Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Users Reporting Apple Pay Problems After Changes in iPhone Security Status

AllieNeko said:
I thought you were ranting about not using Apple Pay and being responsible for your own security. My mistake, I never would've guessed you were really meaning users were responsible for Apple's procedures to auto-erase data not working properly.
Click to expand...

Yes, i was ranting that u should not rely on Apple Pay (yet), because of this issue.. and probably more to follow (who knows)

But users just like to immediately use the latest and greatest, without taking time to see if there are issues before they pounce...

Not saying it doesn't work, just stating, its not always what it seems.
 
Do it manually and you are fine; otherwise you get a refurbish iPhone!

Just one of those safety steps built-in for user protection.
 
BlendedFrog said:
Doesn't really have to do with this problem but did you really get AP to work at home depot? In which city do you live that it worked? I live in the suburbs of Chicago and I have yet to actually see it work.
Click to expand...

I just used it at Home Depot a couple of weeks ago. You go to the self service kiosk. On the machine where you slide your CC, you just wave your iPhone at it. Thumb your phone, and walk out.
 
THIS is a bad thing cause why?

Sounds like a bad implementation of security.. BUT (There is always a but) Seems like this could be partially intentional to keep people from stealing the card you now keep in your drawer because you no longer need it and loading it onto another phone that they control.
 
ttss6 said:
iCloud was having issues on my 6+ so I signed out and back in. Later on, I wanted to use :apple: Pay to make a purchase only to realize my cards were gone :/ If it still requires my fingerprint to work, why were they removed in the first place? Heck you can't even unlock my phone without my fingerprint or code..
Click to expand...


I would think it is because of the tie in with icloud for remote erasing the phone and or remote clearing of the cards. No iCloud account, no remote wipe available. One of the security featured now is you can unauthorize a card if device lost/stolen.
 
Tech198 said:
Yes, i was ranting that u should not rely on Apple Pay (yet), because of this issue.. and probably more to follow (who knows)

But users just like to immediately use the latest and greatest, without taking time to see if there are issues before they pounce...

Not saying it doesn't work, just stating, its not always what it seems.
Click to expand...

For 99.999% of people there is no issue (not all people who actually do those action get the problem, so its a rare thing), and all others get a phone, so what is problem?
 
newellj said:
In the past seven years I've had at least five or six card fraud incidents. One was ~$17,000 and the other was just under $12,000. Citibank didn't ask for a penny from me in connection with any of these, but the cost of that is built into the credit card cost structure that you (thank you! ;)) and I :)() pay. I agree that it's easy and convenient, but a more secure system would presumably save us all a lot of money.
Click to expand...

Yep, I too have been hit multiple times over the past few years. Each time I simply had to identify the purchases that were not mine. Replacement cards were usually sent overnight if I needed them.

--

Re: the idea that a more secure NFC payment system will save "us" money, I just don't see that happening.

Heck, the CC brands are switching to more secure chipped cards and the merchant fees aren't going to go lower. The only thing that changes is liability.

As for customer APRs for those who don't pay on time, they won't change since they're not based on security, but rather the ability to pay back.
 
JayLenochiniMac said:
Not exactly convenient to have to go to the bank to get cash and use that (and lose cash back rewards and the ability to make online purchases to boot). Two different cards were compromised at the same time in my case. A merchant pretended that my Amex card didn't work so I handed him my Citi card. Hence both were skimmed at the same time and cloned for the same unauthorized charge. Apple Pay reduces this type of incident.
Click to expand...

Heh. You fell for it. I don't mean the merchant. I mean thinking I was seriously saying that dealing with credit card fraud is convenient compared to using Apple Pay.

here's the /sarcasm tag for you.:p
 
JayLenochiniMac said:
You're not making much sense.
Click to expand...
I was kidding in my first post about how easy it was to deal with identity theft and credit card fraud.

You answered as though I was seriously arguing that all that hassle was better than having a system that makes it harder for people to steal your credit card info.
 
doelcm82 said:
I was kidding in my first post about how easy it was to deal with identity theft and credit card fraud.

