Apple Pay itself should, in theory, cut down on fraud because it makes stealing credit card information almost impossible. Each time a transaction takes place, Apple generates the equivalent of a new credit card number so the merchant never actually sees a customer’s information.
The vulnerability in Apple Pay is in the way that it – and card issuers – “onboard” new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process “frictionless”, the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.
The banks, desperate to become their customers’ default card on Apple Pay – most add only one to their iPhones – did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were were so scared of Apple that they didn’t speak up. The banks didn’t press the company for fear that they would not be included among the initial issuers on Apple Pay.
It seems the Apple Pay fraud is a bit more complex than it just being the banks’ fault. This is what happens when one company becomes so big and dominant that everyone else dances to their tunes. We’ve seen it before in technology, and it seems we are entirely unwilling to learn.
In any case, letting a secretive, closed technology company take care of my payments seems like an incredibly stupid thing to do. I much prefer our banks to handle it – they’re shady, too, of course, but at least here in The Netherlands, there are at least a lot of government and media eyes focussed on them, and they have far stricter laws and regulations to adhere to than a random technology company.
Thom must have totally missed the problem here. Pay is used as a platform for fraud, like all payment platforms.
That doesn’t make using Apple Pay a stupid thing to do. That’s like saying you shouldn’t trust Visa (which is WAY more closed than Apple) because there is Visa fraud.
In fact, Pay is an incredible success and it’s generally safer to use than flashing credit cards and pin numbers.
Developed nations moved beyond credit cards decades ago.
Really? What do they use instead of Credit/Debit Cards and systems such as Apple Pay?
Euro notes and coins perhaps?
Pin and chip using debit cards. You equate credit/debit cards but they are *entirely* different. For a country like the US – where credit cards are used for just about everything without any authentication – Apple Pay is an improvement.
For countries that use pin and chip with debit cards and do not use credit cards, Apple Pay is just a little bit more convenient – but not more secure.
Edited 2015-03-17 10:50 UTC
That’s just simply not true.
Im a US citizen, a geek about financial systems, and I am very, very familiar with how Apple Pay works internally and externally and how CnP works in Europe…
Everything single thing he said is absolutely true. Apple Pay is only more secure concerning certain vectors (PIN protection being one of them). It is less secure in others…
Edited 2015-03-17 17:57 UTC
So you have no actual example how it is less secure. Good argument.
That is simple. It is less secure because under the hood it relies on the current credit card system, and THAT system is already obviously less secure. In other words it cannot secure your real credit card numbers if you use them outside of Apple Pay, and it does nothing to keep you from doing that. And you will invariably have to do that from time to time because not everyone will accept Apply Pay.
Im talking about the security from a holistic point of view… I realize Apple Pay is not itself at fault for securing things outside of its scope, but the mere fact that it augments the current system as opposed to replacing it makes it less secure by default (than native CnP).
Now once it evolves to using native EMV then that argument disappears. But it doesn’t work that way yet…
Edited 2015-03-17 18:24 UTC
Can you explain to me how to use chip and pin to buy something online?
I can’t figure out where in my laptop I insert the card.
Cute… I didn’t say CnP had no problems (in fact, I said the opposite in a few replies). I said that Apple Pay has problems too (in its current iteration). They both have problems, just of different kinds.
Once Apple Pay moves to native EMV (which is pretty much a given) the current flaws mostly disappear. Once that happens I think in many ways it is far superior to CnP, plugging some of the holes in it without much downside at all. But that hasn’t happened yet.
Ok, I don’t think you understood what I was trying to say
What exactly is the difference that you are referring to here? Obviously Chip and Pin cards DO use the current credit card system for buying things online.
The scope is different.
In CnP you get someone’s debit card number and a few other things and you can make fraudulent card-not-present payments – no argument. There is no vector, however, to clone the actual card… If they ALSO gets your PIN somehow it really doesn’t matter – the PIN is not of much use without the physical card. They can’t for example go to an ATM and cash out your account.
In Apple Pay, there is still a physical credit card floating around, and it still has a mag stripe on it, it can still be cloned, and you will still need to use it occasionally, often in ways that make it susceptible to being cloned. Apple Pay doesn’t do anything about this. They just bolted on another mechanism. If someone gets the magstripe and the PIN they essentially own the account…
Im not trying to take sides (in fact Im trying NOT to take sides). Im just pointing out both system have problems and in the grand scheme of things, as things are now, you can’t really point at Apple Pay as it is implemented in the US as a major improvement over what the EU already has.
It IS a major (gigantic!) improvement over what the US has now, but it is only marginally better than CnP in some ways, and marginally worse in others. Im really not faulting Apple Pay itself, its more of a testament to how bad what it is trying to replacing was…
However, if it ever rolls out in the EU it will likely take the form of native EMV. And at that point it will have quite a few security advantages and no real disadvantages that I can see. But none of that is set in stone at this point so well have to wait and see.
Ok, thanks for explaining what you meant.
Have you seen an emv card without a mag strip on it?
I thought that they all had them as back ups, which means that … its easy to clone.
They all (almost all?) have magstripes – but virtually no vendors in countries that have switched to EMV have terminals that even read them anymore.
