A Comprehensive Outline of the Security Behind Apple Pay

[Tubamajuba]

Anything you need to tell yourself to feel safer about having Apple handle your financial information.

You obviously know nothing about Apple Pay.

But hey, anything you need to tell yourself to justify trolling this thread.

Not even close. Google Wallet is nothing like ApplePay. Google Wallet pre-dates the March 2014 EMVco tokenization standard ApplePay is based on. How could it implement something that did not exist?

Google Wallet doesn't issue transaction specific tokens. ApplePay does.
GW holds your credit card number. ApplePay does not.
GW processes transactions on a proxy CC. ApplePay does not.
GW you don't get merchant specific rewards. ApplePay you do.

You're on MacRumors, it's no use trying to explain this kind of stuff. Some people just can't handle the fact that Apple can do something right.

 

[SilianRail]

Doesn't do much good when the banks get hacked.

 

[iLLUMI]

Replacing cash - no - replacing carrying your credit cards - hopefully.

Well actually, we're already at that point where you don't need a card to withdraw money from an ATM and it is extremely popular.
In Australia this is now possible (since mid 2014), not sure about USA and rest of world. You just need to use the banks app to select how much money you want to withdraw, you then get issued a code which you then punch into the ATM and out comes the cash. No card, no skimming, no worries!
It's also a great benefit when you go out and suddenly realise you've left your card at home, or where your card broke or was swallowed up by an ATM etc.
So if anything we're certainly heading towards a "Cardless" society.
I think cash will outlast cards.

 

[Duane Martin]

Exactly! No portion of this is particularly "new", nor does it offer end users any real security benefits.

If you have a non-US issued contactless credit/debit card you have very similar technology in your wallet already.

That's right, because on my chip credit card I have a thumbprint reader which "at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram."

So when you write "very similar" what you basically mean is "not remotely in any practical way?" ApplePay will go way beyond my chip embedded credit card, which simply needs to be stolen to be used.

 

[amro]

This, along with a bigger screen and swipe keyboards is why I'm coming back to iPhone after using android for two years.

I used google pay and never felt secure as my PIN could potentially be stolen. Stealing a fingerprint is a "wee bit" harder.

And for those people with pin and chip cards, remember this. You still have to type a PIN. I lived in the UK for several years. PIN's are a lot easier to steal than a fingerprint.

 

[Fenez]

This, along with a bigger screen and swipe keyboards is why I'm coming back to iPhone after using android for two years.

I used google pay and never felt secure as my PIN could potentially be stolen. Stealing a fingerprint is a "wee bit" harder.

And for those people with pin and chip cards, remember this. You still have to type a PIN. I lived in the UK for several years. PIN's are a lot easier to steal than a fingerprint.

while that is true absolutely, what can you do with someones pin whithout actually having their phone also?

 

[spectrumfox]

You obviously know nothing about Apple Pay.

But hey, anything you need to tell yourself to justify trolling this thread.

I actually know quite a lot about Apple Pay, and NFC in general, since its not new technology.

Don't be so quick to trust Apple with your financial information. Especially when they JUST started using 2-factor authentication to secure iCloud user backups, and only because of all the celebrity nudes that got leaked. They had iCloud active for three years and didn't think to secure your data until now.

Three whole years.

And now you're going to trust them with your money, and you're calling me a troll because I don't.

A fool and his money are soon parted.

 

[usarioclave]

I actually know quite a lot about Apple Pay, and NFC in general, since its not new technology.

Don't be so quick to trust Apple with your financial information. Especially when they JUST started using 2-factor authentication to secure their iCloud user backups, and only because of all the celebrity nudes that got leaked. They had iCloud active for three years and didn't think to secure your data until now.

And now you're going to trust them with your money, and you're calling me a troll because I don't.

This is how it starts.

Yuk yuk yuk. Who do you trust? Google, who's Android operating system didn't even bother to lock down their data until the next release? Who forgot to partition access to the SD card until the latest release? Who has so many holes in their OS that they've become a botnet vector?

Nobody knows if nudes came from iCloud, really. But everyone knows where malware goes, if it can.

