Well hell if we're going that far, I think the perpetrator will have a whooole lot more to worry about than simple theft.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
I don't trust Apple pay
- Thread starter nouveau-apple
- Start date
- Sort by reaction score
Well hell if we're going that far, I think the perpetrator will have a whooole lot more to worry about than simple theft.
I also use cash for most of the things we buy, I always ask for the "cash" discount and most times I receive one. We do use a debit card about 12 times a month (needs to be 12 times to get the 2.5% interest on our checking account).
That being said if my local CU jumps on the apple pay bandwagon then I will use apple pay.
In the US it's pretty common at a restaurant for an employee to take your credit card (away from your view) and go swipe it at a register.
My question is, is there any security or system in place that would prevent them from pulling out their iPhone and adding my credit card to their apple pay?
I'm just curious because if they write down my credit card information, they are just limited to online stuff as most places won't run a card without it being physically present. But with Apple Pay they won't need to physically show the card. So is there any sort of verification the person processing the payment can do on an NFC transaction?
My question is, is there any security or system in place that would prevent them from pulling out their iPhone and adding my credit card to their apple pay?
I'm just curious because if they write down my credit card information, they are just limited to online stuff as most places won't run a card without it being physically present. But with Apple Pay they won't need to physically show the card. So is there any sort of verification the person processing the payment can do on an NFC transaction?
I never thought of that!
But is this feature limited to credit cards? What about debit cards?
Need billing info to enter card in phone. And fingerprint to verify transaction.
Couldn't they then ask to see my license/ID which shows my address, then attempt to add my card to their apple pay?
And how would me adding a fingerprint to my iPhone prevent them from adding my card to their iPhone?
Until restaurants in the US start 100% processing payments at the table instead of taking my card away from my view, I'm still concerned with them adding it to their apple pay. If all they need is billing information, then they could just see my ID to verify my card belongs to me and memorize the address, then go back and add it to theirs.
I don't trust Apple pay
I think it should be a two step verification process, along with the fingerprint and/or Touch code from your phone, a drivers license or state ID with a picture tied to your account should also be required.
I think it should be a two step verification process, along with the fingerprint and/or Touch code from your phone, a drivers license or state ID with a picture tied to your account should also be required.
When do you ever give your license or ID at a restaurant? You leave a credit card in the bill fold and they take it away and come back with the receipt to sign. They have nothing but your credit card. They cannot add it to Apple Pay. Even if they could and did, once you saw the fraudulent charges on your statement, you would have your card re-issued and the old once canceled. You would not have to pay the fraudulent charges. Its not any different now, where the waiter could go directly to a computer in the back with your card and go online and make a purchase. Anything is possible, but if someone is going to commit credit card fraud you would think they would not want the evidence pointing directly to their phone, and all the device numbers and GPS in that phone that definitively tie a phone to a transaction. And the bank can shut it down instantly once you report it.
Exactly. They are far more likely to take a picture of the front/back of your CC than they are to add it to Apple Pay.
Why? What's the point? Security is built in already. The whole point is to not show your personal information to some stranger at the cash register. There is already multi-layered verification. 1. the token; 2. the cryptogram (which ensures the token is connected to your device); 3. the mapping to your credit card account at the card issuer; 4. your fingerprint.
Why do you need a picture ID at that point? It does nothing to enhance security and in fact decreases the security of your personal information.
Man, Apple has lots of education to do. People do not get something new. Major banks, VISA and MasterCard have already deemed this to be the most secure method on the planet to use credit cards. And they got a lot more on the line to worry about than you.
Last edited:
It will take more than just more education as there is a huge lack of trust in big banking and government that Apple will NOT be able to overcome, even with YOUR help. They deserve this lack of trust in my opinion and consumers will remain untrusting.
Exactly.
It seems a number of people are really getting tied up with what possible holes might exist in Apple Pay and utterly forgetting how insecure the current system is in the US.
Reminds me of the phrase:
Don't let Perfect be the Enemy of Good.
