Your cold hatred of Apple knows no bounds does it? Can you just get a real life for a change and ignore Apple and live a happier life?
To point out your complete ignorance, Apple provide and encrypted service with Apple Pay, but you clearly haven't watched the keynote or researched it at all. The encryption is the most secure payment service yet available.
With Apple Pay, no credit card data, even in encrypted form, is ever stored on the iPhone or on Apple's servers. Similarly, no credit card data is ever transmitted to or stored on a merchant's servers.
When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it's safely stored within the iPhone's secure element. A token is used in place of an actual credit card number and is what Apple, in its marketing materials, refers to as a unique Device Account Number.
The token itself, as implemented in Apple Pay, is a randomly generated and unique 16-digit number that ostensibly resembles a valid credit card number but is, in fact, fundamentally useless. Think of the token as nothing more than a placeholder or reference ticket for your actual credit card information. The only thing a token has in common with its corresponding credit card number are the last 4 digits on the card. Tokens by themselves are worthless and cannot be decrypted. You could hand the most talented hackers or cryptographers a list of millions of token numbers and it would be of no value to them.
As an additional layer of security, there are mechanisms in place to ensure that the token itself is bound to the phone on which it's stored and can never be used from another device.
Once a transaction is underway, the iPhone sends the token (which again, acts as a stand-in for the real credit card information) to the merchant which, in turn, sends it to the credit card network where it is mapped back to the corresponding credit card account that created it. The card network ultimately contacts the issuing bank for authorization. If the card is approved, the issuing bank sends a message all the way back down the line to the merchant indicating that all systems are go and the transaction can proceed.
This process is leaps and bounds safer than traditional credit card terminals because merchants transact exclusively in tokens and are never in possession of user credit card information.
With a service like Apple Pay in use, large credit card breaches at companies like Target and Home Depot become ancient history because there are no credit card numbers to steal in the first place. What's more, Apple Pay's use of tokens eliminates common threats such as man in the middle attacks and good ole' fashioned credit card skimming because, again, actual credit card information never touches the merchant.
The use of a token, though, is just one part of the puzzle that makes Apple Pay so secure.
Per the aforementioned EMV Payment Tokenisation Specification, completing a token-based transaction from a mobile device requires a form of personal authentication, which is where the simplicity of Touch ID rears its beautiful head. Instead of having to clumsily enter in a one-time password (static authentication data such as a PIN cannot be used), the payment process is finalized when a user authorizes it with Touch ID.
But there's a whole lot more to Apple Pay than Touch ID and the simple handing off of tokens. Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that's tied directly to the token.
The important thing to remember, though, is that the cryptogram is effectively a one-time use digital signature that verifies that the token in transit originated from the device being used. Additionally, the cryptogram includes pertinent transaction data such as the identity of the merchant and how much is being charged.
There are two important facts here to remember:
- Tokens cannot be used without an accompanying cryptogram
- The cryptogram ensures that a token can only be used from the device on which it was initially loaded
Next time instead of going on your typical anti Apple rant, get your facts right first. Apple have created something unique and have every right to ask for a small amount in recompense for their unique encryption services. Then again, you're the kind of person who hold faith in companies like google and samsung, but choose to degrade Apple. Your bias knows no bounds.
Forget Apple and have a good life my friend.