 

[UnfetteredMind]

Apple didn't "sign up" anyone. All they did was ask if they wanted to be a part of the promotion. There is NOTHING that retailers have to do for Apple Pay other than have a NFC POS. This was all marketing at it's best.

All those places you mentioned above have taken NFC payments for a while now. I know as I've used it. Panera being my go to place. They are stunned when they see me do it.

So all you are waiting for is Apple to apply the update to your iPhone.

I believe those merchants who committed to Pay and were mentioned in the keynote have committed to having capable POS terminals in ALL their locations (not sure by what date however, but the commitment is there to upgrade them all).

 

[amro]

while that is true absolutely, what can you do with someones pin whithout actually having their phone also?

True, but phones are easy to steal in large crowd scenarios. Same for pin/chip cards. With the iPhone, you need the fingerprint to unlock it first. And if for some reason it's already unlocked, you still need your fingerprint to use Apple pay.

 

[Fenez]

Yuk yuk yuk. Who do you trust? Google, who's Android operating system didn't even bother to lock down their data until the next release? Who forgot to partition access to the SD card until the latest release? Who has so many holes in their OS that they've become a botnet vector?

Nobody knows if nudes came from iCloud, really. But everyone knows where malware goes, if it can.

android hyperbole aside... kirsten Dunst i believe knew where her pictures were and even thanked icloud for it.

 

[spectrumfox]

Yuk yuk yuk. Who do you trust? Google, who's Android operating system didn't even bother to lock down their data until the next release? Who forgot to partition access to the SD card until the latest release? Who has so many holes in their OS that they've become a botnet vector?

Who mentioned Google?

Nobody knows if nudes came from iCloud, really. But everyone knows where malware goes, if it can.

Uhh, everyone knows the nudes came from iCloud. Those who stole the nudes even said so, and documented how they got around Apple's incredibly lax security in order to steal them. They all pointed to the simple fact that Apple barely had ANY security on iCloud at all, so they could easily enter any account they wanted, take as much as they wanted, and no one would be the wiser.

Have you not been paying attention at all to what's been going on all year?

The only reason why Apple is "locking down" iOS 8 and adding 2-factor auth and encryption to iCloud is because of all of this. They certainly didn't do it out of the goodness of their hearts.

They did it to save their asses and to keep people buying iPhone's.

 

[bbeagle]

That's complete crap. Every bank card issued has a pin number.

It's probably a US thing then. NONE of my credit cards have pin numbers, and nobody I've ever known has had a pin number for a credit card.

You simply swipe the card at a teller and go. No signature either if it's less than $50 at most merchants.

And at a gas station for a $50 fill up, just swipe and go at the pump - no teller to even confirm that a male is using a card with the name Mary. It's very lax here in the US - which is part of the problem.

 

[animcam]

Trying to decide if you are serious or not.... I think it is a little easier for someone to get my credit card number than to hack my Touch ID or steal my phone and finger.

Besides which, Apple will just bring out a new app, Find My Finger.

 

[ptb42]

They are all tokenized ....windows, android, its not new. What's new is the touch I'd. Japan has been tokenization since 2007.

What tokenization standard has Japan and the rest been using? The first version of the EMV tokenization standard was only published in March, 2014:

http://www.nfcworld.com/2014/03/11/328236/emvco-publishes-tokenization-framework-specification/

An EMV card encrypts account data on the chip, but it is not tokenized.

 

[tlevier]

So here are my questions:

How difficult is it to load a credit card into your phone's profile? I guess I want to know what / how it is verified that I am the owner of the CC. Do I have to go in to my bank account to authorize the card onto a specific iPhone or iTunes acct? The fear that I'm trying to alleviate is someone loading my card onto their phone. (I'm not actually that concerned with this as I suspect when I see the final process, I'll be satisfied with the difficulty and safeguards.)

Places like Target have gotten pretty cozy with our CC numbers over the years. If you buy 10 things in a transaction and you take something back, they scan the receipt and send the money back to the card the item was charged from. With 1-time tokens, what things will change with retailers in regards to returns? Will they pay out cash for returns? Will they be able to charge-back the card? Would they be able to identify which card you used and require the charge-back to that same card using a new Apple Pay transaction?

