Apple Watch Will Use Skin Contact for Apple Pay Security

[sflagel]

Terrible idea

This is a terrible idea.... They go through so much trouble to make payments by iPhone totally secure (fingerprint, single token), but it is possible to pay with the iWatch using only a PIN? Fair enough, that is how Chip & PIN works today, but given the fingerprint on the iPhone, I was hoping for something more secure.

 

[BaldiMac]

This is a terrible idea.... They go through so much trouble to make payments by iPhone totally secure (fingerprint, single token), but it is possible to pay with the iWatch using only a PIN? Fair enough, that is how Chip & PIN works today, but given the fingerprint on the iPhone, I was hoping for something more secure.

I wonder if the PIN may be part of a pairing process with an authorized iPhone. That would make more sense to me.

 

[kdarling]

So if Apple's servers were hacked they cannot retrieve Apple Pay card information. Yes they use the card on file with the iTunes accounts. Those numbers are still vulnerable (at the moment) to hacks. All of your other cards are not accessible to a hacker.

If Google's servers were hacked, there would be millions of users with exposed credit cards.

Sure, and the credit card companies' servers could be hacked, and so forth.

Since you're not liable in those events, who cares.

I do think the CC companies, Google and Apple are better custodians than Home Depot

 

[Alenore]

Unless you are right next to an NFC reader, how would they know if you lied about your pin?

Because the pin is used to unlock Apple Pay when it's put on the wrist, not on every transaction.
"Take it off. Put it back. Enter your pin. Okay, good, gimme the watch."

 

[rish]

So...

I have bony wrists. With most watches I wear the back is rarely plastered up against the back of my wrist. How tight are people going to have to wear this thing? I think there's going to be a lot of re-entering your pin.

...tight that it stops the blood supply to your hand by which time the watch will think your dead and lock all functions anyway.

 

[ENduro]

Are you telling me you think the electrical activity for a heart beat, which is continuously variable in rate and magnitude depending on the situation, is a valid and precise physiological measurement capable of being measured by a watch?

That's why it would be genius. "Magical" was not a word used in the keynote.

Honestly, I think this is rushed. All the big "leaks" and supposed meetings with the FDA and AMA. The interface looks like they were going for a round shaped watch (everything is seemingly a circle from apps, to their arrangement to the health tracking at a glance. The health monitoring is cool but none of it seems like a killer app that physicians would be recommending over some of the other solutions out there which is what I think a lot of us expected, something completely new to market.

 

[Tech198]

Ingenious...

Not too bad at apple..

Although Touch ID would have been better built into the watch itself that.

What if your skin is oily ?

I agree though. Apple uses Touch ID for the latest iPhones and/or iPad's of recent, so they go to that measure because they care about security, then they bring out a 18-karrot gold watch that looks like its only meant for the 'price in shining armor', but then you have a PIN ? Better than nothing, but this kinda reminds me of iMessages being the 'weakest link' The odd one out..

I dunno, it just looks like to cheesy how Apple did, and they pair this up to your skin (so obviously they go to ONE secure way at least), "assuming it works well"

 

[JeffyTheQuik]

I doubt anyone will go to the store with a dead body or a severed forearm.

What about on Halloween?

 

[kas23]

You just know there going to be a rash of posts (no pun intended) on here saying "you're wearing it wrong" when people complain about having to continuously re-enter their pin.

----------

Are you telling me you think the electrical activity for a heart beat, which is continuously variable in rate and magnitude depending on the situation, is a valid and precise physiological measurement capable of being measured by a watch?

Maybe I'm just out-of-touch with what people want, but I'm just not sold that the general public want, or even need, to continuously know their heart rate. Am I not health conscience enough? This may turn out being one of the $200 pair of running shoes people MUST have in order to exercise, then just wearing them casual walking. But hey, people who don't even play basketball buy $300 basketball shoes.

 

[Mattsasa]

It would be even better if the 5s could bypass the PIN using Touch ID. That way the only ones who have to enter a PIN are users of the 5 and 5c

I think you are misunderstanding the point... you only need to enter the pin when you put the watch on. not when you are making a purchase.
no one has to enter a pin when making a payment with apple pay

This would be awesome! But there are two points that aren’t so good:

1) If it’s waterproof, but not water-resistant. That means every time you are swimming, taking a shower or other activities, you have to take it off.
2) if the battery life is just for one day, you have to take it off everyday.

These 2 points are going to make you put the pin code almost every time you are buying something.

i think you have the terms water proof and water resistant flipflopped

 

[Tech198]

The good thing have to say here is the "one time" pay.

Sadly, Pay-pal used to have something like this in Australia, but they got rid of it.

And i'm not about to fork over my details to some unknown site that's not secure.

So, bring it Apple I'll think about it, if it ever comes here.

 

[eric_n_dfw]

I'm happy to see that 5s users are able to use ApplePay via the watch, but I'm surprised since the "Secure Element" doesn't exist on the Phone. I wonder if that means only the car you have on file with iTunes will be elligible? The demo showed adding other cards to your PassBook via the camera, so I wonder if that will be an iPhone 6 only feature or if iOS will push the info to a secure element on the watch?

