A Comprehensive Outline of the Security Behind Apple Pay

[iososx]

The campaign begins in earnest, no longer just talk this is one of their hardest sells, post S. Jobs. The obvious advantage they start with are the millions of customers credit card information they have in iTunes. That's quite the advantage.

Yet despite the sales pitch, it's not much of a convenience or time saver. Oh sure the iPhone lovers, geeks, will be impressed by it, Jack and Jane consumer not so much. The public can be fickle, this project will be fun to watch.

 

[taoprophet420]

So here are my questions:

How difficult is it to load a credit card into your phone's profile? I guess I want to know what / how it is verified that I am the owner of the CC. Do I have to go in to my bank account to authorize the card onto a specific iPhone or iTunes acct? The fear that I'm trying to alleviate is someone loading my card onto their phone. (I'm not actually that concerned with this as I suspect when I see the final process, I'll be satisfied with the difficulty and safeguards.)

Places like Target have gotten pretty cozy with our CC numbers over the years. If you buy 10 things in a transaction and you take something back, they scan the receipt and send the money back to the card the item was charged from. With 1-time tokens, what things will change with retailers in regards to returns? Will they pay out cash for returns? Will they be able to charge-back the card? Would they be able to identify which card you used and require the charge-back to that same card using a new Apple Pay transaction?

I read all 12 pages and were surprised you were the on,y one who mentioned this. You canuse your camera to load a card like you do for Safari in iOS 8 or u can manual,y enter card data.

There is no verifying your address or anything else in the Safari implementation and doubt if Apple Pay will be different. So leaving your card at a restraint or misplacing your wallet will make it easy for Someone to load your card on their iPhone.

Hopefully the tokens will allow Visa or Apple to track down the device that captured a pho5o of your card. This is a big over sight by Apple.

 

[usarioclave]

You know that iCloud recently got hacked and nude celebrity photo's were leaked, right??

Actually, what's amazing is that this doesn't happen more often. ITunes and PayPal have huge repositories of payment information. PayPal has your Aba, account number, name address, phone. Apple has your credit cards and addresses. Neither have been compromised, ever. They have been under assault for over a decade.

Even the big payment processors get compromised occasionally. PayPal and Apple, never.

iCloud is a different department.

 

[HiDEF]

Actually, what's amazing is that this doesn't happen more often. ITunes and PayPal have huge repositories of payment information. PayPal has your Aba, account number, name address, phone. Apple has your credit cards and addresses. Neither have been compromised, ever. They have been under assault for over a decade.



Even the big payment processors get compromised occasionally. PayPal and Apple, never.

Thanks for the insight.

 

[animcam]

So tell me how Apple Pay benefits me...?

From my understanding, Home Depot and Target won't have any info about your card, all they have is your money from the bank. So in 3 months when you hear their system has had another leak you wouldn't have to get a new card like I am doing today after Visa informed my bank my card may have been compromised.

 

[Redenkeew]

Difference is that credit cards and debit cards offered convenience so there was a reason for consumers to use them. Apple Pay doesn't add convenience—in fact, it just increases the risk that you'll drop your $650+ phone.

As for security...if your credit card has unauthorized transactions then you're not liable for them anyway. People are just transferring any trust they have to Apple, which doesn't exactly have a flawless track record as we all know.

I disagree. I personally think Apple Pay offers convenience. I have a ton of cards and I use each and every of them depending on the type of purchase I make. So naturally I'm required to carry my big wallet with all of my cards at all time. I've always afraid of losing the wallet, meaning that I lose all the cards, and the trouble of requesting replacement cards and that does take time. Some of them are issued outside of the US so it's near impossible for me to get a replacement. Now I don't have to carry my wallet when I'm out shopping, and if I lose my phone, I just have to suspend the Apple Pay on my phone, I don't have to cancel any of my credit cards. That's super convenience for me.

I love how Starbucks let me pay with my phone because it's super fast and I don't have to carry the card around. Now Apple is offering the same thing and I can't be more excited for this to go live.

 

[vanitytriplex]

The beginning of a "Cashless Society" is approaching.

End times lol

 

[MyopicPaideia]

The little we know about how tokens are generated are that you would need AT LEAST three things:

1. The original account number
2. The device-specific identifying information to help generate the token
3. The token algorithm

If you got the algorithm, it wouldn't do much good without the other two things.

Not to mention that both 2 & 3 would require one to not only be able take physical possession of the phone (and have full access to it, and long enough without it being remotely wiped by the rightful owner) but also to somehow hack into the secure element. In addition they would also have to have a perfect copy of your fingerprint and be able to emulate a TouchID authorisation to actually be able to do a transaction. A ridiculous prospect, truly.