----------
All of which is irrelevant to Apple Pay; unless you go live off grid on the back side of lonely mountain, banks and government are involved in your life.
Well that leaves the status quo. And we know that is no good - hence, Target and Home Depot. So it seems the better option is to leave the status quo behind and welcome the world of tokenization, where your credit card data isn't displayed for the world and hackers to see.
Have you never ordered an adult beverage at a restaurant? They always ask me for ID and they usually stare at it for 20-30 seconds. Easily enough time to memorize just the street address, then they can google the rest.
I realize I wouldn't have to pay for fraudulent charges and I realize that this is unlikely to occur. I'm just saying that while I feel Apple Pay is a great option to pay, I'm concerned that if somebody wanted to, they could add my card to their apple pay account without me knowing. And I also realize they could take a photo of my card now and make an online purchase, but even with online purchases they also need a billing address.
Now of course once all transactions are completed at the table, this will no longer be a concern.
EDIT:
In addition to the above, on Apple's site it says: Apple doesn’t save your transaction information. With Apple Pay, your payments are private. Apple doesn’t store the details of your transactions so they can’t be tied back to you. Your most recent purchases are kept in Passbook for your convenience, but that’s as far as it goes.
https://www.apple.com/iphone-6/apple-pay/
So if somebody was going to put fraudulent charges, Apple Pay would be best to do it in a store in person in my opinion, because if somebody orders something online and it's shipped to a different address, that may flag something for a credit card company. But, in store in the same city I live in or same state even, my credit card company wouldn't likely catch it, and unless I'm constantly monitoring, I wouldn't likely know for awhile.
Last edited:
For Touch ID to work. The finger needs to be alive. Cut off dead fingers won't unlock Touch ID.
All you need to do is read your monthly statement -- constant monitoring is not required. There is definitely no additional danger with Apple Pay and credit card fraud than the current system. In fact, it is much much much much much much less with Apple Pay (did I say much)?
Unless a criminal is really stupid, they are not adding someone else's card to their easily traceable phone. Moreover, a phone is tied to an individual via the phone number, etc. So I'm pretty sure that you can't add a credit card, that is not yours, to your phone. The bank will ask for much more verification at that point, before releasing a token and likely not enable Apple Pay for that card. Particularly if the card is already in the Apple Pay system for another device.
And I'm too old to get carded at bars/restaurants.
Actually, the process of adding a card to a phone is more complex than just having someone else's card in your hand and putting it into your own phone. The process includes:
"Additionally, as part of the Link and Provision process, Apple shares information from the device with the issuing bank or network, like the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to
whole numbers. Using this information, the issuing bank will determine whether to approve adding the card to Apple Pay."
Also:
"Additional verification:
A bank can decide whether a credit or debit card requires additional verification. Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification. For text messages or email, the user selects from contact information the bank has on file. A code will be sent, which the user will need to enter into Passbook. For customer service or verification using an app, the bank performs their own communication process."
So if the issuing bank sees a phone number that is not connected to you or a device that is not connected to you, it will likely trigger the additional verification procedures (particularly if your card is already registered for Apple Pay):
See iOS Security Guide October 2014:
http://images.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf
So are we all cool with Apple Pay now?
Thank you, I wasn't aware of this document. Yes this is much more clear now and I appreciate that you provided this. My concerns are definitely less now, if not eliminated.
So essentially Apple has left it up to the banks/card issuers to decide. So now if this happened, then my bank would be the one to place the blame on.
Thanks again.
Thank you! I spent, not long enough apparently, trying to sift through all the garbage Google Search results to find this information.
You already have to deal with those big banks if you use a credit card in any capacity. If you don't use one, then Apple Pay isn't aimed at you.
30 seconds?!?! Are you being served by someone illiterate or are you just a bad judge of time? I've never, not once ever, had someone glance for longer than the 1-2 seconds it takes to see my birthdate and move on.
Why are people even doubting this? Do you think a thousand banks and Visa, MasterCard would sign up to this if it wasn't secure?