 

[twigman08]

Ok, so you're saying all I need to do is just enter a pin one time when I get up in the morning to get secure payments without using my card? Perfect!

So people are griping that they have to enter a pin when they get up in the morning for this? Talk about first world problems.

----------

I'm happy to see that 5s users are able to use ApplePay via the watch, but I'm surprised since the "Secure Element" doesn't exist on the Phone. I wonder if that means only the car you have on file with iTunes will be elligible? The demo showed adding other cards to your PassBook via the camera, so I wonder if that will be an iPhone 6 only feature or if iOS will push the info to a secure element on the watch?

Just one of those "weird guesses," but maybe by "Secure Element" they were talking about the "Secure Element" that no one has access too that Touch ID uses in the 5S?

 

[eric_n_dfw]

Just one of those "weird guesses," but maybe by "Secure Element" they were talking about the "Secure Element" that no one has access too that Touch ID uses in the 5S?

That's possible - but they seemed to make a point of the difference between the "Secure Enclave" and "Secure Element". Will be interesting to see how it pans out.

 

[shamino]

Unless they take your wrist with the watch...

Because we all know that TouchID created a huge wave of criminals cutting off fingers...

I wonder if it asks for confirmation or am i going to be paying for everyones stuff when i walk past a register?

Passing the watch near the sensor is part of the process, not the full process. You still need to confirm the payment.

And if the range is like the range of an iPhone 6, then the watch will have to get within about 2-3 inches from the receiver. That's a lot closer than just walking past a register.

I think so. The Apple Watch is said to also have the "Secure Element" if it doesnt then it won't work on an iPhone 5s since this doesn't have the Secure Element either.

The 5s has a secure element (Apple's literature calls it a "secure enclave"). Right now, it's just used to store fingerprint data. I assume ApplePay will also store your card data in there.

The big deal about the 5s is the lack of an NFC transceiver.

My credit card uses something similar to NFC and it doesn't have a battery, so I can't imagine it's that much of a drain.

Contactless cards have a large antenna embedded in the plastic. The chips are designed to run with very low power, so they can be powered from the current induced when the coil moves through a field generated by the reader. This is also how RFID cards work.

Your card works with RFID I think. It's not the same thing

Maybe, but not likely. RFID is a very simple protocol that just returns an ID number. NFC cards have an actual processor (similar to, if not the same as the encryption chip on EMV cards.)

The logical thing would be to have a kill switch that you can activate in the phone (assuming they dont steal that too) or in icloud

It's already there. Based on what I've read so far, ApplePay on a watch requires the watch to be within BlueTooth range of the phone it is paired with. Steal the watch without the phone, and there's no payments. If both get stolen, you can log on to icloud.com and disable or wipe the phone via the "find my phone" facility.

It would be great if Apple will will provide remote disable/wipe capability for the watch as well and maybe a feature that can disable/wipe it if it loses contact with your phone for more than some configurable amount of time. If the feature isn't there when I get my watch (whenever that is), I'm going to send Apple feedback to request it.

Doesn't touch ID mitigate the need for a PIN?

Not entirely. You still need the PIN/passphrase for the first access after the phone reboots.

Except this pin works with all your cards, doesn't have to be entered in the store and the system doesn't require any kind of identification.

Except that it has to be paired with your phone, which you can remote-wipe.

watch= house arrest ankle monitor....
truly dystopian...

If you're seriously concerned about this, then I assume you don't have a cell phone, because law enforcement can already track that today.

Hmm...this means the only security measure for payments with the watch is a PIN number.

Anyone could put on your watch and create skin contact...getting the PIN would be as easy as looking over your shoulder while you entered it, or looking at security camera footage from above you.

They'd also need your phone, which you can remote-wipe. The PIN is to pair the watch with your phone, not to unlock Apple Pay.

Except people don't leave their CC's laying on a table, bedroom or car. ...
So wait... you must now touch the watch, enter a pin to unlock the watch & access the passbook app then pay?
Yup, that's more convenient than reaching for my wallet.

People don't leave their cards lying around their home/car? Of course they do.

As for your "procedure", the PIN is something you enter when you put the watch on, to re-authorize the pairing with your phone. You wouldn't do it for every single transaction, unless you are in the habit of taking your watch off when you're not making payments.

As for the passbook app, if it's anything like the iPhone 6, the app launches itself when the device gets within range of an NFC reader. You should just be able to move your wrist near the sensor, select your card (if you don't want to use the default-configured one) and then press a button to confirm the purchase.

 

[myemosoul]

Passcode issues.

I haven't even been able to set up my Apple pay on my watch yet because it requires activating the pass code and when I activate the pass code the watch asks me to put the code in pretty much every time I lift my wrist which is HIGHLY annoying, according to the user manual it's only supposed to ask for the pass code when I take the watch off then put it back on or if I wear the watch very loosely. However, I feel that I'm wearing the watch quite tight and shouldn't be experiencing this issue.
Hopefully this is just an early software glitch that will be resolved in a future update because at this point I just leave the pass code off and can't use Apple pay.
Is anyone else experiencing this issue?

 

[myemosoul]

Mystery solved.

Welp, I figured out why I was having issues.
Turns out my tattoos on my wrist were affecting the sensors on the watch, luckily if I slide my watch a little further down there's no ink.