Spectrumfox is being disingenuously skeptic, grasping for anything possible, and I don't know why...just for the sake of winding people up?

This payment authorisation system is grades of magnitude more secure than anything being used in the world today now, and to try and say otherwise is not being honest.

It is hard to imagine how Spectrumfox and those,like him, dare use a debit or credit card today, as no existing authorisation method even comes close to the security afforded by Pay.

Just watch GW and the rest of the contactless payment systems follow suit as fast as they can. Apple is spearheading the new standard of CC security that the CC companies have been pushing for years, and are going to force on merchants within the next couple of years globally anyway. A perfect time for Apple to get in the game. As has already been observed by everyone - journalists, and industry insiders alike.

 

[bushman4]

iPhone 6 will be an Extremely secure credit venue. Unique, more secure than anything currently available.

 

[G4DP]

It's probably a US thing then. NONE of my credit cards have pin numbers, and nobody I've ever known has had a pin number for a credit card.

You simply swipe the card at a teller and go. No signature either if it's less than $50 at most merchants.

And at a gas station for a $50 fill up, just swipe and go at the pump - no teller to even confirm that a male is using a card with the name Mary. It's very lax here in the US - which is part of the problem.

No wonder fraud is so high.

May have been different before Chip&Pin, I can't remember. But to not even check for a signature is insane. Then in the UK credit card companies have always offered the ability to draw money out from the ATM with them aswell.

 

[peterh988]

And at a gas station for a $50 fill up, just swipe and go at the pump - no teller to even confirm that a male is using a card with the name Mary. It's very lax here in the US - which is part of the problem.

I had my credit card stolen*, in an effort to find out how and why, I trawled the web and ended up in some pretty horrible, criminal places, the one thing that stood out though, was the advice on where best to put a stolen card to good use, and that was always "Go to America"

*Someone managed to get through security, request a change of address and had a new card and PIN sent to them.

 

[ct2k7]

I disagree with TUAW, looks more like EMV contact less rather than payment tokenisation

 

[Menel]

Apple isn't late to the party: they waited until the party was really ready to start.

LOL
Spot on

 

[LJSurfa]

3 letters why you have to: NFC.

I use a Vodafone smartpass chip on the inside case of my iPhone4. Don't bother carrying round cards anymore.

 

[Shin3r]

I read all 12 pages and were surprised you were the on,y one who mentioned this. You canuse your camera to load a card like you do for Safari in iOS 8 or u can manual,y enter card data.

There is no verifying your address or anything else in the Safari implementation and doubt if Apple Pay will be different. So leaving your card at a restraint or misplacing your wallet will make it easy for Someone to load your card on their iPhone.

Hopefully the tokens will allow Visa or Apple to track down the device that captured a pho5o of your card. This is a big over sight by Apple.

From what I've read on Apple's website, I gather that in order to activate passbook for the cards you have to use your current card associated with your Appleid. I'm assuming this is the "verification" part that says you are who you say you are. Any further card info should match and is then verified by the bank servers. Of course, this wasn't in any fine print I could find but it leads me to this conclusion thus far.

 

[linuxcooldude]

The credit card companies created the token payment methods that Apple is one of the very first to use. The timing was nearly perfect for Apple.

I thought you said before tokens were not new and Apple was using the same token system as everyone else?

 

[doelcm82]

Chip and PIN is very secure if you are careful. You cover the PIN pad with your other hand when you put the PIN in. No one has to see.

It's a lot safer, because you don't enter your PIN in public. You put on your watch, enter the PIN (likely in your bathroom) and it works as long as you don't take off the watch. Nobody sees you entering the PIN.

The advantage with using Touch ID is that you don't have to cover the PIN pad with your other hand, or excuse yourself and go to the bathroom to enter your secret code.

Many things are safer if you always follow best practices. Expecting everyone to always follow best practices, is not the best model for security.

 

[kdarling]

I thought you said before tokens were not new and Apple was using the same token system as everyone else?

I said that Apple is using the same token systems that others can use. In other words, they are not Apple specific. They are scheme (Mastercard, Visa, Amex) specific.

PAN tokens themselves are not new.

The specification by EMVCo to use them is fairly new, and was retro-actively designed with some loose areas so that it could encompass all the various token payment sub-methods that each of the major CC companies have come up with over the past year.

Anyone can team up with the various issuers to use those methods. Apple Pay is the first major wallet to do so, and it works out great for both sides.

 

[Razeus]

Read. The. Link.

Do. Not. Care.

 

[kdarling]

How difficult is it to load a credit card into your phone's profile? I guess I want to know what / how it is verified that I am the owner of the CC. Do I have to go in to my bank account to authorize the card onto a specific iPhone or iTunes acct? The fear that I'm trying to alleviate is someone loading my card onto their phone. (I'm not actually that concerned with this as I suspect when I see the final process, I'll be satisfied with the difficulty and safeguards.)

