Making payments with an implant


#1

Payment is a tricky thing… I mean, what is a payment? Transfer of value… well that can mean many things. For example, students get an ID card they can use for transit and around campus for food, access, snacks, etc. Those cards typically tie into their bank accounts or get “topped up” using a credit card… and they are being used to make various forms of payment around campus and in the outside world. The same goes for many types of loyalty cards, ride share car access, or other types of transit. These are all forms of payment, and in some cases those cards can be cloned to an implant, or made implantable directly.

If you’re talking about the typical “tap and pay” type of interaction that happens at pretty much any EuroPay, MasterCard, or Visa enabled payment terminal, then you are talking about EMV payment. With EMV comes complexity in both chip technology used, and the plethora of standards, certifications, and outright brown-nosing and what essentially amounts to bribery that must go on in order to get your seat at the table. Many companies work for years and spend upwards of a million dollars just to get their otherwise ready-to-go payment products into the EMV market.

EMV - EuroPay MasterCard Visa

The idea of cloning your payment card into an implant is a common question, but the reality is that’s not going to happen either. The chips used in payment cards are far more sophisticated than those used in simple RFID or NFC devices. Like our VivoKey project, they employ cryptographic processors to enable secure communication between card and reader, and protection of those cryptographic keys is no joke… they require serious high security facilities to even handle the cards when they are programmed with account data (called “personalization”). Regardless of that fact, you can simply use a payment terminal to spit out decrypted payment data from contactless payment cards… but you still don’t have the keys required to encrypt payment data in a way that will allow terminals to read it.

In short, the only real legit way to make EMV contactless payment work is to comply with EMV requirements and pay to play their game. It’s something we have considered, and continue to explore.

PayPal, Venmo, and other “alt” payment technologies

When it comes to alternative point of sale payment technologies, PayPal is making an effort to plant itself into the payment terminals of various stores, and solutions like Venmo are proposing an “out of band” payment solution which allows customers to pay vendors through a mobile app. In this case, there was a lot of “buzz” (pun!) generated when a Buzzfeed reporter implanted an xNT chip to make payments using Venmo. While it is very interesting, it was a complete hack job that required participation from a former Venmo engineer and the vendor, wherein the end result was a completely insecure method to prove it could be done. The reporter’s Venmo wallet key had to be given to the vendor to make the transfer. Therefore the wallet key had to be stored insecurely on the xNT, and the solution would never work in the real world because everyone you did business with would have a copy of your wallet key. Still, it’s very interesting.

Until Venmo or PayPal or other payment stakeholders become interested in implant technology, these solutions will be edge cases and proofs of concept only.

Bitcoin & Cryptocurrencies

Blockchain technologies like Bitcoin work differently from typical payment schemes in a very significant way. It’s not called out often… in fact, I’ve never heard this comparison explained before, but it is critical to the future of all payment. Blockchain is a mathematical construct wherein all users have “wallets” and those wallets are simply a pair of keys - a public key and a private key. If you don’t know what PKI is, you might want to read up a bit first. The public key is used by everyone “the public” to send bitcoin to that wallet “address” (the public key is the wallet’s address on the blockchain network). All private keys are kept private (obviously) because they are the only keys that can be used to send bitcoin from wallets. A transaction that transfers bitcoin from one wallet to another is crafted using the private key of the sending wallet, the public key of the receiving wallet, and the amount to be sent. That transaction is cryptographically signed and sent to the blockchain network for validation (the sending wallet has bitcoin to spend) and processing (addition of the transaction to the blockchain ledger).

The important thing to note here is that the sender crafts the transaction and pushes the money to the receiver. This type of transaction models how cash works. When you buy something with cash, you don’t hand your wallet over to the vendor and trust they only take what is owed. It’s important to understand that cryptocurrencies model how cash works during a transaction… where the receiver asks for an amount and the sender is tasked with transferring the proper amount to the receiver… and the private key used to do that is kept private… the vendor never sees or has access to the one piece of information that would open your entire wallet to them (or anyone else who happened to get that key).

Currently, in just about any other type of digital commercial transaction where banks and/or cards are involved, the exact opposite is true. You expose your one and only “key” (your credit card or bankcard number) to every single vendor you do business with, effectively handing over your entire wallet to them, and hope they only take what is owed, and pray they protect your account data somehow so nobody else can get access to it and empty your bank account or rack up a ton of credit card charges. It’s like leaving a copy of your house key in every door you’ve ever walked through. It’s completely stupid, outrageously expensive to police, and it’s the only way banks and the “card” industry works at the moment.

VivoKey

VivoKey is fundamentally different from other implantable RFID or NFC tags. VivoKey is a complete Java Card cryptography platform. You can load and run Java Card apps on VivoKey, including Bitcoin wallet apps. Many people have chosen to store their bitcoin wallet private keys on their xNT, flexNT or flexDF, however this is just a backup measure. The implants are doing nothing more than storing data. The VivoKey can actually generate Bitcoin wallet keys and process transactions internally. This means it will never be necessary to expose the wallet’s private key to an insecure platform like the mobile phone or computer in order to craft and sign a bitcoin transaction. Not only can you keep your bitcoin wallet keys safe inside you, you can also perform bitcoin transactions inside you!

