I don't care how secure a company says something is. Nothing that uses the internet is unhackable.

It is hackable. No one says it's not. But what the hackers can obtain by hacking an Apple Pay transaction is useless to the hackers. Only a token is transmitted (which is not your actual credit card data). With the magnetic stripe swiping old method, your credit card data was there to see. And a memory scraper was used by hackers to obtain that information.

Now, even if a memory scraper or something similar was used to hack the merchant, all they would get are useless tokens. The tokens themselves have no intrinsic value. You can hand your token out like Halloween candy, or scatter it around the NY subway system or post it on MacRumors and NOTHING can be done with it.

Why not, you ask? Well, it only works in conjunction with a one-time use only cryptogram (from your device) as well as your biometric authentication (fingerprint ID). And, don't forget, the mapping of a token back to your actual credit card information can only be done at the issuing bank and/or the processor used by the card brand.

So the merchant, the weak point in the transaction (as banks are much harder to break into -- hence Target and Home Depot breaches), no longer has anything useful to hackers from your card transaction (when you use Apple Pay). Now do you get it? It's not that Apple is secure or Walgreens is secure, it's the tokenization method of payment, coupled with your biometric ID and other security features.

To sum up, hackers can hack your merchant or Apple Pay servers all they want. But they will not get anything valuable or useful from either. So hackers will focus on easier targets (like old style swipe transactions).
 

I have a question then. If I want to use my debit/credit card that is on file for Apple ID (which is an option on Apple Pay setup) and if Apple is hacked, would that make my tokenization vulnerable?
 

No - but they would get your physical credit card number from Apple. The "tokenization" is not done by Apple or on Apple servers at all. No one knows for sure how this is done but I think the closest we have is this person. Basically, when you authenticate your card, your issuing bank provides your device with a shared encryption key (which explains why banks need to "sign on") that is used to generate the tokens to pay with.

When a payment is made the merchant sends a request to your device, your device responds and the merchant then forwards that encrypted response to be verified.

I'm assuming down the line Apple would hope to use Apple Pay for iTunes purchasing, eliminating the need for Apple to store your credit card number.
 

That would solve all the issues if iTunes would use Apple Pay. Great idea! I hope they think of that as well. All security problems then solved ;)
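The flow discussed in this thread (a token plus a one-time cryptogram, with the token-to-card mapping held only by the issuer) can be modelled in a few lines. This is an added example, not code from any poster and not Apple's or the card networks' actual algorithm: the `Issuer` and `Device` classes, the HMAC-SHA256 cryptogram, the message fields and the test card number are all assumptions made for illustration, and the biometric check is not modelled.

```python
import hashlib, hmac, secrets

def make_cryptogram(key, token, counter, amount, nonce):
    # Stand-in for the one-time cryptogram: an HMAC bound to this one payment.
    data = f"{token}|{counter}|{amount}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical issuing bank: the only place a token maps back to a card."""
    def __init__(self):
        self.vault = {}  # token -> [card number, shared key, last counter accepted]

    def provision(self, card_number):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self.vault[token] = [card_number, key, 0]
        return token, key  # handed to the device; the merchant never sees the key

    def authorize(self, msg):
        entry = self.vault.get(msg.get("token"))
        if entry is None or "cryptogram" not in msg:
            return False  # unknown token, or a bare token with no cryptogram
        _, key, last = entry
        expected = make_cryptogram(key, msg["token"], msg["counter"],
                                   msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # cryptogram does not match these payment details
        if msg["counter"] <= last:
            return False  # cryptogram already used: replay
        entry[2] = msg["counter"]
        return True

class Device:
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, amount, nonce):
        self.counter += 1  # a fresh counter makes every cryptogram single-use
        msg = {"token": self.token, "counter": self.counter,
               "amount": amount, "nonce": nonce}
        msg["cryptogram"] = make_cryptogram(self.key, **msg)
        return msg  # everything the merchant (or a memory scraper) gets to see

def demo():
    issuer = Issuer()
    device = Device(*issuer.provision("4111111111111111"))  # constructed test number
    msg = device.pay(1299, "merchant-nonce-1")
    stolen_token = {"token": msg["token"], "counter": 2, "amount": 1299, "nonce": "x"}
    return (issuer.authorize(msg),                    # genuine payment
            issuer.authorize(dict(msg)),              # scraped message replayed
            issuer.authorize(stolen_token),           # token alone
            issuer.authorize({**msg, "counter": 2}))  # counter bumped, old cryptogram
```

In this model `demo()` accepts only the first message: the replay, the bare token and the altered message are all rejected by the issuer, and the card number never appears in anything the merchant handles.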
 