Here are some (somewhat vague) answers from a Visa SVP:





To me, it would make the most sense if Apple was actually involved in the device token request process, as they could send our iTunes name and CC and other info to help confirm who we are.

That way, someone could not just scan a card for John Doe if their iTunes registered name was Tom Smith.

With 1-time tokens, what things will change with retailers in regards to returns? Will they pay out cash for returns? Will they be able to charge-back the card? Would they be able to identify which card you used and require the charge-back to that same card using a new Apple Pay transaction?

Even with tokens, merchants are given the real last four digits of your card (which you'll see printed on your receipt so you know as well). They can use that to match up the purchase number and card used, if necessary.

 

[Trapezoid]

The timing was nearly perfect for Apple.

Funny how it almost always works out that way

 

[bbeagle]

I read all 12 pages and were surprised you were the on,y one who mentioned this. You canuse your camera to load a card like you do for Safari in iOS 8 or u can manual,y enter card data.

There is no verifying your address or anything else in the Safari implementation and doubt if Apple Pay will be different. So leaving your card at a restraint or misplacing your wallet will make it easy for Someone to load your card on their iPhone.

Hopefully the tokens will allow Visa or Apple to track down the device that captured a pho5o of your card. This is a big over sight by Apple.

How so? The credit card number is not being used in Apple Pay. A credit card token can be invalidated by the bank once they find the card is being used fradulently.

There is no oversight. What would happen if your card is stolen? The bank would issue a new credit card number, invalidate the TOKEN of the fradulent user, but still allow YOUR token to work. Thus YOU would not be without your credit card for a few days until you get a new one, unlike the situation today without Apple Pay.

----------

Difference is that credit cards and debit cards offered convenience so there was a reason for consumers to use them. Apple Pay doesn't add convenience—in fact, it just increases the risk that you'll drop your $650+ phone.

As for security...if your credit card has unauthorized transactions then you're not liable for them anyway. People are just transferring any trust they have to Apple, which doesn't exactly have a flawless track record as we all know.

None of what you write is true.

Apple Pay IS more convenient. Tap your phone against a scanner and touch the Touch ID button. Much easier than getting out your wallet (or in a lady's case fumbling through a purse), finding the credit card, swiping, and putting it all back. No entering of pin codes either.

And for security, you're NOT transferring any security trust to Apple. Apple is out of the loop during the transaction if you understand what is going on.

Apple simply sends a TOKEN instead of the actual credit card information to the merchant. This is much more secure - nobody can intercept your credit card number. Secondly, even if they intercept the TOKEN, it can only be used once. Apple sends another one-time-only security code with the transaction. This security code changes with each transaction. So, if you've got the TOKEN and the security code has been used already (in the initial transaction), as a crook, you've got NOTHING of value to use.

 

[tlevier]

No wonder fraud is so high.

May have been different before Chip&Pin, I can't remember. But to not even check for a signature is insane. Then in the UK credit card companies have always offered the ability to draw money out from the ATM with them aswell.

This just reminded me of my 2011 trip to the UK. I purposely do not sign my credit cards. My logic is 1) if you write "see id" that can invalidate your card (and is against the cardholder agreement) and 2) even if I did sign it, what are the chances the cashier anywhere will ever object. Are they trained to look for forged signatures? (let's have a discussion about that!)

So, leaving it unsigned means that concerned cashiers will ask for ID, unconcerned cashiers wouldn't have checked the signature line anyway. Now, the CC does say "not valid unless signed". If I do get a prickly person, I just sign the dang thing. It took 3 years and a trip to the UK to find that prickly person.

I offered ID and I had to demand a pen to sign the card in order to use the card. This girl thought she was saving the world by not letting me transact 12 pounds for the rail.

"It's not signed."
"Okay, here's my ID so you can know this is my card."
"That doesn't matter. It's not signed so it's not valid."
"Can I borrow a pen."
"No, why? You can't sign it."
"It's my card, of course I can sign it."
[Signs card, hands it back to her for the transaction.]
"You just signed this."
"Yep. Now it's valid. If you think there's a problem with the signature, here's my ID to prove it's my card."
[Visual of hamsters turning wheels in her brain on possible ways this can play out going forward. Swipes card.]

 

[Diode]

Nope. It requires Touch ID. Hence, iPhone 5s or 6.

Eh - I was slightly wrong. It's compatible with iPhone 5/5C/5s - so at least two older phones without touch id.

 

[BDIs]

Samsung has had a secure element since the S3, touchless payments since Google Wallet and SoftCard, and fingerprint Since the S4. They just failed at effectively communicating these features to the end user/market