Rabobank rolls out mobile wallet

Rabobank rolls out mobile wallet

Rabobank has rolled out a mobile wallet on the embedded Secure Element of Samsung Galaxy S4 and Samsung Note 3 phones.

Dutch consumers are now able to use their smartphones to pay for their shopping, check balances, store loyalty cards and to redeem digital vouchers via Near Field Communication (NFC) in shops that are equipped with contactless terminals.

Contactless payments are available at around 66,000 retailer terminals in the Netherlands, and the Dutch bank claims to have 150,000 customers who have downloaded its banking app on the Samsung devices.

The commercial launch of the wallet follows an NFC payments pilot in the Dutch city of Leiden conducted by Rabobank in association with ING and ABN Amro.

Some 1000 consumers and 180 businesses took part in the trial, in which 2000 NFC payments per week were made with a total value of about €20,000.

Rabobank, which is using technology from Giesecke & Devrient to secure transactions and upload new applications to consumer phones, is the only bank to so far commit to a full-scale roll out.

The bank was a leading participant in the Dutch Sixpack alliance with the country's top telcos, which shut down three years ago over differences in costs and timing. By using the Samsung SE, Rabobank is able to bypass telco SIM cards altogether.

Comments: (9)

A Finextra member
A Finextra member 12 February, 2015, 13:31Be the first to give this comment the thumbs up 0 likes

Good effort by Rabobank, although the embedded secure element model will limit the scalability of this offering to customers with other mobile devices. I hope they will make the switch to cloud-based mobile payments to enable the service on a large majority of Android devices.

Stephen Wilson
Stephen Wilson - Lockstep Consulting - Sydney 12 February, 2015, 17:17Be the first to give this comment the thumbs up 0 likes

I take a different view from Andre Stoorvogel. The convenience tradeoff with cloud based wallets is too great. With smart phone penetration around 70% and in two years time, Secure Elements and TEE expected to be at similar rates of availability, we should indeed be using local, user owned hardware security. Secure Elements do scale insofar as they are apporaching ubiquity. We don't put EMV cards or ATMs "in the cloud". All serious payments security rests on local hardware based cryptography (see http://lockstep.com.au/blog/2014/03/26/uniform-approach-cnp) and mobile payments should not be any different. 

See also 

A Finextra member
A Finextra member 12 February, 2015, 18:23Be the first to give this comment the thumbs up 0 likes

Stephen, the problem is not the availability of secure elements, it's about who owns the secure element and how to get access to it. This has been a struggle for years and one of the main reasons why mobile payments have not been taking off yet on a large scale. A secure element in the cloud solves that and I believe that in combination with EMV tokenization, it is a much more attractive alternative to the costly and complex model of an embedded secure element (atleast for Android).

Shane OHara
Shane OHara - AXLPay Mobile Payments - London 12 February, 2015, 18:35Be the first to give this comment the thumbs up 0 likes

Whilst I see the attractiveness of the SE model, I cannot agree with Stephen Wilson. The statement about putting EMV cards and ATMs in the cloud does not really hold much meaning ... EMV cards are in the cloud in the sense that in spite of local cardholder verification, the vast majority of transactions are online and authenticated as a complete transaction on the issuer side. The advantage of cloud based operations outweighs the SE model in that the Issuers ability to make an informed decision to approve/decline is enhanced by the cloud data passed to it (eg, token passed to phone at time hhmm, geographical location patterns as expected etc etc). Further the cloud allows card processors to enhance EMV through usage of cryptography of their own within discretionary components of the authorisation message. The cloud allows far better control when it comes to hosting your wallet on multiple devices.  All routes have their challenges - but its probably a given that we are heading towards ever greater connectivity, not isolated behaviour. 

A Finextra member
A Finextra member 12 February, 2015, 19:29Be the first to give this comment the thumbs up 0 likes

Seems that the major networks are already embracing the notion of cloud-based credential delivery systems, especially when the actual credentials are tokenized.  One thing learned from the Softcard activity in the States, avoid chokepoints controlled by others whenever possible.  Stephen may well be correct about the incremental security, but at what cost?

A Finextra member
A Finextra member 12 February, 2015, 20:572 likes 2 likes Two years ago Samsung was positioning it's embedded secure element in the S4 as a SIM SE replacement and pre loading the Visa and MasterCard apps. Two Australian banks CBA (MasterCard) and Westpac (Visa) launched solutions around a year ago. What happened next? Samsung dropped the embedded SE from the Galaxy S5 everywhere except Australia as Google confirmed HCE in Android 4.4. So if you're a Rabo customer and you've got an old Samsung device your're in luck. If you're looking for a service that will roll out on multiple devices you may prefer to look elsewhere. The impending launch of "SamsungPay" may deliver a new twist to the story but my guess is that this is either a very late project delivery, a strange strategic move to get something to market after the demise of six pack or some brilliant insight based on Samsung strategy that isn't yet public.
A Finextra member
A Finextra member 13 February, 2015, 09:47Be the first to give this comment the thumbs up 0 likes

As Martin and Douglas so clearly point out, the phone producers are a moving target for payment providers - who knows when they make a change that brings down the service or makes it insecure? I guess Rabobank would like to win some experience and show some commitment to phone producers. With regards to security the SE is probably good for secure storage but once there is a screen, keyboard and payment app involved,  malware can control anything that goes between the app and the secure element. This is why all payment apps must be able to defend themselves against malicious code injection.

A Finextra member
A Finextra member 18 February, 2015, 12:22Be the first to give this comment the thumbs up 0 likes

I suspect Martin, it's the result of one of your first two guesses. It's a pity that device features and characteristics vary from territory to territory then again by what the major operators want from them (e.g. dual SIM slot offerings for some areas but not others etc). The problem arises with any device centric solution or feature; it's only temporary and then quickly succeded it seems every six months with new device launches. Lifting the solution out of the device architecture dependencies and up to the platform instead (OS or cloud) offers much more device reach and user freedom, surely.

However, I'm always a keen advocate of experimentation and piloting and the operational and implementation learnings the business take away from this. Whichever way it works for Rabobank much will be learned and understood for the good.

Shane OHara
Shane OHara - AXLPay Mobile Payments - London 18 February, 2015, 18:571 like 1 like

Agreed Marcus. Cloud contact with a device allows closer contact.. ie closer scrutiny by the issuing side and hence protection against fraud. With frequent token cycling and p2pe the bones of good longer term solutions are there. My biggest concern is that with the proliferation of solutions being put into play, whilst most will be robust, some will be, inevitably, weak and when exploited, public confidence will be rocked.