Tyson Moore said...
Your Presto card, like your credit cards, uses an ISO standard 13.56 MHz RFID technology. If you have a PayPass/PayWave card, you can tap it against your phone and it should produce the same response.
Unfortunately, implementing something like Presto on a mobile device is much more difficult than a credit card for three reasons: security, compatibility and synchronization.
Security
Basic RFID cards (Prox, for example) just spit out a unique string. Cards like MIFARE Classic allow near-instant reading and writing to the card, but still retain their unique serial number.
The Presto card goes one step further, and runs a (surprisingly complex) processor that accelerates cryptographic operations; these cards are MIFARE DESFire (DES standing for Data Encryption Standard, which is a misnomer because some Presto cards actually use AES). This means that each file on the card is protected by one or more keys, required to read or change the card's data.
If - as some people are suggesting - one's phone was able to update their Presto card, the keys would have to be distributed with the app. If somebody were to discover this key (which is not difficult to do, see Snapchat), they would essentially be allowed free rein over the card, and could process false transactions, etc.
Compatibility
The iOS NFC API has not been exposed to developers; this makes an iOS app a non-starter. Android 4.4 has enabled card emulation in the NFC API, but DESFire isn't standards-compliant. Any support of NFC-based Presto usage would almost certainly require a firmware update for the Presto readers. Can you imagine all the hours of development and QA work involved? I'd rather stick with what we've got than face another fare increase.
Synchronization
Presto is a decentralized system; the fare payment devices update periodically. Having to tap your Presto card against your phone to synchronize them would eliminate the benefit of NFC. The credit card companies overcame this by issuing tokens instead of the actual card number; the tokens can be issued and revoked arbitrarily with no effect on the card itself.
Of course, credit card processing is online; the credit card terminal authorizes the payment immediately. This is simply not possible without a huge infrastructure change to the entire Presto system. There's a reason some other cities have not done this: it becomes prohibitively expensive and opens a whole new can of worms.
It's worth noting at this point that there's a convenience issue to this as well: what if your phone's battery dies during a trip? What if you have to factory reset it? What if you accidentally wipe the secure credential store, or if you delete the Presto app? Your card goes into underpayment (or disappears entirely), and I don't need to explain the kind of pain that causes.
--
To conclude this novel of a comment, it would certainly be possible to use NFC for payments, but the current technological restrictions make it unfeasible at the present time. I hear and see complaints all the time of having to wait for cards to load, but it's a necessary evil of the decentralized system. It's even worse in London: you have to nominate a station to have your load/refund processed at; that information doesn't propagate through the Oyster network.
While I'm hopeful for the future, I certainly don't want my tax dollars being spent to solve these problems unnecessarily. Sure, it would be nice not to have to carry a Presto card, but have we eschewed physical credit cards for Apple Pay/Google Wallet? As long as the answer to that question is "no", I doubt we'll have phone-based Presto cards.
And if anybody from Metrolinx reads this, I'm a student looking for a co-op job
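The synchronization point in the comment above, as an added example that is not part of the comment or of any Presto or card-network code: a simplified model contrasting two copies of a stored-value balance read by offline readers with revocable tokens that all resolve to one online account. The class names, function names and cent amounts are constructed for illustration.

```python
import secrets

class StoredValueCredential:
    """Balance lives on the credential; an offline reader trusts what it reads."""
    def __init__(self, balance_cents):
        self.balance_cents = balance_cents

    def tap(self, fare_cents):
        if self.balance_cents < fare_cents:
            return False
        self.balance_cents -= fare_cents
        return True

class TokenVault:
    """Online issuer: one account balance, many independently revocable tokens."""
    def __init__(self, balance_cents):
        self.balance_cents = balance_cents
        self._active = {}  # token -> device label; the account number never leaves

    def issue(self, device):
        token = secrets.token_hex(8)
        self._active[token] = device
        return token

    def revoke(self, token):
        self._active.pop(token, None)

    def authorize(self, token, fare_cents):
        # Online check: unknown or revoked tokens and overdrafts are refused.
        if token not in self._active or self.balance_cents < fare_cents:
            return False
        self.balance_cents -= fare_cents
        return True

def stored_value_divergence(start=1000, fare=325):
    """Card and phone each hold a copy of the balance and are never re-synced."""
    card = StoredValueCredential(start)
    phone = StoredValueCredential(card.balance_cents)  # copied at last sync
    card.tap(fare)
    phone.tap(fare)
    # Each copy reports the same stale balance; the true remainder is lower.
    return card.balance_cents, phone.balance_cents, start - 2 * fare

def token_model(start=1000, fare=325):
    """Two tokens debit one account; revoking one leaves the other working."""
    vault = TokenVault(start)
    card_tok, phone_tok = vault.issue("card"), vault.issue("phone")
    vault.authorize(card_tok, fare)
    vault.authorize(phone_tok, fare)
    vault.revoke(phone_tok)  # phone lost, wiped or app deleted
    return (vault.authorize(phone_tok, fare),
            vault.authorize(card_tok, fare),
            vault.balance_cents)
```

In the stored-value case both copies report 675 cents while only 350 should remain; in the token case the revoked phone token is refused and the card token still works against the single account balance.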