The truth about contactless payments in fitness bracelets
Lately I keep running into a misunderstanding among Russian users about contactless payments in cheap wearable electronics and the role the NFC chip plays in this functionality.
All sorts of news sites play a large part in this: their authors thoughtlessly (or deliberately, chasing clickbait) copy-paste from each other and invent interesting features along the way. The situation is made worse by announcements of new devices, such as the Xiaomi Mi Band 4, and by news about the imminent arrival of the Xiaomi Mi Pay payment system in Russia, in cooperation with MasterCard.
With this post I would like to dispel the misunderstanding that has developed in Runet on this topic.
At the moment, only a few types of devices can make contactless NFC payments at the checkout:
- Apple Watch with Apple Pay;
- Smartwatches running Google’s operating system (Android Wear, Wear OS) with support for Google Pay;
- Samsung smartwatches on Tizen OS with Samsung Pay;
- Garmin smartwatches with the Garmin Pay system (thanks to 117 and Kobalt_x for the tip in the comments);
- Fitbit Pay (does not work in Russia) and, possibly, a few less popular options.
In general, there are not many such devices on the market and, most importantly, for many buyers their price is a drawback, along with their short battery life.
A couple of years ago, various fitness bracelets and semi-smart watches with an NFC chip began to appear on the market. This is where it started... Journalists confuse people with the possibility of contactless payment using Alipay, without understanding how it works, and promise the speedy arrival of mobile payments on every wrist. But it still has not arrived. Users want to believe that any day now their cheap Mi Band 3, prudently bought in the NFC version, will replace their wallet. But alas.
The vast majority of such gadgets are manufactured in China for the domestic market, and many of them later reach the global market. What about contactless payment in China's domestic market? Two technologies should be distinguished here:
1. Payment by QR or barcode. The Chinese use this method everywhere. The essence is as follows. Almost every user carries a smartphone. With a probability of 99.9%, that smartphone has WeChat installed, which is “more than just a messenger” and has its own electronic wallet, or the Alipay application, which is almost an electronic bank from the Alibaba group. There are two ways to pay at the checkout using these applications on a smartphone. Let us consider them.
1.1 The user scans the seller’s QR code with the smartphone’s camera and enters the required amount, unless it is already encoded in the seller’s QR code. The user then confirms the transaction (password or biometrics). The money is immediately debited from the buyer's wallet in favor of the seller. This method cannot be used on a bracelet, because it has no camera.
1.2 The user shows the seller a QR code or barcode generated by the wallet application. The seller scans it with a hand-held checkout scanner. The amount is likewise debited instantly in favor of the seller. What does a gadget need in order to pay this way? Exactly what it has: a display and a little processing power. This is therefore the payment method Alipay implemented. A supported wearable device is linked to the Alipay application. A separate secure account (with a payment limit) is created for it in the wallet. A static pair of codes (QR and barcode) is assigned to the gadget and written to it. After that, payment works offline, without the smartphone. Transactions are sent to Alipay's servers by the store's checkout. This is, in fact, the only way to pay for purchases in a store in China with such devices.
2. The great and powerful NFC. Here we will talk not only about payment, but also about the other features of bracelets with an NFC chip. We start, of course, with payments. What comes first here? Right: security. Devices like the Mi Band cannot provide a level of security reasonable enough for the manufacturer to entrust them with emulating their users' bank cards. Perhaps the point is that the user cannot be reliably authenticated. Perhaps it is the weak hardware. After all, it is no accident that the average fitness bracelet costs at least five times less than the cheapest wearable gadget capable of full NFC payment. This is a separate class of devices, in which price and battery life come first. There is no compromise yet.
But a transport card is another matter. Such cards usually do not hold thousands of dollars and are not tied to a bank. They are like pocket change: if you lose it, you just forget about it and do not worry. In some cities you can even pay for purchases with such a card. This is usually limited to small grocery chains such as 7-Eleven or FamilyMart: just enough to buy, say, a bottle of water along the way, which is what pocket change is for anyway. In fact, transport cards are one of the main purposes of the NFC chip in Mi Band-like trackers. It works as follows. The manufacturer cooperates with public transport operators (metro, city buses). In the proprietary application, in the NFC functions section, the user buys a transport card for the bracelet. It is virtual, of course, but costs real money: about 20 yuan (~ 200 rubles) as a non-refundable deposit, with the rest going to the balance (that amount is at your discretion). The card is written to the bracelet and is then used completely independently to pay for travel. This is very convenient, since no extra gestures are needed to trigger it: just bring your hand to the reader and the payment is made. The card is topped up just as conveniently, in the bracelet application, using WeChat or Alipay, whichever you prefer.
Another feature that comes with NFC-equipped wristbands is emulation of access cards. The function is useful and convenient but, in China itself, it has arrived rather late for today's realities. I will explain why. Firstly, NFC operates at a frequency of 13.56 MHz, so only cards operating at that frequency are supported. Secondly, the point is again security. The bracelet can only read and correctly emulate cards without encryption and, as it turned out (thanks to the w3bsit3-dns.com forum), the UID must be 4 bytes long. Otherwise, even if you copy the card, the reader at the entrance door will not let you in. Manufacturers handle this differently. For example, the MiFit app simply will not let you copy an unsupported card. The native application of the Hey + bracelet, on the other hand, copies everything it can without a twinge of conscience, but does not guarantee correct operation. As practice has shown, you still have to hunt for an intercom or entry gate that insecure in China. I have not found one.
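The two conditions above (no encryption, 4-byte UID) can be checked against a badge inventory to see which access cards a bracelet of this kind could emulate. This is an added example, not code from MiFit or Hey +; the `Badge` record, its `encrypted` field and the high-byte-first ATQA notation are assumptions, while the UID-size bits follow ISO/IEC 14443-3 Type A.

```python
from dataclasses import dataclass

# ISO/IEC 14443-3 Type A: bits 7-6 of the low ATQA byte give the UID size.
UID_BYTES_BY_ATQA_BITS = {0b00: 4, 0b01: 7, 0b10: 10}


@dataclass
class Badge:
    label: str
    atqa: str        # assumed written high byte first, e.g. "00 04"
    uid: str         # hex, separators optional
    encrypted: bool  # assumed inventory field: sectors need a secret key


def _hex(value: str) -> bytes:
    return bytes.fromhex(value.replace(":", "").replace(" ", ""))


def uid_length(badge: Badge) -> int:
    """Return the UID length, rejecting records whose ATQA and UID disagree."""
    atqa, uid = _hex(badge.atqa), _hex(badge.uid)
    if len(atqa) != 2:
        raise ValueError(f"{badge.label}: ATQA must be 2 bytes")
    declared = UID_BYTES_BY_ATQA_BITS.get((atqa[1] >> 6) & 0b11)
    if declared is None or declared != len(uid):
        raise ValueError(f"{badge.label}: ATQA and UID length disagree")
    return len(uid)


def bracelet_can_emulate(badge: Badge) -> tuple[bool, str]:
    """Apply the two conditions from the text: no encryption, 4-byte UID."""
    length = uid_length(badge)
    if badge.encrypted:
        return False, "card uses encryption"
    if length != 4:
        return False, f"UID is {length} bytes, not 4"
    return True, "unencrypted card with 4-byte UID"


# Constructed sample inventory (not real badges).
INVENTORY = [
    Badge("lobby", "00 04", "DE AD BE EF", encrypted=False),
    Badge("garage", "00 44", "04:A1:B2:C3:D4:E5:F6", encrypted=False),
    Badge("server-room", "00 04", "01 02 03 04", encrypted=True),
]


def audit(inventory):
    return {b.label: bracelet_can_emulate(b) for b in inventory}
```

A badge reported as emulable is one whose reader relies on the UID alone, so a copy and the original look identical to it.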
In Russia, things are better in terms of possible use. For example, users of the same forum confirm normal operation with the Moskvenok pass card and with some intercoms.
There is also another interesting possibility: to create a “clean” card, go to the building management company and register it in their system. Unfortunately, I could not test this, for a number of reasons. One of them left me no chance at all: to create such a card, that same notorious MiFit from Xiaomi asks for identity confirmation with a Chinese ID, which I cannot have. And in general, Chinese security is on the alert. While the Hey + bracelet leaves these functions open for use, MiFit simply refuses to activate the NFC functions for accounts registered outside mainland China.
That is probably where I will stop.
All of the above is based on personal experience and logical conclusions from it.
And the conclusions are as follows: you should not expect payment systems to appear in the class of cheap fitness trackers, even those with an integrated NFC chip, and even in light of the news about the imminent launch of Mi Pay in Russia. If Mi Pay does appear in the future on one of the not-yet-announced Mi Bands, it will be no sooner than it has been rolled out in the Chinese domestic market. And there is no talk of that yet.
I hope this article will be useful to the community, and to Runet in general. Healthy criticism is welcome.