
kdarling

It's still impossible for Google to do it the way that Apple did. Apple had to add hardware to the iPhone 6 for one feature that to me is essential: All the security critical work is done inside a chip that Apple itself cannot access, and if Apple cannot access it, then no hacker and no rogue app can possibly access it, even on a jailbroken phone.

There are some basic misconceptions here.

A Secure Element has to be externally accessible in order to be provisioned and updated. In NFC-speak, this is done by the TSM (Trusted Service Manager). They hold the keys to the kingdom.

In early NFC wallets, it was the carriers who acted as (or contracted out) the TSM role. That's why Google was screwed. They could not install their app in the Secure Element without carrier approval and action, and the carriers wanted to block Google in order to promote their own wallet.

In Apple Pay, Apple is acting as a TSM, since provisioning and updates go through their servers. So yes, Apple can definitely access the SE.

So there is no way that Apple or anyone else except the bank learns your credit card number,

Apple sees the credit card number, expiration, and CVV during user card registration, and they see the token coming back, but they say they do not keep the full numbers.

and there is no way that anyone can charge a card on your phone without you using TouchID.

TouchID is not necessary to use Apple Pay. The device passcode works too. TouchID is a convenience shortcut, not part of the transaction itself.

It's just as impossible for Apple to do this on an iPhone 4 or iPhone 5 as it is for Google on _any_ Android phone.

It's impossible (*) on previous iPhones because they didn't have a Secure Element or NFC transceiver.

However, many Android devices have had one or both for years. Heck, an onboard Secure Element is what Google Wallet used from 2011-2014, because at the time that was the only NFC payment standard. Apple didn't invent that.

Now, some NFC devices (not just Android and not just phones) in the world just have an NFC radio, and the onboard Secure Element comes inside a carrier supplied SIM chip. After all, that's what a SIM is: a Secure Element where Java applets execute to allow access to networks. Adding payment applets and hardware is an extension of basic SIM functionality.

In fact, using a SIM to provide the Secure Element was quite popular at the beginning of NFC in phones/tablets, because again that meant the Secure Element was under carrier control. This method is even used today with NFC capable LTE devices, for Softcard.

IIRC, the Android OS itself currently allows all variations: a built-in SE, an SE in a SIM, or an SE-in-the-cloud, although Google Wallet currently only uses the last option. Of course, now that Google has removed the carrier block... and even gotten carrier buy-in... any method will be possible.

(*) It's not really impossible on any device, as there have been SIMs that include an NFC radio as well. So in theory even the oldest iPhone could have Apple Pay if Apple wanted to support that route.
 

tmiw

I've only used it a few times but it was kinda fun and simple to use. Retailers are going to be the biggest roadblock to this with them wanting to collect every last piece of information about us. That's why I'm worried Google will ultimately win: they will give them everything for market share because they are market share whores. Even though they make more money off of iOS users than Android, they still keep at it.

There's still enough people who have no problems scanning or entering a loyalty card for every purchase that they'll still have the tracking they so desire.

I never understood why people like you say this, do you understand that all of the phone companies except TMobile blocked their application? Do you understand that you can't get a foot in the door if they keep it locked and guarded 24/7?

Sprint was the sole carrier that allowed Google Wallet, not T-Mobile.

In my area Apple Pay can hardly be considered a success. Vast majority of retailers don't support it. Even ones that do only work part of the time. Employees have no idea what it is, and if I do successfully use it the employee almost always says "oh wow what's that?" which means I'm the first to use it.

I'd say it works 10% of the time for me, but that has been going up.

BTW, some places with it on don't even have the logo. Rubio's and Fuddrucker's for example just have four dots on the screen (one green, 3 clear) which all turn green after the iPhone verifies you via Touch ID. Hopefully this helps with finding additional places that accept it.

----------

The 42% figure of small merchants from Chase is pretty critical.

Using the Mobile Pay Finder App I have seen Tattoo Parlors, Chiropractors, Doctors, Eye Doctors, Dentists, Hair Salons, Mechanics in Denver who all have the capability to use Apple Pay. They might not even know it because they updated their credit card tech in normal course of business.

And many restaurants are now taking to go orders using Chow Now, Foodler and the like in apps, let alone Starbucks and Target in App.

So there are a lot more than Whole Foods, Walgreens, Paneras and McDonalds.

Here are new ones to try. FireHouse Subs, Pollo Tropical, Taco Cabana, Big 5 Sports, Savers, Tim Hortons, Dairy Queen and on its way Ikea, Cabelas, Pep Boys.

If you look for it, you will find some and they are getting easier to find.

Also, anywhere that has a First Data PIN pad on the customer side of the counter will likely have NFC enabled:

[Image: fd35a.png]


(You may need to push Sale on it and have the clerk enter the amount before the NFC reader turns on.)

I haven't been able to confirm it but if the chip slot's turned on as well you may be able to use Apple Pay without ever having to sign or enter a PIN, regardless of the transaction amount.
 

Karma*Police

Not sure why you feel the need to jab at the competition for something that's not their fault.

I realize this is a Mac/Apple site, but the fanboyism on these comments is out of control.

Google Wallet was a good idea, the execution might not have been perfect, but Google's working on fixing that now. Another proof that competition is necessary.

Google Wallet was a good idea but not novel. Asians have been using their flip phones to pay stuff for years. They rushed it to market (most likely to counter the heavily rumored iPhone with NFC that never materialized) without the proper infrastructure and support and it flopped. Ideas are plentiful. It's the execution that matters.
 

groovyd

Just got an email AMEX is sending me a replacement card with a chip on it. This will be my first chip card. I don't really get how it is any more secure than the strip to be honest. All of the account nefarious activity I have ever been the target of was always due to someone re-using my credit card data entered on web store order forms directly by number. This is the 99.9% case, where you enter your card into a web store to purchase something and someone in the company gets a hold of the number. Chip, strip, touch, none of that matters really in the grand scheme of things until web stores no longer take your credit card numbers directly on order forms.
 

sumsingwong

Just got an email AMEX is sending me a replacement card with a chip on it. This will be my first chip card. I don't really get how it is any more secure than the strip to be honest. All of the account nefarious activity I have ever been the target of was always due to someone re-using my credit card data entered on web store order forms directly by number. This is the 99.9% case, where you enter your card into a web store to purchase something and someone in the company gets a hold of the number. Chip, strip, touch, none of that matters really in the grand scheme of things until web stores no longer take your credit card numbers directly on order forms.


US banks still include the mag strips because US retailers still use POS that require mag strips. Otherwise, they would be losing card usage. The chip is added for convenience when travelling abroad because foreign merchants have moved to chip POS. The card with both chip and mag strip isn't any more secure than one without a chip. The only way to make the card more secure is to remove the mag strip and just have the chip which can't be skimmed if a PIN is needed.
 

groovyd

US banks still include the mag strips because US retailers still use POS that require mag strips. Otherwise, they would be losing card usage. The chip is added for convenience when travelling abroad because foreign merchants have moved to chip POS. The card with both chip and mag strip isn't any more secure than one without a chip. The only way to make the card more secure is to remove the mag strip and just have the chip which can't be skimmed if a PIN is needed.

As I suspected, does me absolutely no good since I would never use AMEX internationally as they charge a ridiculous surcharge per transaction for international charges.
 

AllieNeko

Just got an email AMEX is sending me a replacement card with a chip on it. This will be my first chip card. I don't really get how it is any more secure than the strip to be honest. All of the account nefarious activity I have ever been the target of was always due to someone re-using my credit card data entered on web store order forms directly by number. This is the 99.9% case, where you enter your card into a web store to purchase something and someone in the company gets a hold of the number. Chip, strip, touch, none of that matters really in the grand scheme of things until web stores no longer take your credit card numbers directly on order forms.

I will explain below why it is more secure, but you are correct that card-not-present fraud is the weakest link once chip cards are fully deployed. That said, the card number isn't that important. It is futile to try to protect the card number. Instead, dynamic data should be required in addition to the card number. With a chip card transaction, this dynamic data is in the form of cryptograms generated by the card, making it essentially impossible to counterfeit (you'd need the private keys, so you'd have to hack the bank).

Getting dynamic data in a web environment is harder. The best way to do this is to use 3-D Secure (e.g. Verified by Visa/MasterCard SecureCode/Amex SafeKey) combined with one-time passwords (sent by text or created by a token generator). This is NOT the same as just having a second password as some banks implement this. This is more of a challenge, as customer acceptance is far harder than with chip cards and thus online merchants hate it because it leads to greater shopping cart abandonment. In Europe, the networks pushed it through by simply making it an absolute requirement to support 3-D Secure. We can only hope for the same thing in the US, because short of that merchants and issuing banks don't want to be the first to hassle customers... sadly.

US banks still include the mag strips because US retailers still use POS that require mag strips. Otherwise, they would be losing card usage. The chip is added for convenience when travelling abroad because foreign merchants have moved to chip POS. The card with both chip and mag strip isn't any more secure than one without a chip. The only way to make the card more secure is to remove the mag strip and just have the chip which can't be skimmed if a PIN is needed.

This is completely false. The magnetic stripe of a chip card cannot be used at a properly set up chip-enabled terminal (Walmart does allow the magnetic stripe to be used, but that's insecure). Thus, the more merchants have chip enabled terminals (which will happen this year in the US), the fewer places there are to use a skimmed magnetic stripe, and the more secure the system is. Will there be places to use a skimmed magnetic stripe for a long time yet in the US? Yup, but they'll be increasingly few and far between - and they'll represent increasingly low-value (and thus low-reward) transactions. PIN has nothing to do with this, PIN is to protect against physically lost cards, the chip protects against counterfeit or skimmed cards. In most countries, both security measures were introduced at once, but in the US most banks are issuing chip without PIN first.
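
A minimal model of the dynamic-data idea described in the post above, added here as an illustration and not part of the original thread: the issuer approves a transaction only if it carries a fresh cryptogram bound to the amount, a terminal challenge and a transaction counter. HMAC with a shared secret stands in for the card's real cryptogram algorithm, and the class names, card number and status strings are constructed for the example.

```python
import hashlib
import hmac
import secrets

def _message(pan, amount_cents, nonce, atc):
    # Everything the cryptogram binds together: card, amount, terminal challenge, counter.
    return f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()

class ChipCard:
    """Constructed model of a chip: the key stays inside, only cryptograms come out."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents, nonce):
        self.atc += 1  # transaction counter makes every cryptogram unique
        mac = hmac.new(self._key, _message(self.pan, amount_cents, nonce, self.atc), hashlib.sha256)
        return self.atc, mac.digest()

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, pan, amount_cents, nonce, atc, cryptogram):
        if pan not in self._keys:
            return "declined: unknown card"
        if atc <= self._last_atc[pan]:
            return "declined: counter reused"
        expected = hmac.new(self._keys[pan], _message(pan, amount_cents, nonce, atc), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        self._last_atc[pan] = atc
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed test number
    nonce = secrets.token_bytes(4)           # terminal's unpredictable number
    atc, cryptogram = card.sign(2500, nonce)
    genuine = issuer.authorize(card.pan, 2500, nonce, atc, cryptogram)
    # Captured data sent again unchanged: the counter has already been seen.
    replay = issuer.authorize(card.pan, 2500, nonce, atc, cryptogram)
    # Card number plus an old cryptogram at a new terminal: nothing matches.
    cloned = issuer.authorize(card.pan, 2500, secrets.token_bytes(4), atc + 1, cryptogram)
    return genuine, replay, cloned

if __name__ == "__main__":
    print(demo())
```

Knowing the card number alone gets a transaction no further than the cryptogram check, which is the property a static magnetic stripe or a typed-in number lacks.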
 