You answered as though I was seriously arguing that all that hassle was better than having a system that makes it harder for people to steal your credit card info.
Click to expand...

Believe it or not, people have disputed the need for Apple Pay by saying why bother if you won't lose anything with a credit card, arguing your points but non-sarcastically.
 
KeepCalmPeople said:
So...another bug rendering another tentpole feature of iOS 8 unusable (ref. Health app). Joy. I'm looking forward to seeing the buggy mess that will be iOS 8.2 with the Apple Watch. I foresee all sorts of shenanigans...
Click to expand...

Guess the haters have nothing to do this new years except hate.
 
JPSaltzman said:
Sounds like it's still easier just to get out your wallet and your credit card, swipe it, and sign, and go on your merry way.
Click to expand...

Or in my case I still carry cash because in my early years it was too easy to mount up debt. I've been credit card free for 45 months. It is possible to live off cash and a debit card. And by next year April my motorcycle and truck will be paid off. I will only have my mortgage left. I do all my own vehicle and home repairs so no need to have some emergency credit card on hand; just cash.
I'm 40 and I want to be 100% debt free when I retire. Now I believe that if you can't pay for it in cash you should not by it. Buying these toys on credit cards/loans will give you sleepless nights.
 
In this case better to have to deal with this issue than to have the possibility to have financial data stolen.

----------
gnasher729 said:
I suppose a guy in Switzerland would be very careful what he says. If he says it doesn't work and it does, everything is fine. If he says it works and it doesn't, then the phone doesn't work as described and he has to take it back if you complain. Even if he's heard that it works, he wouldn't admit it.

----------



A small number of people with a problem. A problem that is obvious so they won't be caught out. That doesn't make it unusable in any way.
Click to expand...
Don't you know? Every issue has to be dramatic on MR....
This is the "Apple is doomed" place, after all.....
 
JayLenochiniMac said:
Believe it or not, people have disputed the need for Apple Pay by saying why bother if you won't lose anything with a credit card, arguing your points but non-sarcastically.
Click to expand...

The tokenization used by Apple Pay and Google Wallet, as well as the way PayPal works, all of which hide our actual payment accounts, are definitely a Good Thing to prevent fraud.

I think that some of us are simply noting that any extra protection is not a huge change for the normal credit card consumer, because we're covered for fraud anyway. It's mostly useful to those who are ultimately held liable (e.g the banks and merchants).

(I've had credit cards for over forty years now. Fraud has been a very minor hassle. The biggest inconvenience has been to sometimes have to update stored online numbers, which is why I no longer use the same cards for both online and in person. It's the in-person cards that have been compromised.)

That said, I can see how such extra fraud protection could be especially important to, say, someone using a debit card, who also has a low bank balance and has little or no ability to temporarily withstand a fraudulent withdrawal while it gets straightened out.

Again, though, unless they use something like Apple Pay everywhere, they're only as safe as the lowest security used anyplace where they also swiped the same card account. I.e. being secure paying at Walgreen's doesn't mean anything if the same card is swiped at a different merchant that gets hacked.
 
Last edited:
The Oak said:
Yes, Capital One was proactive due to the Home Depot hack and sent me a new card.

I registered my card to Apple Pay during the transition from old to new card.

I have used Apple Pay many times at Home Depot since I received the new card and registered it to Apple Pay.
Click to expand...

I had the same thing happen (tried to register old card while new one was 'in transit'). It wouldn't register because the old account is technically "closed" (even though the old card was still in use).
 
MacRumors said:
The issue likely involves the secure enclave on the iPhone that stores the Apple Pay information. It is possible that the automatic removal of Apple Pay information does not clear the enclave properly, leaving behind details that block the addition of credit card information.
Click to expand...

Apple Pay account information is stored in the NFC Secure Element.

The means to communicate with the NFC Secure Element is what is stored in the CPU Secure Enclave.

