Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Pay Expanding to China, Possibly France and Canada's Big Banks
- Thread starter MacRumors
- Start date
- Sort by reaction score
Like you have a clue about the circumstances of others.
[doublepost=1455655992][/doublepost]
I trust that most who hang around here aren't major Apple stockholders yet they brag about how much money Apple makes. What does that have to do with the price of grapefruit in Florida?
[doublepost=1455656103][/doublepost]
Another one who doesn't have a clue about people in need.
If you're in need, you shouldn't have a credit card in the first place.
If I were a bank or credit card network, and the person can't afford to pay off $500-$2,000 a month on their credit card bill, I'm not lending them a card to use.
[doublepost=1455656549][/doublepost]
I'm talking about other situations... Like where you buy something online and it comes damaged but the merchant won't refund you.
I didn't think you were a bank or credit card network. Or understanding.
Actually, most countries do store an offline PIN in the card.
Heck, the whole main point of EMV Chip & PIN cards was so that people could use a card in all the places where online authorization is/was not available. Which was most of the world for a long time. (Whereas the US was always online from the start, which is why chip cards were not seen by the banks as a necessity.)
The PIN storage is totally secure, because it's hidden and encrypted behind the equivalent of a secure element. It's never sent outside the card. Instead, in offline purchase mode, the merchant terminal gives the entered PIN to the card and the card authenticates it.
--
The merchant terminal is the weak link here. A few years back the Russian mob intercepted a large batch of EMV terminals leaving a factory, and inserted an extra WiFi capable module which stored and forwarded the PINs that people entered for their cards. Millions of Euros were stolen before the scheme was discovered. It then took a long time to find all the affected terminals, as each one had to be weighed to find out if it had the extra module or not.
Since the banks did not believe there was any way to steal a PIN (and normally they would be right), they refused for a long time to believe that Chip & PIN card holders had not voluntarily given their PIN to someone else, or had otherwise let people see it. It took years for victims to finally get their money back.
Last edited:
If you're in poverty a bank isn't going to lend a person an unsecured loan, a.k.a, a credit card.
Go out and take a look at what is going on right in your community, you'll be shocked.
Dude I make $35,000 a year and had a 670 credit score, yet by local credit union only wanted to extend me a credit card with a $500 limit. Granted it was a card with no fees other than a 10 day late $25 fee and a 8.75% APR card, with 1.5x points on every purchase, but still.
If you can't afford to pay off your credit card every month, and need the credit card to live, I assume that every month your debt on the card gets bigger and bigger.... then you have no business owning a Smart Phone, or any other Apple product. These are NOT necessities, but luxury items. You don't need a cell phone, or internet, or that 55" 4k TV.
The bottom line is if you are living off charge cards you are living like a rich guy since you are paying 20% or more for everything you buy than I am. It means you have money to burn, wise up, pay off your debt before buying any other luxury items.
Bottom line is there is much to learn about people and what they face in life. You make too many assumptions.
I remember seeing a video a while back when chip cards first came to Canada where the guy basically had a laptop in his bag with a cable and fake card running through his sleeve. The fake card was inserted into the terminal and you could enter any PIN you wanted and the chip simply said "Yup, that's right!".
Not sure if they've made improvements to it since.
everyone has alipay. everyone has wechat. even if everyone in the country had an iphone, it'll need something more than "availability" to make waves.
the only killer feature i can think of would be what some american banks are planning; allow access at an atm through quickpass/touch id. i think a lot of atms are already NFC ready, so it may technically be feasible. getting cash with touch id would be handy. i think some of the banks may have a feature where you can use their app to set up a one time code to withdraw cash if you didn't have your card, but this would be an order of magnitude more convenient.
[edit: as a statistic, wechat is a payment option in over 100,000 stores, 80,000 restaurants and 600 parking lots, according to my newspaper that just arrived.]
If the Canadian banks get on board (which, with this reference to Interac in the code is likely at least one bank is getting ready to launch) it would be for both Interac support as well as Visa/MasterCard.
The issue for Canadian banks is fees that Apple is demanding. The 0.15% reportedly being paid in the US for credit cards is too much given how little that Apple actually does. And the banks don't make money on Interac transactions.
So likely what they want, and might actually be able to achieve, is dramatically lower fees for credit (in the 0.01-0.03% range I would estimate) and no fees for Interac debit.
[doublepost=1455688529][/doublepost]
Yes - those exploits were only successful when the transaction did not go online for authorisation. Despite Canada using offline PIN for verification, almost all transactions are authorised online.
