Exactly my point. Wasn't Apple just in an iCloud hacking scandal?

As I understand it, there'll be nothing to 'hack'. Apple Pay doesn't store anything with Apple. There's a secure key held by your device (not by Apple), which is used to cryptographically generate one-time-only tokens for each purchase. It is this token which is sent to the NFC reader and to your bank.

So, for someone to clone your Apple Pay 'card', they would need to:

a) Hack your bank to obtain their half of your key. Bear in mind all storage on iPhones is encrypted by default.
b) Hack your device to obtain your half of the key
c) Know the algorithm used to generate tokens from your key
 
Exactly my point. Wasn't Apple just in an iCloud hacking scandal?

No. Some idiot celebrities used passwords like "password" and "123456" and low-tech "hackers" walked through the front door.

It's not a hack. It's idiots that don't have even slightly strong passwords.
 
Banks get hacked every single day, companies get hacked every single day, your government was hacked and had secrets spread all over the world.

I don't understand your point of view at all. You say everybody gets hacked, but you also extol the security of a certain PCI product. Since everybody gets hacked, it's okay if CurrentC gets hacked as long as it's a front-end system?
 
As I understand it, there'll be nothing to 'hack'. Apple Pay doesn't store anything with Apple. There's a secure key held by your device (not by Apple), which is used to cryptographically generate one-time-only tokens for each purchase. It is this token which is sent to the NFC reader and to your bank.

So, for someone to clone your Apple Pay 'card', they would need to:

a) Hack your bank to obtain their half of your key. Bear in mind all storage on iPhones is encrypted by default.
b) Hack your device to obtain your half of the key
c) Know the algorithm used to generate tokens from your key

Please stop responding without reading context.

My point was people get hacked; it has no bearing on their payment tech.
 
I don't understand your point of view at all. You say everybody gets hacked, but you also extol the security of a certain PCI product. Since everybody gets hacked, it's okay if CurrentC gets hacked as long as it's a front-end system?

Nope, what I am saying is their front end systems have nothing to do with their back end, mostly third party managed, payment systems.

Most banks use middleware only to talk to the systems.
 
Exactly. I am an Apple enthusiast. Own nothing but Apple products and worked for the giant fruit company for 7 years.

That does not mean I have blind allegiance.

I've already pointed out "blind allegiance" has nothing to do with it.

You seem to have ignored my last few posts, which I assume means you have no rebuttal.
 
Read more posts. Don't just reply to what you read, check the context.

Okay, let me add some context.

Case 1: Party A hacks Party B's systems and gets info on Party C. Party A then uses said info to gain access to Party D's systems because Party C used the same authentication info in both places. Has Party D's system been hacked? No. Breached? In a sense, yes, but also in a sense no. Apple is Party D.

Case 2: Party A hacks Party B's systems and gets info on Party C. Has Party B's system been hacked? Yes. MCX is Party B.

So, let me repeat, why did you bring this up and why are you comparing these cases?
 
This is awesome! Just the beginning of the problems we are going to see regarding issues with storing personal customer payment data and information in the cloud for mobile payments. It's part of the reason that Apple Pay is going to succeed: security.
 
Here's the thing... people argue about whether one is more secure than the other...

CurrentC needs to maintain a database of checking account numbers (with associated routing numbers). That database needs to be accessed by the payment processing systems. It contains numbers that can be used within the ACH system to extract money. That database is a GIGANTIC target. No pun intended.

ApplePay uses Device Account Numbers that are present in a database at Visa. Those numbers aren't useful outside of the Visa environs, and you cannot present one to Visa and have them do anything useful with it, because they will insist on a challenge authenticated with a private key only present within the secure element of the owner's phone. So a collection of device account numbers is worthless - there is no "wholesale" attack - only a possible "retail" attack based on stealing people's phones and using them before they're deactivated. Visa's database is a target, but it's been one for decades now and they're well practiced at keeping it secure - certainly more so than the retailers.
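
Added example (not part of any post in this thread, and not Apple's or Visa's actual protocol): a minimal Go model of the challenge-response described above, showing why knowing a device account number, or replaying a captured response, is not enough to authorize a purchase. The `Issuer` type, the `DAN-...` strings and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Issuer holds DAN -> public key only, so a dump of it contains nothing that can sign.
type Issuer struct {
	pub     map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per DAN
}
func NewIssuer() *Issuer {
	return &Issuer{pub: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
// Enroll registers the public half; the private half goes to the device's secure element.
func (i *Issuer) Enroll(dan string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	i.pub[dan] = pub
	return priv
}

// Challenge issues a fresh random value the device must sign for this purchase.
func (i *Issuer) Challenge(dan string) []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	i.pending[dan] = c
	return c
}
func SignChallenge(priv ed25519.PrivateKey, c []byte) []byte { return ed25519.Sign(priv, c) }
// Authorize verifies the signature over the outstanding challenge, then burns it.
func (i *Issuer) Authorize(dan string, sig []byte) bool {
	c, pending := i.pending[dan]
	pub, known := i.pub[dan]
	delete(i.pending, dan)
	return pending && known && ed25519.Verify(pub, c, sig)
}

func main() {
	iss, dan := NewIssuer(), "DAN-EXAMPLE-0001" // constructed sample DAN
	sig := SignChallenge(iss.Enroll(dan), iss.Challenge(dan))
	fmt.Println("device:", iss.Authorize(dan, sig), "replay:", iss.Authorize(dan, sig))
}
```

The first authorization succeeds and the replay fails because each challenge is single-use; a signature made with any other key fails verification against the enrolled public key.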
 
Liability is all that matters when I think of this issue. I am currently protected by Amex. I know when I have had issues with my bank it is a much larger pain to correct the situation than it was with Amex. CurrentC uses my bank. They assume no liability for fraud. This is where I depart from them. I know people are going to dig into the technical merits of each, and I commend someone for knowing enough to explain it in detail, albeit a little heavy-handed. I just have no interest in taking on liability risk that I do not have now for a minor discount. If you had asked me a few months ago, I might have been much more likely to say I might try it, before my cards were hacked and used in person at a store for more than a grand.

I do not know if Apple Pay is more secure, less secure or equal to a normal EMV chip card. I know that it, with Google Pay, leaves me with no liability if something goes wrong for whatever reason. That is where I think most people really are: they don't want to have to sort out issues that happen for whatever reason. I think most people want their purchase and not have to worry about it.
 
No. Some idiot celebrities used passwords like "password" and "123456" and low-tech "hackers" walked through the front door.

It's not a hack. It's idiots that don't have even slightly strong passwords.

It's probable that they were not _that_ stupid. However, a password that gives reasonable protection to a random person doesn't give reasonable protection if someone targets you specifically. For example, if you add your phone number at the end of your password, that makes it practically unbreakable for anybody who doesn't specifically target you, but gives very little protection otherwise.
 
I really do kinda feel sorry for the MCX consortium. They made a nice effort to come up with their own little system.

Have you seen how people are supposed to actually use it?

You fire up an app on your phone. The app uses a camera to take a picture of a QR code somewhere on the cash register display that tells the app the details of the present transaction.

The app then asks the user to approve the transaction. The user does so. The app then presents a QR code that you then present to the checker to scan with their own barcode scanner. At which point, the circle is complete.

They really expect people to prefer that to swiping a debit card and entering their PIN? It's an insane Rube Goldberg machine.
 
Please stop responding without reading context.

My point was people get hacked; it has no bearing on their payment tech.

Log-in to an account using the account's credentials is not what I'd call a hack. People basically give away their credentials through social engineering. It is not a hack in the traditional sense but is the way most individual user accounts get compromised.

The word hack is abused these days. Ripping off Target and the like, these are hacks, but those systems are barely protected, so a baby programmer could do it.
 
Please stop responding without reading context.

My point was people get hacked; it has no bearing on their payment tech.

Umm, ok. That was my one and only comment in this thread. And apologies for discussing the relative impact of an iCloud hack upon Apple Pay in a discussion nominally about the security merits of competing mobile payment systems.

*backs slowly away*
 
Because what I am showing you is the folly in the ideology that a company's email is hacked therefore their processing system is faulty. When Apple gets hacked it's the users' bad passwords, but with CurrentC it's because they are stupid failures.

Well, we can examine Apple's security record versus Target, Best Buy, 7-11, Exxon, Michael's, KMart, and Wal-Mart. Apple will look very good by comparison.

But in reality, a more realistic comparison is retail versus financial, and even there, financial is looking better.

I work in Information Security and I have seen some pretty serious lapses in judgment when it comes to deploying effective security. Such thinking tends to be pervasive.
 
So as not to be complicit in CurrentC's security woes, and to protect the security of their customers, it would be appropriate for both Apple and Google to pull the CurrentC app from their respective stores.
 
I have an extreme dislike toward entities that deliberately disrupt the use of technological innovation. So yes, I'm f'in pissed.

Don't know how to really answer this. Bitcoin is far more innovative than Apple Pay and is still accepted at many merchants, even CVS and Walgreens. So I really have no horse in this race. Bitcoin is far more technologically innovative than Apple Pay will ever be, so no need for me to use such a sub-par system like Apple Pay.

The issue is that MCX has required merchants to use CurrentC exclusively. This means that there is no choice at those merchants. It's not just a matter of someone wanting to use CurrentC at Wal-mart and someone else wanting to use Apple Pay. There's no choice.

Obviously the technology is there at Rite-Aid and CVS to allow Apple Pay to "just work" without any effort on the part of the Rite-Aid or CVS.


You always have a choice, my friend. I use bitcoin for all my CVS and Walgreens purchases, so I really see no disruption on my side. Plus bitcoin is far more secure than Apple Pay will ever be.