According to Apple:

The Secure Element will only allow a payment to be made after it receives authorization from the Secure Enclave, confirming the user has authenticated with Touch ID or the device passcode.
...
Communication between the Secure Enclave and the Secure Element takes place over a serial interface, with the Secure Element connected to the NFC controller, which in turn is connected to the application processor. Even though not directly connected, the Secure Enclave and Secure Element can communicate securely using a shared pairing key that is provisioned during the manufacturing process.

The pairing key is generated inside the Secure Enclave from its UID key and the Secure Element’s unique identifier. The pairing key is then securely transferred from the Secure Enclave to a hardware security module (HSM) in the factory, which has the key material required to then inject the pairing key into the Secure Element.

The encryption and authentication of the communication is based on AES, with cryptographic nonces used by both sides to protect against replay attacks.

When the user authorizes a transaction, the Secure Enclave sends signed data about the type of authentication and details about the type of transaction (contactless or within apps) to the Secure Element, tied to an Authorization Random (AR) value. The AR is generated in the Secure Enclave when a user first provisions a credit card and is persisted while Apple Pay is enabled, protected by the Secure Enclave’s encryption and anti-rollback mechanism. It is securely delivered to the Secure Element via the pairing key. On receipt of a new AR value, the Secure Element marks any previously added cards as deleted.

Credit and debit cards added to the Secure Element can only be used if the Secure Element is presented with authorization using the same pairing key and AR value from when the card was added. This allows iOS to instruct the Secure Enclave to render cards unusable by marking its copy of the AR as invalid under the following scenarios:

• When the passcode is disabled
• The user logs out of iCloud
• The user selects Erase All Content and Settings
• The device is restored from recovery mode

Using the pairing key and its copy of the current AR value, the Secure Element verifies the authorization received from the Secure Enclave before enabling the payment applet for a contactless payment. This process also applies when retrieving encrypted payment data from a payment applet for transactions within apps.
Click to expand...

So it looks like some kind of bug related to the AR key storage.

Touch ID is the default method if available but the passcode can be used at any time instead of Touch ID. A passcode is automatically offered after three unsuccessful attempts to match a fingerprint and after five unsuccessful attempts, the passcode is required. A passcode is also required when Touch ID is not configured or not enabled for Apple Pay.
Click to expand...

On a side topic, according to Apple, Touch ID is not required for Apple Pay. (We already know it's not required for older devices when using the Apple Watch.)

If you turn off requiring Touch ID for Apple Pay using the Settings page below, Apple Pay should keep the cards but now ask for the Passcode. Can someone please confirm this? Thanks!

touchid_settings.png
 
Last edited:
kdarling said:
I think that some of us are simply noting that any extra protection is not a huge change for the normal credit card consumer, because we're covered for fraud anyway. It's mostly useful to those who are ultimately held liable (e.g the banks and merchants).
Click to expand...

You're missing the fact that even though you and I don't have to pay directly when there's a fraud incident, we _all_ pay for that indirectly. Banks and merchants simply pass those costs along to us.
 
I have restored my 4.7" 6 2X after updates. Each time logging out of iCloud.

I then restored from the backup, and added back the two cards I use. No issues noted. I did not change any passwords. Used Apple Pay today. :apple:
 
had this issue when the bank issued me a new card. i deleted the old card activated the new card but would not complete apple pay setup. dont remember what they did but apple or maybe it was the bank got it working
 
kdarling said:
(I've had credit cards for over forty years now. Fraud has been a very minor hassle. The biggest inconvenience has been to sometimes have to update stored online numbers, which is why I no longer use the same cards for both online and in person. It's the in-person cards that have been compromised.)
Click to expand...

Could not agree more. Separate cards for personal, and online. Both incidents I've experienced over the past 30 years were both person to merchant. Excellent advice. :apple:
 
KeepCalmPeople said:
So...another bug rendering another tentpole feature of iOS 8 unusable (ref. Health app). Joy. I'm looking forward to seeing the buggy mess that will be iOS 8.2 with the Apple Watch. I foresee all sorts of shenanigans...
Click to expand...

So in other words, your handle "KeepCalmPeople" is the complete opposite of your perspective on the world...
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back