Yeah, they're constantly making improvements. It was pretty easy at first to fool merchant terminals. That's because EMV was at first not as much about security as convenience. E.g. being able to pay for a train ticket or parking space at a terminal with no constantly online connection.
One problem that often comes up, is when one of the payment pieces along the way simply fails to follow common sense and check all the card data. Like, there's been cases of payments claiming to be from a chip card, even though the issuer had never given one out! The old backend software went ahead and approved it.
One EMV hack that used to work years ago was the pre-play attack on contactless cards. You scan for local cards and present a "purchase" to them, and then store the card's computed response. Then you use the same data to do a real purchase of the same amount. This was fixed by making sure that merchant terminals don't repeat their nonce values, and by adding time stamps.
One of my favorites is a man-in-the-middle attack. Basically it's like the above pre-play, but in realtime. A thief taps a contactless card that is actually wired up his sleeve to instantly relay the terminal challenges to a base station which finds a nearby contactless card to do the actual "purchase"... and then copies the real card's response back to the evil card. It does require a large antenna to pull off, but it's been demonstrated by using a typical metal shopping cart for that purpose.
I think that kind of attack would even work on Apple Pay if the target phone was pre-triggered and ready to pay. (Imagine charging the iPhone user in line behind you for your purchase! heee!) One terminal guard against that is to time the responses down to the microsecond, and watch for suspicious delays.
it would have to be incredibly well timed. you can't put your fingerprint on the scanner, wait 20 seconds and then present it to the payment terminal.
Pre-play attacks like that are still theoretically possible for transactions run in MSD-Mode, including Apple Pay transactions (and in the US, most contactless transactions are still MSD-Mode).
In fact, my mom has got an iPhone 6 Plus, and she is currently living in China.
So I might be able to persuade her to use this feature.
The vibe I picked up from VISA covering this at the last Verifone Retail Payment conference was that the fraud that comes from cards being physically stolen/lost was so small, card issuers were likely to lose more money from lost revenue (if they required a PIN, making their card less desirable to use compared to signature cards) than from the actual fraud itself.
My wallet is 6 cards thinner now because of Apple Wallet Passes -- Wegmans, Walgreens, Target, Starbucks, American Airlines, and AAA. I also appreciate not having to futz around with paper tickets when I fly, go see a movie, or hit up a Ticketmaster concert/show.
I mean, nobody's going to complain if more companies started using Apple Wallet Passes, but I'm pretty sure I'm not the only person who's getting some benefit from the current list of companies.
To me, Apple Wallet Pass is almost like iTunes Smart Playlists, or iCloud Keychain. It's another tool available that a lot of people will never use, but truly enjoyed by the folks that do use it.
Would that lost revenue be more than the amount from people simply going back to using cash instead of dealing with EMV at all? (I've heard scattered reports of the latter happening but I'd like to think that's not all that frequent.)
No mention from them of people stopping to use cards entirely just because of EMV. lol
I wonder if it'll become more common as more stores start to accept it. Some places aren't much slower than swiping but still.
Ever heard about redundancy?
If one day your iPhone fails or gets stolen orvwhatever - you will be lost... Diversification of risk in place of concentrating the risk is a basic security principle... Same for master- passwords...
And to save about 18 grams by not even having cards on you is absolutely not worth it - just my 2 ct...
In your world (no eWallet), you have no diversification. Your physical cards are your only means of accessing your accounts, which makes them single-points-of-failure. If you lose your wallet (or an individual card), or something's stolen, "you will be lost". You have to report your cards stolen (or broken), which causes your issuers to cancel them, and you're dead in the water for the period of time that it takes all of your issuers to ship you replacement cards.
With an eWallet like Apple Pay, your digital cards are a second means of accessing your accounts. To me, that's diversification. So if your phone breaks or is lost/stolen, in the time it takes you to resolve that, you simply go back to using the physical cards that you had stored safely at home. Driving home and getting your physical card is inconvenient, but I wouldn't qualify that as "you will be lost" (as I would when a physical card breaks or is lost). Since the PAN of the digital cards are different from your physical cards, the digital cards can be cancelled without any effect to your physical cards. Once your phone situation is resolved, you can immediately reenroll your physical cards (and again store them away safely at home) and start using the digital ones. There is no wait for your card issuer to physically ship you anything, because they don't have to.
And FWIW, my OP to you was referring to Apple Wallet Passes, not Apple Pay. If my iPhone craps out and I'm unable to produce my Wegman's frequent shopper card, or AAA card if I need road side assistance, etc, etc, etc, there are easy ways to get around them without even having to drive home and get the redundant physical card. Having the Apple Wallet Pass just makes those processes faster.