Comparison Between Apple Pay and Ali Pay
Zhu Liang, Li Zhihao, Xu Chuchu
2016

Contents
1. Introduction
2. Security
3. Authentication
4. Communication

Introduction of Apple Pay
- A tokenized NFC payment method.
- Payment information flows from the iPhone to the merchant, acquirer bank, payment gateway and issuer bank, layer by layer.
- High security through the use of tokens and other secure units.
Apple Pay procedure (diagram: Customer, Merchant, Acquirer, PG, Issuer):
1. Customer uses Apple Pay (NFC & Touch ID).
2. Payment is verified by layers.

Introduction of Ali Pay
- Third party: Ali Pay plays the role of intermediary; it creates an e-wallet and controls the cash flow.
- Double password: the login password and the payment password are not the same.
- Online: all payments are based on the Internet.
- QR method: scan a QR code to pay someone else, or let the merchant scan the customer's QR code to start a payment procedure.

Apple Pay Security: Major Technology (Tokenization)
- A token represents the card number.
- The token is saved in the Secure Element in the iPhone.
- The conversion from card number to token is irreversible.
- The key point is Touch ID.

Apple Pay Security: Core Units in iPhone
Secure unit: function
- Secure Element: core; saves the token, prevents physical attack
- NFC Controller: router; connects POS, SE and AP
- Passbook: shows card and transaction information
- Touch ID: acquires the fingerprint
- Secure Enclave: provides a secure environment in the iPhone
- Apple Pay Server: manages card and account, communicates
Secure channels between the core units:
- Secure communication between Secure Enclave and Touch ID
- Secure communication between Secure Element and Secure Enclave

Apple Pay Security: Secure communication between Secure Enclave and Touch ID
- Diagram labels: Attacker (Application Processor), Touch ID, Secure Enclave
- Session key shared by Touch ID and Secure Enclave
- Based on the AES-CCM algorithm

Apple Pay Security: Secure communication between Secure Element and Secure Enclave
- Diagram labels: Attacker (NFC Controller and Application Processor), Secure Element, Secure Enclave
- Cannot use a session key
- The key is distributed to the SE during production
- Based on the AES algorithm

Apple Pay Security: Preventing replay attacks
- Dynamic Security Code (DSC)
- Device Account Number
- The payment network verifies the DSC
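
Added example (not from the original slides, and not Apple's or any payment network's code): a sketch of how a verifier can use a per-transaction dynamic security code to reject a replayed payment message. The HMAC-SHA256 construction, the transaction counter, the terminal nonce and the names PaymentNetwork and dynamic_security_code are assumptions made for illustration; all sample values are constructed.

```python
import hashlib
import hmac

def dynamic_security_code(key, dan, counter, amount_cents, terminal_nonce):
    """One-time code bound to the device account number (DAN), a
    per-device transaction counter, the amount and the terminal's nonce.
    HMAC-SHA256 is an assumption standing in for the real cryptogram."""
    msg = b"|".join([dan.encode(), str(counter).encode(),
                     str(amount_cents).encode(), terminal_nonce])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class PaymentNetwork:
    """Hypothetical verifier: knows each DAN's key and last seen counter."""
    def __init__(self):
        self.devices = {}  # dan -> [key, last_counter]

    def enroll(self, dan, key):
        self.devices[dan] = [key, 0]

    def verify(self, dan, counter, amount_cents, terminal_nonce, dsc):
        entry = self.devices.get(dan)
        if entry is None:
            return "unknown-device"
        key, last_counter = entry
        expected = dynamic_security_code(key, dan, counter, amount_cents,
                                         terminal_nonce)
        if not hmac.compare_digest(expected, dsc):
            return "bad-dsc"      # wrong key, or any bound field altered
        if counter <= last_counter:
            return "replay"       # a valid DSC that was already spent
        entry[1] = counter
        return "approved"

def demo():
    key = bytes(range(32))        # constructed key, provisioned at enrolment
    dan = "4000000000001234"      # constructed DAN, not a real account number
    nonce = b"\x01\x02\x03\x04"   # constructed terminal nonce
    network = PaymentNetwork()
    network.enroll(dan, key)
    dsc = dynamic_security_code(key, dan, 1, 1999, nonce)
    first = network.verify(dan, 1, 1999, nonce, dsc)
    replayed = network.verify(dan, 1, 1999, nonce, dsc)   # captured and resent
    altered = network.verify(dan, 2, 999999, nonce, dsc)  # old DSC, new fields
    return first, replayed, altered

if __name__ == "__main__":
    print(demo())  # ('approved', 'replay', 'bad-dsc')
```

Because the code covers the counter and the amount, a captured message is useless both as an exact resend and as a template for a different transaction.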

Apple Pay Security: Security threats of Apple Pay
- SE: the SE module is damaged
- Touch ID: Touch ID is jailbroken
- Third-party app: an unauthorized application leads to a threat

Ali Pay Security: Security demands of Ali Pay
- Confidentiality: encryption of the exchanged message behind the QR code
- Integrity: use a hash function to secure the integrity of the exchanged message
- Non-repudiation: use a digital signature

Ali Pay Security: Security threats of Ali Pay
- Online operation causes a security threat: the payment procedure is entirely online, which may lead to leaks of secure information.
- Theft of the QR code: if the QR code is stolen, an attacker can easily attack your e-wallet, although the QR code has a timeliness of about 5 min.
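
Added example (not from the original slides, and not Ali Pay's code): a server-side check of a payment QR payload that enforces the roughly 5-minute lifetime mentioned above, detects modified contents, and additionally accepts each code only once so that a copied code is refused after its first use. The payload layout, the HMAC-SHA256 tag used as the keyed integrity hash, the single-use rule and the names issue_qr_payload and QrVerifier are assumptions; a digital signature for non-repudiation is not shown. Sample values are constructed.

```python
import base64
import hashlib
import hmac
import json

VALIDITY_SECONDS = 5 * 60  # the roughly 5-minute lifetime stated above

def issue_qr_payload(key, account_id, nonce, issued_at):
    """Text encoded in the QR code: claims plus a keyed integrity tag."""
    body = json.dumps({"acct": account_id, "nonce": nonce,
                       "iat": int(issued_at)}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())

class QrVerifier:
    """Hypothetical payment-system side of the check."""
    def __init__(self, key):
        self.key = key
        self.redeemed = set()  # nonces already paid against

    def redeem(self, payload, now):
        try:
            body_b64, tag_b64 = payload.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:        # wrong part count or invalid base64
            return "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-tag"      # contents changed after issuance
        claims = json.loads(body)  # safe to parse: the tag verified
        age = now - claims["iat"]
        if age < 0 or age > VALIDITY_SECONDS:
            return "expired"
        if claims["nonce"] in self.redeemed:
            return "already-used"  # second presentation inside the window
        self.redeemed.add(claims["nonce"])
        return "accepted"

def demo():
    key = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
    verifier = QrVerifier(key)
    code = issue_qr_payload(key, "acct-001", "n-1", issued_at=1000)
    forged_body = base64.urlsafe_b64encode(b'{"acct": "acct-999"}').decode()
    forged = forged_body + "." + code.split(".")[1]
    return (verifier.redeem(code, now=1060), verifier.redeem(code, now=1120),
            verifier.redeem(forged, now=1060),
            verifier.redeem(issue_qr_payload(key, "acct-001", "n-2", 1000), now=1400))
```

The expiry check alone leaves the whole validity window open to a copied code; the redeemed-nonce set is what closes it in this sketch.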

Ali Pay Security: Security threats of Ali Pay (continued)
- Third-party threat: as a controller, Ali Pay may become the bottleneck of the whole payment procedure.
- Authorization: when a customer scans another party's QR code for payment, the authorization of the QR code needs to be strengthened.

Authentication
1. How Ali Pay achieves authentication
2. How Apple Pay achieves authentication

Real Name System of Ali Pay: Real Name Registration
Customers are divided into three types. Corresponding user authentication requirements are provided for the different client types.
- Type 1: payment service: Consumption, Transfer; payment limit: 1,000 RMB in total; authentication method: at least one online authentication channel
- Type 2: payment limit: 100,000 RMB a year; authentication method: face-to-face authentication / at least three online authentication channels
- Type 3: payment service: Investment; payment limit: 200,000 RMB a year; authentication method: face-to-face authentication / at least five online authentication channels

Real Name System of Ali Pay: Real Name Registration (continued)
Users need to provide different types of information to the system so that they can be classified into the three categories, including filling in a personal information questionnaire, uploading a photo of their identity card, binding a bank card, etc. Ali Pay keeps the user's user name, gender, address, contact means and state ID number on file.

Ali Pay Fingerprint Authentication: Using NNL S3 Authentication Suite
Ali Pay uses the Nok Nok Labs S3 Authentication Suite to enable secure online payments using Fingerprint Sensor (FPS) technology. The S3 Authentication Suite is the only authentication platform that supports all of the FIDO authentication modes, including the passwordless mode and the password augmentation mode.

Ali Pay Fingerprint Authentication: Using NNL S3 Authentication Suite
The NNL S3 architecture features:
- An NNL Multifactor Authentication Client (MFAC) using an abstraction layer.
- Authentication for Web applications, achieved with a JavaScript library that communicates with the MFAC using a browser plug-in.
- Authentication for mobile apps, enabled by integrating with the NNL Mobile App SDK.

Ali Pay Fingerprint Authentication: Using NNL S3 Authentication Suite (continued)
The NNL S3 architecture features:
- MFAC communicates with MFAS using the Universal Authentication Framework (UAF) protocol, allowing MFAS to interoperate with any FIDO Ready device and authentication method.
- MFAS can be deployed in different environments, and it provides Web and mobile applications with REST API endpoints to handle device registration.

Apple Pay System (figure; source: BI Intelligence)

Authentication of Apple Pay: How Apple Pay Achieves Authentication
- Data authentication: an emerging form of tokenization increases the security of transactions made within apps and in-store.
- Device authentication: each Apple Pay transaction has a unique value to ensure that the transaction is coming from an authorized device.
- User authentication: Apple requires the user's bank to have an additional user authentication system. In addition, Apple Pay requires fingerprint authentication through Touch ID.

Mobile Payment Communication
Table (rows: Name, Position, Communication):
- Ali Pay: communication by QR code
- Apple Pay: communication by NFC

QR Code in Mobile Payment: Ali Pay (QR Code, Scan and Pay)
1. The merchant uses a reader machine to scan the QR code on the user's smartphone to finish the payment.
2. The user opens the Ali Pay app on a smartphone and scans the merchant's QR code to finish the payment.

NFC in Mobile Payment: Apple Pay (NFC, Touch and Pay)
Users put the electronic device close to a POS machine with embedded NFC components, and the payment can then be finished at once.

QR Code (Ali Pay)
Active read mode:
1. User opens the Alipay app.
2. User scans the merchant's QR code.
3. The QR code is recognized.
4. User confirms the payment information.
5. The app sends the payment order to the payment system.
6. The system sends the feedback results.
Passive read mode:
1. User opens the Alipay app.
2. Merchant scans the user's QR code.
3. The QR code is recognized.
4. Merchant sends the payment request to the payment system.
5. The system sends the payment confirmation to the user.
6. User confirms the payment information and sends it to the payment system.
7. The system sends the feedback results.
Advantages:
- Mobility
- Accessibility
- Fast transaction speed
Disadvantages:
1. High cost of merchants' devices.
2. The app can only be downloaded on smartphones with the special system.

NFC (Apple Pay)
Active mode: the initiator and target devices generate their own fields alternately. A device's field is activated while it is sending data and deactivated while it is waiting for data.
Passive mode: the initiator device generates a field; the target device modulates this field to respond and obtains power from the RF field of the initiator device.
Advantages:
- Low power consumption
- High bandwidth
- High security level
- Fast connection speed
Disadvantages:
1. Communication range is short.
2. Slower transmission speed compared with Bluetooth.

THANK YOU