I'm not sure there is nothing of value. In theory, the value of EMV card data should be almost useless (except for the rare CNP merchant that only wants PAN/expiration date - and they're subject to liability since they didn't request CVV2/CSC2).

In reality? If the issuing bank doesn't check things like the cryptogram, ATC, etc., then a fake EMV transaction can be created (even from a magstripe card!) and approved. This, of course, requires control of a terminal, but that's not that hard to get.

See: http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/

Note, this is NOT an EMV weakness. This is a "banks not actually verifying the transaction data before approving it" - these fraudulent transactions would have failed basic security checks.

I'm talking Apple Pay. With Apple Pay only the DAN and a one-time-use cryptogram are transmitted via the merchant's system. Thus, nothing of intrinsic value is there for a memory scraper to get.
 
I'm talking Apple Pay. With Apple Pay only the DAN and a one-time-use cryptogram are transmitted via the merchant's system. Thus, nothing of intrinsic value is there for a memory scraper to get.

And my point was we don't know that. That bank wasn't verifying cryptograms. We don't know that the Apple Pay data can't be reused. Only that it shouldn't be able to be. Just like any EMV transaction data.
 
And my point was we don't know that. That bank wasn't verifying cryptograms. We don't know that the Apple Pay data can't be reused. Only that it shouldn't be able to be. Just like any EMV transaction data.

That's an issue with the bank, not with Apple Pay, technically.

Every system designed to protect data is vulnerable if not implemented properly.

However, if your bank has implemented it properly, then your DAN could be published in the NY Times and still be secure. Any use of it with an improper cryptogram would be rejected.

If the bank has NOT implemented it properly - as in the article - it's still going to impact only customers of that bank, not all EMV/Apple Pay customers "exposed" in a breach.
 
And my point was we don't know that. That bank wasn't verifying cryptograms. We don't know that the Apple Pay data can't be reused. Only that it shouldn't be able to be. Just like any EMV transaction data.

It definitely can't be used or re-used. That's why Visa, MC and AMEX are all behind it (due to savings in fraud). You can post your DAN on a billboard or on this forum. Ain't nothing anyone can do with that except the issuing bank. And if someone gets into the issuing bank, that's a different story.

The fact is, hackers go for low hanging fruit. Malware scrapers got full track 1 and track 2 data when decrypted in memory. That doesn't happen with Apple Pay (there is NO credit card data transmitted). So your fears of hacking (where it accomplishes anything) are not justified.
 
It definitely can't be used or re-used. That's why Visa, MC and AMEX are all behind it (due to savings in fraud). You can post your DAN on a billboard or on this forum. Ain't nothing anyone can do with that except the issuing bank. And if someone gets into the issuing bank, that's a different story.

The fact is, hackers go for low hanging fruit. Malware scrapers got full track 1 and track 2 data when decrypted in memory. That doesn't happen with Apple Pay (there is NO credit card data transmitted). So your fears of hacking (where it accomplishes anything) are not justified.

I'm not afraid, but don't say definitely can't be reused. They say that of the cryptograms for EMV as well, but look at what I linked.

It's not SUPPOSED to be reusable (unlike magnetic stripe track data), but would a bank authorise the same data again? That's not an Apple decision, or a Visa/MC network decision. All they can do is tell your bank "hey this data isn't right" - but authorisation is ultimately up to the bank. If it isn't implemented properly, it is possible a replay attack could allow fraudulent transactions.

If you'd asked me a week ago I'd have said "NO bank is stupid enough to authorise a very obviously fraudulent transaction based on replayed EMV data with injected PAN and expiration date info" - but then it happened. Lots of them.
 
I'm not afraid, but don't say definitely can't be reused. They say that of the cryptograms for EMV as well, but look at what I linked.

It's not SUPPOSED to be reusable (unlike magnetic stripe track data), but would a bank authorise the same data again? That's not an Apple decision, or a Visa/MC network decision. All they can do is tell your bank "hey this data isn't right" - but authorisation is ultimately up to the bank. If it isn't implemented properly, it is possible a replay attack could allow fraudulent transactions.

If you'd asked me a week ago I'd have said "NO bank is stupid enough to authorise a very obviously fraudulent transaction based on replayed EMV data with injected PAN and expiration date info" - but then it happened. Lots of them.

There's a big difference between a mass data breach involving millions of credit card #s and a potential one-off instance where a bank was somehow fooled into re-using a cryptogram with a DAN (although not from the device that generated the cryptogram). The cryptogram in Apple Pay is meant to ensure the transaction came from that device too.
 
There's a big difference between a mass data breach involving millions of credit card #s and a potential one-off instance where a bank was somehow fooled into re-using a cryptogram with a DAN (although not from the device that generated the cryptogram). The cryptogram in Apple Pay is meant to ensure the transaction came from that device too.

Which is no different from the data generated by an EMV card. Again, in this attack, cryptograms from completely different cards were used. It was the exact same protection as Apple Pay, and the transactions should have never been authorised. They were clearly fraudulent and made no sense.

To give you an example, it's the same as if someone took the DAN and expiration date from an Apple Pay user (easy to get) and injected them into a transaction from a completely different card. This should obviously NEVER get approved, I'm not arguing it should. But it did with these cards from Home Depot - not once, but on massive numbers of transactions.

All the security of Apple Pay is great, if it is actually implemented properly by the partner banks. Which it probably is, and I'm sure Apple is auditing their partners on this as well. However, it's wrong to say such an attack is impossible. Better is to say it's impossible IF the transaction data gets properly verified at authorisation time.
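An added example, not from the thread or from any bank's or Apple's systems: a toy issuer-side authorization routine showing the two checks these last few posts (the Home Depot replay, and "impossible IF the transaction data gets properly verified") say a bank must perform before approving. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, the card keys, PANs, amounts and unpredictable numbers are constructed, and issuer state lives in a dict rather than an HSM.

```python
import hashlib
import hmac

# Per-card keys (constructed for this example). A real issuer derives each card's
# key from a master key inside an HSM; a dict is enough to show the checks.
CARD_KEYS = {
    "4000000000000001": b"example-key-card-1",
    "4000000000000002": b"example-key-card-2",
}

def new_issuer_state():
    """Issuer record per PAN: the last Application Transaction Counter accepted."""
    return {pan: {"last_atc": 0} for pan in CARD_KEYS}

def tx_bytes(pan, amount_cents, atc, unpredictable_number):
    """Canonical transaction data the cryptogram binds together."""
    return f"{pan}|{amount_cents}|{atc}|{unpredictable_number}".encode()

def card_sign(pan, amount_cents, atc, unpredictable_number):
    """What the chip or device does: MAC the transaction data with its own key.
    HMAC-SHA256 stands in here for the EMV cryptogram algorithm."""
    data = tx_bytes(pan, amount_cents, atc, unpredictable_number)
    return hmac.new(CARD_KEYS[pan], data, hashlib.sha256).hexdigest()

def authorize(state, pan, amount_cents, atc, unpredictable_number, cryptogram, strict=True):
    """Issuer decision as (approved, reason). strict=True does the checks the
    thread says a bank must do; strict=False models an issuer that approves on
    PAN and expiry alone, as the linked article describes."""
    if pan not in CARD_KEYS:
        return False, "unknown PAN"
    if strict:
        # Check 1: the cryptogram must verify over the exact data being authorized,
        # so a cryptogram lifted from another card or another amount fails here.
        data = tx_bytes(pan, amount_cents, atc, unpredictable_number)
        expected = hmac.new(CARD_KEYS[pan], data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return False, "cryptogram does not verify"
        # Check 2: the ATC must move forward; a repeated counter is a replay.
        if atc <= state[pan]["last_atc"]:
            return False, "ATC not increasing (replay)"
    state[pan]["last_atc"] = max(state[pan]["last_atc"], atc)
    return True, "approved"

def demo():
    """The scenarios from the discussion, run against a fresh issuer state."""
    state = new_issuer_state()
    pan1, pan2 = "4000000000000001", "4000000000000002"
    good = card_sign(pan1, 2500, 1, "7f3a9c10")
    first = authorize(state, pan1, 2500, 1, "7f3a9c10", good)
    replay = authorize(state, pan1, 2500, 1, "7f3a9c10", good)
    # A cryptogram generated by card 2, submitted with card 1's PAN injected.
    other = card_sign(pan2, 1200, 7, "0c9e55d2")
    injected = authorize(state, pan1, 1200, 7, "0c9e55d2", other)
    lax = authorize(new_issuer_state(), pan1, 1200, 7, "0c9e55d2", other, strict=False)
    return {"first": first, "replay": replay, "injected": injected, "lax_issuer": lax}
```

Only the lax issuer approves the injected transaction; the same data is rejected by the strict one on the cryptogram check before the ATC is even consulted.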
 
That's fine. I'll take my business elsewhere. CVS/RiteAid/WalMart/Etc.

Walmart, CVS, Rite-Aid, Best Buy, Lowe's, Old Navy, Target, 7 Eleven, & Dunkin Donuts make up a pretty significant chunk of where many people shop every day. That's a pretty significant hole to be missing....
 
With QR codes, I can see people standing in line, and taking snap-shots with their "other" smartphones or another iPhone.

So ya, security risk...

But just like anything, while this is possible, how many people have u actually seen do this, and how likely will people do this unless they had an intent to go after u explicitly?
 
Walmart, CVS, Rite-Aid, Best Buy, Lowe's, Old Navy, Target, 7 Eleven, & Dunkin Donuts make up a pretty significant chunk of where many people shop every day. That's a pretty significant hole to be missing....

But most can be replaced - if only until these merchants see the light - assuming they do.

Remember, they need us more than we need them. If Amazon alone decides to accept in-app Apple Pay then you could pretty much eliminate Walmart (unless you need something at 4am urgently or like to take snaps for peopleofwalmart.com - to each their own).

As for me, I can replace 7-11 and Dunkin Donuts (for donuts anyway) with Hess (mine sells DD). Walgreens replaced CVS. Home Depot replaces Lowe's, Chevron or Hess replaces Exxon, McDonald's replaces Wendy's, etc.

The only conundrum I have at the moment is groceries. Walmart, Target, and Publix are MCX members. The only hope for me is Winn-Dixie, who isn't an MCX member, but who doesn't appear to have NFC anywhere just yet. There is a Whole Foods some distance away, but in reality I will likely have to just swipe at Publix for the moment. I could just get Target Gift Cards via their app and Apple Pay and use them at Target, but they aren't really my choice for grocery shopping. Now if Winn-Dixie started accepting NFC, I'd be switched to them faster than I could type about it.
 
Are we sure that all of the stores are getting rid of their NFC? Because I went to Target last week and they had just put in new scanners for NFC, so it doesn't make much sense to get rid of them now. Maybe some of the stores will have an option for both. I am not sure why companies just can't have both options to make the customers happy.
 
Best Buy is a puzzling one considering Apple was the first to set up micro stores within Best Buys and the fact that large portions of revenue for those stores comes from Apple products.

A technology retailer that's way behind in terms of technology and customer service....go figure.

Best Buy has always been behind. When I worked at the Apple Store, I sent customers to Best Buy to buy things we stopped carrying at the Apple Store, like blank CD-ROMs or legacy operating systems. Last year they still had Windows 95! They also (this was last year) continue to require that customers keep paper receipts for returns if you decline to hand over your email. (Let's look it up by payment method. The last 4 of a card is enough to pull up a transaction.)
 
...Refusing to embrace technology is a death knell, point blank period. Just look at Blackberry, Blockbuster... Best Buy struggling to stay relevant.

But even when you embrace technology, it's no guarantee that you'll beat your competition. Kodak invented digital photography. Barnes & Noble didn't invent Kindle, but they did come up with the Nook, had a discount card that was ACTUALLY a discount card, and for these reasons they outlasted Borders.

But now Kodak is gone and Barnes & Noble is in big trouble.

And it's no surprise why. I'm only one, but even my own habits have changed over time. I never bought Kodak cameras after I grew out of my instamatic as a 13 year-old kid, and more recently I've stopped buying magazines and books in paper form. I have a Nook, but now magazine publishers all have their own apps for iOS. I hate subscriptions, but a magazine sub via my iPad costs about 3% of what the paper magazines would cost if I bought every month's edition in the store. My iPad has actually paid for itself in the savings I've realized just on magazines!

And these wonderful adopters of technology will probably still fade away unless they can find a way to reinvent themselves, and quickly too.
 
Umm, you know Apple didn't make this. You could do this with Android devices for the past 3 years via Google Wallet and NFC-enabled devices as far back as the Galaxy Nexus... Apple didn't invent NFC payments.

No, Apple didn't invent it, but Google Wallet in the US does not use payment tokenization. It is far less secure than Apple Pay is. Apple Pay modeled its payment security on EMV 2 contactless payments, the only accepted contactless option in most other countries with large consumer markets. The payment is authenticated locally, does pass payment information over the internet, therefore never compromising customer info.
 
Best Buy has always been behind. When I worked at the Apple Store, I sent customers to Best Buy to buy things we stopped carrying at the Apple Store, like blank CD-ROMs or legacy operating systems. Last year they still had Windows 95! They also (this was last year) continue to require that customers keep paper receipts for returns if you decline to hand over your email. (Let's look it up by payment method. The last 4 of a card is enough to pull up a transaction.)

I worked at Best Buy about 3 years ago....most of this isn't true (at least for my store).

Heck I tried to buy Windows 7 last year at my local BBY and all they carried was Win8.

I agree BBY is behind in a lot of respects, but not this behind.
 
No, Apple didn't invent it, but Google Wallet in the US does not use payment tokenization. It is far less secure than Apple Pay is. Apple Pay modeled its payment security on EMV 2 contactless payments, the only accepted contactless option in most other countries with large consumer markets. The payment is authenticated locally, does pass payment information over the internet, therefore never compromising customer info.

Google does use a form of tokenization, but calls it a "virtual prepaid card".

Your actual credit card number is not stored. Only the virtual prepaid card is stored and Android's native access policies prevent malicious applications from obtaining the data. In the unlikely event that the data is compromised, Wallet also uses dynamically rotating credentials that change with each transaction and are usable for a single payment only. Finally, all transactions are monitored in real-time with Google’s risk and fraud detection systems.
 
The program is paid for by the USF, which is funded by taxes. And the particular program we're talking about (the "Obamaphone" program) was created by the Bush administration and took effect in 2008, not under the Reagan administration.

The origins of the current program were seen under Reagan.

In any case, what we are talking about here is ignorant people using the term Obama Phone, when Obama had nothing whatsoever to do with the program.

The video that went viral of the crazy African American woman ranting about her Obama phone, was nothing other than a crazy person ranting, and had nothing to do with the facts of how subsidized phones are distributed among the poor.

I therefore take offense at the ignorant use of the term 'Obama Phone' as part of the unfounded narrative that Obama is unnecessarily benevolent to the poor.
 
But most can be replaced - if only until these merchants see the light - assuming they do.

Remember, they need us more than we need them. If Amazon alone decides to accept in-app Apple Pay then you could pretty much eliminate Walmart (unless you need something at 4am urgently or like to take snaps for peopleofwalmart.com - to each their own).

As for me, I can replace 7-11 and Dunkin Donuts (for donuts anyway) with Hess (mine sells DD). Walgreens replaced CVS. Home Depot replaces Lowe's, Chevron or Hess replaces Exxon, McDonald's replaces Wendy's, etc.

The only conundrum I have at the moment is groceries. Walmart, Target, and Publix are MCX members. The only hope for me is Winn-Dixie, who isn't an MCX member, but who doesn't appear to have NFC anywhere just yet. There is a Whole Foods some distance away, but in reality I will likely have to just swipe at Publix for the moment. I could just get Target Gift Cards via their app and Apple Pay and use them at Target, but they aren't really my choice for grocery shopping. Now if Winn-Dixie started accepting NFC, I'd be switched to them faster than I could type about it.

Wait a minute. Meijer is an MCX member that accepts Apple Pay. And didn't the MCX execs just go on record saying that there's no exclusivity for their member companies?
 
No, that is not tokenisation... it's an actual prepaid card issued by Bancorp Bank, but stored on your phone.

:eek:

OK, I guess I stand corrected. That's.. Perhaps.. Not so good.

----------

Wait a minute. Meijer is an MCX member that accepts Apple Pay. And didn't the MCX execs just go on record saying that there's no exclusivity for their member companies?

Well, there's a lot of doublespeak going on.

NY Times says that sources in MCX member companies said that there is an exclusivity clause regarding competitive mobile payments.

CVS said they "CAN'T" accept Apple Pay. Makes sense if they are bound by an exclusivity clause, since obviously they actually PROCESS the transactions.

Now MCX says that there is NO such exclusivity clause; that MCX members can accept whatever payment method they choose.

So which is it? The only way this makes sense is if MCX did an about-face and unbound their members from the exclusivity clause this week.

<shrug>
 
But most can be replaced - if only until these merchants see the light - assuming they do.

Remember, they need us more than we need them. If Amazon alone decides to accept in-app Apple Pay then you could pretty much eliminate Walmart (unless you need something at 4am urgently or like to take snaps for peopleofwalmart.com - to each their own).

As for me, I can replace 7-11 and Dunkin Donuts (for donuts anyway) with Hess (mine sells DD). Walgreens replaced CVS. Home Depot replaces Lowe's, Chevron or Hess replaces Exxon, McDonald's replaces Wendy's, etc.

The only conundrum I have at the moment is groceries. Walmart, Target, and Publix are MCX members. The only hope for me is Winn-Dixie, who isn't an MCX member, but who doesn't appear to have NFC anywhere just yet. There is a Whole Foods some distance away, but in reality I will likely have to just swipe at Publix for the moment. I could just get Target Gift Cards via their app and Apple Pay and use them at Target, but they aren't really my choice for grocery shopping. Now if Winn-Dixie started accepting NFC, I'd be switched to them faster than I could type about it.

You also need to remember, the only folks who will be taking their business elsewhere (at this time) are some percentage of iPhone 6/6 Plus users, so I don't know how much impact that will have.

Personally, even if I had a 6, I can't imagine I would let it drive changing my patterns for the sake of some businesses not accepting Apple Pay.... but that's just my opinion. I guess I won't find out because Apple didn't include any legacy hardware in the Apple Pay rollout.
 
You also need to remember, the only folks who will be taking their business elsewhere (at this time) are some percentage of iPhone 6/6 Plus users, so I don't know how much impact that will have.

Personally, even if I had a 6, I can't imagine I would let it drive changing my patterns for the sake of some businesses not accepting Apple Pay.... but that's just my opinion. I guess I won't find out because Apple didn't include any legacy hardware in the Apple Pay rollout.

That's fair. I work in information security, and given what I know about the breaches that have occurred, I now *really* dislike swiping my card anywhere - I think of it as Russian Roulette ("Will THIS be the merchant that sends me the next notification letter? Is my card number being observed.... NOW?").

Therefore, I am all about using Apple Pay as much as possible, and yes, within practical constraints, will shift purchases to those merchants who support it. Some are more easily replaced than others. In many cases (sit-down restaurants, for example) I don't have much of a choice. However, I expect that I will within a year or two.

It's funny how some people have the mindset that the merchants who support Apple Pay today are all there will ever be...
 
You also need to remember, the only folks who will be taking their business elsewhere (at this time) are some percentage of iPhone 6/6 Plus users, so I don't know how much impact that will have.

Personally, even if I had a 6, I can't imagine I would let it drive changing my patterns for the sake of some businesses not accepting Apple Pay.... but that's just my opinion. I guess I won't find out because Apple didn't include any legacy hardware in the Apple Pay rollout.

You expect them to install NFC hardware with a software update?
 