
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,432
30,615



Apple may be integrating tokenization technology in its forthcoming mobile payments solution, reports Bank Innovation. Citing sources close to the matter, the report notes that the company will look to utilize token technology to address security and fraud concerns as it integrates the service with the iPhone 6 and iWatch.
Financial institutions -- card issuers and networks -- prefer token technology because it replaces primary account numbers, those 16-digit card numbers on the front of credit and debit cards. Instead, the tokenization technology uses complex codes that are easily transmittable over the air and between devices, but that are used only once, so even if they are intercepted, are of no use to fraudsters.
An Apple patent discussing token technology has also been discovered, as the application was granted last month and filed for in 2009. In its example, Apple discusses a token system as a method for two devices to communicate sensitive data with disposable, one-time use codes.

[Image: EasyPay mobile payments concept by Ricardo Del Toro]
The report also once again discusses the NFC capabilities in the iPhone 6 and iWatch, stating that chip-maker NXP will be rolling out NFC chips to the iWatch and the iPhone 6. Apple Stores and Apple retail partners are also said to be gearing up to utilize NFC technology, as a number of retail locations will be using the NFC-enabled Verifone MX 915 terminal.

Prior reports have stated that Apple's payment service will be supported by a number of credit card companies including Visa, MasterCard, and American Express. The company is also said to be partnering with a number of retailers for the service, including Walgreens, CVS, Nordstrom, and more.

Apple is expected to announce its mobile payments solution at this Tuesday's media event, which will likely be shown off alongside the iPhone 6 and iWatch.

Article Link: Apple Said to Be Using Tokenization Technology to Secure Mobile Payments Service
 

Shirke

macrumors regular
Jan 20, 2013
124
10
Apple, can you please include the Sears store? I shop a lot at Sears.
 

bradl

macrumors 603
Jun 16, 2008
5,922
17,398
Tokenization is one of the best ways to protect PCI data.

Prime example: PCI standards allow someone handling such data to only display the first six and last 4 digits of a PAN (your credit card) in their database. For a merchant to retrieve the full data for research (your full card number), the people holding the data would encrypt the middle digits of your PAN number, create a token, and store it in a database with your encrypted card information.

The merchant then would be presented with a token. They submit the token, and the entity holding the PCI data has their application check the token against what they have in their database. If they match, the people holding your data return the full card number to use. That way, at no point does either the holder or the merchant have all 16 digits of your credit card number.

I've maintained PCI databases, and it's one of the easiest and most secure ways to store your data. For Apple to be looking at this is a good thing, especially if rumors are true about using NFC in their next iPhone.

BL.
 

saintforlife

macrumors 65816
Feb 25, 2011
1,045
329
Somewhere some celebs are wondering why Apple couldn't tokenize iCloud passwords and backups...
 

ElZeus

macrumors regular
May 26, 2008
239
128
All the major telecoms were waiting on Apple to enter the NFC game. I can't wait to get my mark...:(
 

PocketSand11

macrumors 6502a
Jun 12, 2014
688
1
~/
Token systems are the way to go. I used the Facebook API for my iPhone app to get a user's friend list (well the limited one thanks to the stupid 2.0 API), and I realized just how easy and secure their token-based authentication made things.
 

Mrjynx

macrumors regular
Aug 31, 2006
134
176
Toronto
How is this different than using a PIN?

Doesn't seem any different than the SIM chips on our Visas and bank cards. Only difference is instead of a 4-digit PIN, we're using our fingerprint.
 

Moto G

macrumors 6502a
Jul 6, 2014
858
0
Doesn't seem any different than the SIM chips on our Visas and bank cards. Only difference is instead of a 4-digit PIN, we're using our fingerprint.

They're not SIMs, they're smart cards, essentially.

SIM = "Subscriber Identity Module" :)
 

Scotharrell7

macrumors newbie
Sep 7, 2014
7
1
NFC is the thing I'm most excited about on both the iPhone and iWatch. That's going to be intense!
 

Mrjynx

macrumors regular
Aug 31, 2006
134
176
Toronto
They're not SIMs, they're smart cards, essentially.

SIM = "Subscriber Identity Module" :)

Stand corrected, smart cards :)

NFC-based payments aren't actually new. BlackBerry did that with a few banks in Canada. It's possible Visa told them how Apple's device should communicate with their networks, not the other way around.
 

toneLA2

macrumors regular
Jan 28, 2014
104
41
Beverly Hills, CA
I just don't understand one thing regarding Apple's push for NFC's deployment as they partner with Disney, CVS and other brands.

Am I the only one wondering why? I visit my local 7-Eleven daily and they already have an NFC-enabled terminal. It shows the Google Wallet logo on it. By the looks of it, it might be a couple years old. Actually, lots of retailers around Los Angeles have NFC-enabled terminals.

Will iPhone 6 require a last-gen terminal to work with NFC? Wouldn't it be absurd? I haven't seen anyone wondering about this very question on MR. As though NFC was a new technology unavailable anywhere, pushing Apple to sign agreements with retailers out there.

Any thoughts?
 

MentalFloss

macrumors 65816
Mar 14, 2012
1,019
841
Will iPhone 6 require a last-gen terminal to work with NFC? Wouldn't it be absurd? I haven't seen anyone wondering about this very question on MR. As though NFC was a new technology unavailable anywhere, pushing Apple to sign agreements with retailers out there.

The major selling point should be the unprecedented level of security that a tokenization technology coupled with a readily available fingerprint sensor will give customers. Even if you lose your payment-enabled iPhone 6, nobody will be able to make any payments with it.

I doubt that new NFC terminals will be necessary, but existing terminals and/or payment systems in the stores will probably need a software update.
 

altaic

macrumors 6502a
Jan 26, 2004
636
426
So I don't have a set of numbers to give to every vendor who may note it down and defraud me, and necessitate me changing them? But how can I feel secure without my assigned numbers?

Apologies for the bitterness and sarcasm. I wish American Express had succeeded in their blue card crypto certificate thing years ago as an answer to consumer doubt towards internet vendors (turned out people didn't really care and so the status quo persisted). Yeah, static SSNs and CCs are absurd. I look forward to tokens, certificates, crypto tickets, or whatever they decide to call them.

It's a bit amazing that Apple using cryptographic tokens is news, to be honest. Any other way would be an enormous liability and avenue for criticism. Only old boy systems get away with that these days.
 

AxoNeuron

macrumors 65816
Apr 22, 2012
1,251
855
The Left Coast
If a hacker were able to hack into a company that used these keys to sell stuff, and stole like 20 from your past purchase history, couldn't they look for patterns in the token keys by comparing them and find out what the generation algorithm is anyways? I guess the only factor would be complexity of the algorithm. I imagine they would have some constant unique value passed as input into this generation algorithm to generate the unique tokens, probably your account number or something. Who knows, maybe Apple could get real clever and generate a new unique value each time associated with your account, so that a hacker would also have to have access to that value somehow.

I'd bet that there's still a flaw in this system. If anything, the increase in complexity will attract hackers.
 

MentalFloss

macrumors 65816
Mar 14, 2012
1,019
841
If a hacker were able to hack into a company that used these keys to sell stuff, and stole like 20 from your past purchase history, couldn't they look for patterns in the token keys by comparing them and find out what the generation algorithm is anyways? I guess the only factor would be complexity of the algorithm.
No, the algorithm is not what primarily provides the protection. Even fairly simple algorithms can be extremely safe. The protection would come from the size of the tokens. They are likely going to be rather large, so you would need a huge number of tokens to guess the underlying keys.

By the way, even if you had the keys and the algorithm, it would still not allow you to make payments with the tokens that you can generate from them, because the store would verify each token with Visa/Mastercard/Amex to check if they actually issued that token to the customer.

Also, the tokens will most likely not be stored anywhere after the purchase is completed. So someone would actually have to follow you around for a few days, hoping to intercept your phone's communication with the NFC terminal to gather tokens. However, it's one of the major advantages of NFC over e.g. Bluetooth that the communication is extremely short-range.
I'd bet that there's still a flaw in this system. If anything, the increase in complexity will attract hackers.
There is a "flaw" in every security system. It's just a question of how difficult you make it for attackers to break it. If someone has to put more money into breaking a code than they could ever gain from breaking it, then that code can be considered "safe".

In any case, hacking into the systems of Visa or Mastercard and stealing credit card numbers is significantly "easier" than hacking into their systems or following someone around to steal tokens and to guess your credit card number from that.

----------

Somewhere some celebs are wondering why Apple couldn't tokenize iCloud passwords and backups...

In the case of passwords, it is up to the user to make sure that they are secure. It's difficult for the service provider to keep attackers from guessing overly simple passwords.
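
Added example, not part of any post in this thread and not Apple's or any card network's code: a minimal vault-style tokenizer illustrating the lookup flow bradl describes and the issuer-side check and one-time use that MentalFloss's reply relies on. The class and function names are hypothetical, the card number is a constructed test value, and it assumes tokens are drawn at random rather than derived from the card number; encryption of the stored PAN is left out.

```python
import hashlib
import secrets


class TokenVault:
    """Constructed stand-in for the party that holds the card data."""

    def __init__(self):
        # SHA-256(token) -> PAN. A real vault would also encrypt the stored PAN.
        self._live = {}

    @staticmethod
    def mask(pan):
        # Only the first six and last four digits are ever displayed.
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, pan):
        # 256 bits from the OS CSPRNG. The token is not computed from the PAN,
        # so comparing stolen tokens reveals no generation algorithm.
        token = secrets.token_hex(32)
        self._live[self._key(token)] = pan
        return token

    def redeem(self, token):
        # pop() deletes the mapping: the first redemption returns the PAN,
        # a replayed or guessed token returns None.
        return self._live.pop(self._key(token), None)


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    t1, t2 = vault.issue(pan), vault.issue(pan)
    return {
        "masked": TokenVault.mask(pan),
        "tokens_differ": t1 != t2,
        "first_use": vault.redeem(t1),
        "replay": vault.redeem(t1),
        "forged": vault.redeem(secrets.token_hex(32)),
        "second_token": vault.redeem(t2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the vault keys its table by the hash of each token, a copy of the table alone does not yield a usable token.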
 