 

[jm001]

A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

First of all the perps have to know which finger you use for the Touch ID. Secondly they have to get a full print from that finger. Then they have to make a synthetic copy of the print because a photograph of the print won't work. The print has to be 3D. The average Joe isn't going to get hacked with all the steps needed for your prints. And if you're getting your finger hacked off 1) what kind of company are your keeping? 2) what line of work has you targeted 3) how rich are you?

 

[ptb42]

It's probably a US thing then. NONE of my credit cards have pin numbers, and nobody I've ever known has had a pin number for a credit card.

You simply swipe the card at a teller and go. No signature if it's less than $50 at most merchants.

US credit cards usually have a PIN, but it is for cash advances at an ATM. It is not used for retail purchases.

 

[Tubamajuba]

I actually know quite a lot about Apple Pay, and NFC in general, since its not new technology.

Don't be so quick to trust Apple with your financial information. Especially when they JUST started using 2-factor authentication to secure iCloud user backups, and only because of all the celebrity nudes that got leaked. They had iCloud active for three years and didn't think to secure your data until now.

Three whole years.

And now you're going to trust them with your money, and you're calling me a troll because I don't.

A fool and his money are soon parted.

No, I'm calling you a troll because of this statement:

Oh my. A lot of Kool-Aid being served in the forums here today.

If that's how you enter the thread, why should anybody seriously respond to what you have to say?

Just look a few pages back in the thread, where the user Menel explained what sets Apple Pay apart from other mobile payment solutions. It's nothing that other companies can't use, but Apple is leading the charge right now.

Besides which, Apple will just bring out a new app, Find My Finger.

Okay, this is gold.

 

[bbeagle]

Folks, if you are being held at gun or knife point so that a thief can get your pin or password, you've got bigger issues than the thief going on a shopping spree.

Plus, who cares - in the US, you're protected once you call in and report your card stolen you're not responsible for the charges, even charges that happened before you made the call (as long as it's a reasonable amount of time you called in, like a few hours later)

 

[Duane Martin]

And for those people with pin and chip cards, remember this. You still have to type a PIN. I lived in the UK for several years. PIN's are a lot easier to steal than a fingerprint.

No you don't. Tap to Pay is common in Canada; just tap your card and pay. There are limits but I have seen up to $200 accepted so a lot of damage could be done with no PIN required.

 

[Euge]

I actually know quite a lot about Apple Pay, and NFC in general, since its not new technology.

Don't be so quick to trust Apple with your financial information. Especially when they JUST started using 2-factor authentication to secure iCloud user backups, and only because of all the celebrity nudes that got leaked. They had iCloud active for three years and didn't think to secure your data until now.

Three whole years.

And now you're going to trust them with your money, and you're calling me a troll because I don't.

A fool and his money are soon parted.

You keep saying there needs to be trust in Apple with financial information. But if you knew the details of Apple Pay you would know Apple doesn't store account information, nor transaction information. So there is no financial data to store to trust them with.

So even if they did get hacked again, what financial information is there to steal?

 

[MarcelV]

*delete*

 

[bbeagle]

Besides which, Apple will just bring out a new app, Find My Finger.

LOL.

If anyone has actually used Touch ID and not just trolling it. It matters WHICH finger you use, and WHERE on the finger you touch the Touch ID button.

Just having a finger is not enough. You need to know how the user presses the finger. PLUS - when I do something like go swimming, Touch ID won't recognize my finger for the next 30 minutes as my fingerprint isn't the same. I would guess that a severed finger would be similarly not recognized.

 

[animcam]

Fees?

Who pays here? The stores get charged by the credit or bank debit card I am sure. Does the iPhone holder also take a small hit?

Stores in my neighborhood will not take cards now for small amounts so replacing all cash won't be happening in my area.

Of note though, my bank just emailed they are sending a new card out after Visa warned them my current card might have been comprised, I'm guessing from a Home Depot charge I made a few weeks back. I don't think this will happen after I upgrade to the 6.