee correct operation. As practice has shown, such an insecure intercom or checkpoint in China still needs to be looked for. I did not find one.
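As an added illustration (not code from the original post), here is a small Python model of the two app behaviours described above and of why a bracelet's copy only works at checkpoints that check nothing but the UID. The card UIDs, the key and the HMAC challenge-response are constructed assumptions for the model, not any real card or reader protocol.

```python
import hashlib
import hmac
import os

# Constructed sample cards (not real UIDs or keys). A plain card exposes only
# its UID; a secured card additionally holds a key that is never read out over
# the air and is only ever used inside a challenge-response.
PLAIN_CARD = {"uid": bytes.fromhex("04a1b2c3"), "key": None}
SECURED_CARD = {"uid": bytes.fromhex("04d4e5f6"), "key": bytes.fromhex("0f" * 16)}


def card_respond(card, nonce):
    """What a genuine card answers to a reader's challenge (assumed HMAC scheme)."""
    if card["key"] is None:
        return None  # a plain card, or an emulation of one, has nothing to prove
    return hmac.new(card["key"], nonce + card["uid"], hashlib.sha256).digest()


def emulate_on_bracelet(card, strict=True):
    """Model of bracelet copying: the UID (and unprotected data) can be read, the
    key never can. strict=True refuses encrypted cards outright (MiFit-style);
    strict=False copies whatever is readable and hopes for the best (Hey+-style)."""
    if card["key"] is not None and strict:
        return None
    return {"uid": card["uid"], "key": None}


def uid_only_reader(card, allowed_uids):
    """Weak checkpoint: any tag presenting a listed UID opens the door."""
    return card["uid"] in allowed_uids


def authenticated_reader(card, keystore):
    """Checkpoint that demands proof of the key: fresh challenge, keyed response."""
    if card["uid"] not in keystore:
        return False
    nonce = os.urandom(16)
    expected = hmac.new(keystore[card["uid"]], nonce + card["uid"], hashlib.sha256).digest()
    response = card_respond(card, nonce)
    return response is not None and hmac.compare_digest(response, expected)


def run_scenarios():
    """Returns which (card, reader) combinations open the door."""
    allowed = {PLAIN_CARD["uid"], SECURED_CARD["uid"]}
    keystore = {SECURED_CARD["uid"]: SECURED_CARD["key"]}
    plain_copy = emulate_on_bracelet(PLAIN_CARD)
    strict_copy = emulate_on_bracelet(SECURED_CARD, strict=True)
    loose_copy = emulate_on_bracelet(SECURED_CARD, strict=False)
    return {
        "plain_copy_at_uid_reader": uid_only_reader(plain_copy, allowed),
        "mifit_refuses_secured_card": strict_copy is None,
        "loose_copy_at_uid_reader": uid_only_reader(loose_copy, allowed),
        "loose_copy_at_auth_reader": authenticated_reader(loose_copy, keystore),
        "genuine_at_auth_reader": authenticated_reader(SECURED_CARD, keystore),
    }
```

The last two results are the point for anyone operating a door or intercom: a reader that verifies a key, not just a UID, rejects the bracelet's copy while still admitting the genuine card.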

In Russia, things are better in terms of usability. For example, users of the same forum confirm normal operation with the Moskvenok pass card and with some intercoms.

There is also another interesting possibility: to create a "clean" card, go to the management company and register it in their system. Unfortunately, I was unable to test it for a number of reasons. One of them left me no chance at all: to create such a card, the same notorious MiFit from Xiaomi asks to confirm my identity with a Chinese ID, which I cannot have. And in general, Chinese security is not dormant. While these features are open for use with the Hey+ wristband, MiFit simply refuses to enable NFC features for accounts registered outside mainland China.

That is perhaps where I will end.

All of the above is based on personal experience and logical conclusions from it.

And the conclusions are as follows: you should not expect payment systems to appear in the class of cheap fitness trackers, even those with a built-in NFC chip, even in light of the news about the imminent launch of Mi Pay in Russia. If Mi Pay does appear in the future on one of the Mi Bands not yet presented, it will not be before it has been tested in China's home market, and there is no talk of that yet.

I hope this article will be useful to the community, and the Runet as a whole. Healthy criticism is welcome.

Source: habr.com
