We live in a time when everyone should expect to get hacked at some point, I get that. Knowing that however companies should be taking steps to mitigate damages when they are hacked. There should be monitoring and segmenting to identify attacks and prevent them from quickly spreading. Target taking over two weeks to know they had been penetrated and having the infection spread throughout their entire US network is unacceptable. I'd expect they've learned from that very expensive lesson but I'm still inclined to use systems with one time tokens and data stored uniquely on my own device. That's the epitome of segmentation and means I don't have to care whether any retailer has been hacked provided - unlike Target and Walmart - I was able to use a truly secure payment mechanism.
I think you are getting confused between card information vs transaction information. I bet Target's card swipe terminal is secure enough as Target doesn't own it. It's owned by NCR or some other company who must be implementing encryption. Apple Pay is just another variant of that.

Target hack exposed all the Target-issued RED Card information... not other card information... unless people stored their card information using Target online web site.
 
Honestly, if Target turned on NFC that would be great - their readers support it (similar Verifone units to everyone else). Many people that shop there regularly also use Cartwheel, so you'd still have the customer-data-building aspect, and if you tied Cartwheel into an NFC pass, you'd have a slick system (like Walgreens and Kohl's and Coca-Cola's vending machines)...I still have the old barcode pass in Wallet from when the app allowed that.

Since Target doesn't seem interested in that, how about a compromise?

In their app, they have the ability to scan items and the ability to use Apple Pay, Android Pay (not sure about the Android version), stored payment card, etc. - why not do a self-check-out with that if people are willing to? If security is a concern, there could be a designated station/area for that just like the self-checkout sections that they added to most locations. Other than security, you're cutting down on equipment to maintain/operate and you'd have a system similar to what's used in Apple Stores and Sam's Club (no Apple Pay there). I think the big hurdle would be figuring out loss prevention, but at this point, I'd take in-app Apple Pay over nothing.

Oh well - just spitballin' - at this point, I'll probably just keep using my Discover card in their stores for this quarter (5% back there and Amazon), complain and grumble about no Apple Pay, and then use previously-purchased gift cards here and there next year. It's annoying, and I think what frustrates most of us is that it's probably not so much a technical hurdle as a policy hurdle.
 
We live in a time when everyone should expect to get hacked at some point, I get that. Knowing that however companies should be taking steps to mitigate damages when they are hacked. There should be monitoring and segmenting to identify attacks and prevent them from quickly spreading.

It was a clever hack from an unexpected vector:

http://people.carleton.edu/~carrolla/story.html

POS terminals themselves were what was collecting the information.

---

Reminds me of back when someone (probably Russian) intercepted chip terminals on the way from their factory to the UK and EU. They added extra circuitry to copy the account and PIN and send it at night via WiFi.

Banks of course did not believe customers later on when they said they had never lost their PINs. This is actually a good reason NOT to use PINs, because man if they get compromised, the customer is automatically assumed to be at fault.

It took years before the hacked terminals were finally discovered. And even more years to refund some/most of the customers.

Btw, the only easy way to figure out which POS terminals were compromised, was to weigh them. The bad terminals weighed just a tiny bit more.
 
IMO, every major US retailer learned from Target's hack.

It forced most of them to implement end-to-end encryption. E2EE doesn't stop hacks, it just makes the data stolen from hacks pretty much useless.

With E2EE, the Verifone/Ingenico/whatever PIN pad you insert/swipe your card with immediately encrypts your card data (with an encryption key unique to that PIN pad). The retailer doesn't have access to the decrypt keys -- the company they partner with to authorize their payments (or host their payment gateway) does.

The POS/cash register only gets visibility to your partial card number... usually the first six (to figure out what type of card it is), and the last four (for your receipt, and the POS journal). It simply forwards your encrypted card data along for processing at the partner company.

So now hackers can steal/sniff all of the card data they want from most major retailers (something that's virtually impossible to prevent from happening again), but if it's in an environment that uses E2EE, the data is going to be encrypted and useless to them (unless they've also successfully hacked the separate company that holds the decrypt keys).

I like end to end encryption but I also like one time tokens. If the POS gets hacked (which happened in the Target case but that POS did not support end to end encryption) it would still be possible to intercept prior to the encryption (depending upon how much of the hardware the hack was able to compromise). One time token means even if they compromise the terminal they still have nothing of value.

I think you are getting confused between card information vs transaction information. I bet Target's card swipe terminal is secure enough as Target doesn't own it. It's owned by NCR or some other company who must be implementing encryption. Apple Pay is just another variant of that.

Target hack exposed all the Target-issued RED Card information... not other card information... unless people stored their card information using Target online web site.

No, in this case they actually got card data. The POS system they used at the time did not encrypt at source (PINs on the other hand were encrypted at rest) and the terminals themselves were compromised. They were completely owned. I believe they've since implemented terminals that support end to end encryption.

It was a clever hack from an unexpected vector:

http://people.carleton.edu/~carrolla/story.html

POS terminals themselves were what was collecting the information.

---

Reminds me of back when someone (probably Russian) intercepted chip terminals on the way from their factory to the UK and EU. They added extra circuitry to copy the account and PIN and send it at night via WiFi.

Banks of course did not believe customers later on when they said they had never lost their PINs. This is actually a good reason NOT to use PINs, because man if they get compromised, the customer is automatically assumed to be at fault.

It took years before the hacked terminals were finally discovered. And even more years to refund some/most of the customers.

Btw, the only easy way to figure out which POS terminals were compromised, was to weigh them. The bad terminals weighed just a tiny bit more.

Right. I didn't read your link but I remember the findings at the time were that someone used some pretty basic malware that completely exploited their POS system (as in every terminal across the US) and kept it there for over two weeks reading every card transaction that came through.

That's a great anecdote about weighing terminals :) I sometimes tend towards the tinfoil hat arena and one of the reasons I'm VERY picky about whose cables and USB devices I'll use is the potential for hardware hacks from unscrupulous vendors. Completely irrational but it's my quirk.
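A check a defender could run over POS journals or logs to confirm the property described in the E2EE post above, namely that the register only ever holds the first six and last four digits. This is an added example, not something posted in the thread; the log format, field names and sample lines are constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO/IEC 7813 Track 2 layout: start sentinel, PAN, '=', expiry + service code.
TRACK2_RE = re.compile(r";\d{13,19}=\d{7,}")
# The only card-number form the POS should hold: first six, mask, last four.
MASKED_RE = re.compile(r"(?<!\d)\d{6}[*Xx]{3,9}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list[str]:
    """Return findings for one POS journal or log line."""
    findings = []
    if TRACK2_RE.search(line):
        findings.append("track2")
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append("cleartext_pan")
    if not findings and MASKED_RE.search(line):
        findings.append("masked_ok")
    return findings


# Constructed sample lines; 4111111111111111 is a widely used test number.
SAMPLE = [
    "txn=1001 card=411111******1111 enc_blob=9f3a77c1e0 amt=23.18",
    "txn=1002 card=4111111111111111 amt=5.00",
    "txn=1003 raw=;4111111111111111=25121010000000000000? amt=12.40",
    "txn=1004 order=1234567890123456 amt=7.75",
]


def scan(lines):
    """Map line index -> findings, skipping lines with nothing card-like."""
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line))}


if __name__ == "__main__":
    for idx, found in scan(SAMPLE).items():
        print(idx, found)
```

Any `cleartext_pan` or `track2` finding on the register side means card data is reaching the POS unencrypted, which is the condition the Target terminals were in.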
 
Maybe because Apple selfishly blocks NFC usage for anyone other than themselves?
Apple limiting NFC on its own devices has nothing to do with my comment. Target is not supporting NFC on any devices, Apple or otherwise.
excuse my ignorance...but, I was wondering about exactly what you posted.

Is there some layer of Apple encryption on top of the transaction that would give additional protection to someone who has linked their debit cards to apple cash/pay and uses it in store?
Apple Pay Cash is a debit card, and thus has the same lack of protection as any other debit card. Most credit cards have consumer protection in place that allow you to get your money back if you’re unhappy with a purchase and the retailer refuses to cooperate. Some even have extended warranties built in to every purchase you make with the card, or insurance against loss and damage for some items.

Whether you use the credit card through Apple Pay or not - you get the same protections.
 
Probably not to the people who are already using Cartwheel. It is pretty much the same steps they were already using. This is targeting Cartwheel and Redcard users. Target doesn't care about the rest of their customers.
I guess they are going for retention rather than growth?
 
Second highest usage rate behind Apple Pay. 5.5% usage rate vs 5.1% usage rate.
https://www.pymnts.com/mobile-wallet-adoption-2017/
Thanks for referencing that site, I guess I was expecting it to have as wide of an adoption. On a personal note, I probably use Apple Pay for more than 50% (low estimate) of my purchases in physical stores.

Having said that I added the Target App and my Red Card to the Target wallet. It doesn't support the Apple Wallet, I have to open the App every time to make a payment, should be faster than Chip and Pin checkout.

On another note, Costco is another hold out for not implementing Apple Pay. It's probably the only other place than Target that I shop frequently at that doesn't have Apple Pay.
 
excuse my ignorance...but, I was wondering about exactly what you posted.

Is there some layer of Apple encryption on top of the transaction that would give additional protection to someone who has linked their debit cards to apple cash/pay and uses it in store?

There is no layer of protection from fraud from actual card use which is what Target Pay is about. This isn't really about Apple's encryption layer, but the policies of the banks and what a credit and debit card are.

You're best off to call your bank and make them specifically disable the "credit" portion of your debit card, as it gives no benefits (other than non-debit transactions) and only security holes that most regular credit cards guarantee you (fraud protection).
 
Ha, that's quite a stretch to include applying for the REDcard and adding it to the Target app as 3/4 of the steps required.
Applying for a credit card, which hits your credit score, is quite a barrier.

And opening the app and clicking wallet button, then aligning the barcode is far more involved than simply double-clicking on the home/power button to invoke wallet button.
 
If you have a Netflix app, a Hulu app, an Amazon video app and an HBO app on your phone then you are doing it already.

That's a bit different. That's like choosing the channel I want to watch. I'm talking about having to do something different at each store. The process should be universally the same no matter what kind of phone you have.

Otherwise, I might as well just use my card because every store has the same swipe or insert feature and it's the same thing everywhere I go.

If a store doesn't have Apple Pay, I just use my card. That's how I'm handling it.
 
Target, like Walmart, is one of the few remaining major companies that have opted not to adopt Apple Pay, Apple's mobile payments service.

Statements like that make it sound like they're specifically excluding Apple Pay.

They're not targeting Apple. They're excluding all NFC payment methods.

Is there some layer of Apple encryption on top of the transaction that would give additional protection to someone who has linked their debit cards to apple cash/pay and uses it in store?

There is no special Apple layer. Apple Pay is just their name for a standard contactless payment protocol.

The additional protection you do get is what all the smartphone based contactless payments use, which is to replace the real account number with a number that cannot be used to make a clone magnetic card, and cannot be used online.
 
It asks for your PIN to add your card to the app; after that you just open the app and scan the barcode. That is totally unprotected.

Funny... I used it today and the Target app required FaceID specifically for access to the scannable barcode. It doesn’t just stay in there. You have to approve it when using it.
 
Applying for a credit card, which hits your credit score, is quite a barrier.

Store cards generally have incredibly low thresholds for credit approval, and it's been repeatedly pointed out that Target offers both credit and debit versions of the REDcard. Anyone that can't get approved for a bank account to link a debit card to probably shouldn't even be part of this conversation.

And opening the app and clicking wallet button, then aligning the barcode is far more involved than simply double-clicking on the home/power button to invoke wallet button.

Good lord, 'aligning the barcode' is such a laborious activity that it's even worth mentioning? Like I said, some of you guys are getting super dramatic about this.
 
I don't mind them having their own app. The problem I have with the "Target" app is that I can't use my Visa debit card. I HAVE to use a TARGET card.

As I have to use Target because of my medical insurance at the CVS pharmacy
 
I don't mind them having their own app. The problem I have with the "Target" app is that I can't use my Visa debit card. I HAVE to use a TARGET card.

As I have to use Target because of my medical insurance at the CVS pharmacy

Get the card. It is free. Once you have it in the app, you never need to pull it out.

And you get 5% off with the RED card.
 
I don't mind them having their own app. The problem I have with the "Target" app is that I can't use my Visa debit card. I HAVE to use a TARGET card.
To add to what @PaulRustad007 is saying, ... if you take a voided check in from the account that your VISA debit works with, Target can get you a debit REDcard that works off of the same account.
 
Honestly, it might be easy to get a debit REDcard or use Target's app, and I can appreciate that. On the other hand, Target has proven time and time again that they have some rather shoddy IT systems (obviously the big breach a few years ago, and as of this December, the recent rampant gift card fraud), so I can understand people not wanting to give Target direct access to their checking account. It may be completely safe, but little "oops" moments here and there haven't given people confidence.
 



Target today launched its own payments platform, allowing customers to pay for purchases in Target stores using a new Wallet feature in the dedicated Target app available on iOS and Android devices.

Target's Wallet feature lets customers pay with their Target REDCard and get Cartwheel discounts and benefits all in one phone scan during checkout.

To use the feature, Target customers need to add a Target REDCard to the Wallet in the Target app. REDCard is Target's store-branded credit card, which offers customers discounts on purchases.

When checking out in a retail store, Target customers will need to open up the Target app, tap on Wallet, scan coupon barcodes and then scan the wallet barcode to make a purchase.

Target's payments service is a barcode-based system, similar to Walmart's dedicated Walmart Pay option, which uses QR codes. While Walmart Pay supports any major credit, debit, pre-paid or Walmart gift card, Target's Wallet appears to be limited to its own REDCards. Target claims that its new Wallet feature is up to four times faster than other payment types when checking out.

Target, like Walmart, is one of the few remaining major companies that have opted not to adopt Apple Pay, Apple's mobile payments service.

As a result, Apple Pay is not available in Target's retail stores, but Target does offer Apple Pay as a payment option in the Target app when making online purchases.

Target is a founding member of the Merchant Customer Exchange (MCX), a now defunct consortium of retailers that planned to launch a payment platform called CurrentC to compete with Apple Pay. CurrentC has been delayed indefinitely, and many MCX members like Best Buy and Rite-Aid have begun accepting Apple Pay.

Earlier this year, Target said it had "no plans" to add in-store support for Apple Pay.

Article Link: Apple Pay Holdout Target Launches New In-App Mobile Payments System

UGH! Yet another card in my wallet. I will never use this red card. I love Target but come on!
 