More importantly, it is no longer considered as proof of card being present in the transaction handling systems in EMV countries. It isn’t totally useless, as some can (and have been) stolen and used in other countries… Ironically usually the US.
Totally agree with Thom, pushing your banking requests through a US company just seems like complete insanity.
We’ve not used credit cards in the UK for over a decade, and on my trips to the US I’m surprised that I still have to order a credit card from my bank before I go so I can buy stuff. (I cut it up on my return)
My wallet rarely leaves my pocket, my phone is always in and out, being left around, and occasionally being lost. Relying on it for payment just seems awkward and prone to error.
Numbers talk. You have a minority viewpoint (everybody and your grandma carries a smartphone these days)
I have apple pay and absolutely love it in practical use. Once Google gets a similar option out, my wife will surely use her Android phone as a wallet as well.
This is a no-brainer. Really.
Numbers do talk, and there are zero Apple Pay customers outside the US. I’m sure there’ll be people who sign up to it, but it’s just not needed here in Europe like it is in the States.
There’s a world outside of the US, and my viewpoint is more inline with that world.
Apple Pay has not launched in Europe. Curiously, you left that part out.
I didn’t feel the need to state the obvious.
You picked up on that, but didn’t pick up on the obviousness of your “zero Apple Pay customers outside the US” comment? That much should be obvious as well.
So you leave out context, but you dont forget to add the not-so-subtle US bashing at the end? Interesting.
I did. I was referring to you saying that ‘numbers talk’ and that I have a ‘minority viewpoint’
The numbers are zero, because there are no customers outside of the US. Also, how can I have a minority viewpoint when there are no customers here, and 99% of people here have likely never heard of Apple Pay, with 99% of people (even the very poor) having a chip and pin debit card.
I also didn’t bash the US in any way???
It is not because it a minority(?) viewpoint that is not correct. Combining functionality into a single device like payments in a iPhone, increases not only the ease of use but also the opportunity for criminals. If one’s iPhone gets stolen or lost, the risk for negative consequences is just booming.
For the same reason I wil never use a car opening on a Apple Watch. There is nothing wrong with single purpose car key.
The “no brainer” in a security environment means actually “no brains”
Edited 2015-03-17 13:03 UTC
You miss the important part: people don’t care about security and privacy any more. Like it or not. They want convenience.
So get ready for the future: your phone will replace your wallet, including the drivers license, discount cards and, yes, credit and debit parts.
Digital distribution is so convenient and saves to much money for the issuer that dealing with criminals is worth it.
Just like email replaced mail, remember?
You start your argument saying Apple Pay is good because it’s “generally safer to use than flashing credit cards and pin numbers” and end it by saying “You miss the important part: people don’t care about security and privacy any more”. Something went awry somewhere.
As it happens I broadly agree with your point though: Apple Pay may add new fraud problems for the banks, but for individual users it potentially increases security/privacy by shifting trust from PIN terminals to your iPhone (I’m undecided which it’s safer to trust in general).
The whole process (Apple Pay, Credit Cards, Chip & PIN) is all messed up anyway. It doesn’t makes sense to tell the retailer to ask the bank for the money: as a customer I should be dealing directly with my bank, telling them to transfer the money to the retailer’s account. Or using Bitcoin to avoid the bank entirely.
Nope. 1) Apple Pay is safer, 2) Despite that, people don’t care.
Logical integrity check succeeded.
How do you save money by using a an iPhone for payments? It is convenient, but it does not save money for the consumer or for the merchant.
Remember, the merchant has anyhow still to accept the existing payment means.
And just where the hell are you from? Because, like it or not, no matter how many things I set to paperless, I still get mail. Mail from my apartment complex, junk mail, mail from the government… believe me, I wish email had replaced mail. If you think it has, you have a major disconnect between your brain and reality or you live somewhere I’ve never heard of. In which case, mind elaborating?
They did… In 2011
http://en.wikipedia.org/wiki/Google_Wallet
It is insane. It needs to change. Thankfully Apple Pay doesn’t do this.
The issue at hand is simple:
If someone already has your credit card information they may (depending on the bank, some are more stringent than others) be able to use it for fraud in a more convenient manner.
The reason issuing banks call the shots on verification questions is because they know best what is needed to correctly identify an actual customer. Or they were supposed to know. Obviously they didn’t.
Thom, your original assertion isn’t really borne out by the facts. In The Netherlands, debit smartcards do indeed dominate, and have done for a couple of decades. A big part of this was the banks in The Netherlands deciding to set up their own debit-based payment network and pushed that hard onto consumers.
This is not a universal experience. Here in the UK our banks were much slower to start rolling out smartcards, whether they’re credit or debit. Some banks were still issuing dumb cards here less than 10 years ago. We still heavily use credit here – I’d expect the majority of payment transactions are on credit cards – with in-person transactions using chip and PIN.
Another factor here (certainly in the UK) is that consumers are offered better protection for credit card purchases than debit card ones. There’s therefore less incentive to use your debit card, especially for larger purchases.
Had you asserted that developed nations moved beyond simple dumb plastic credit cards years ago you’d have had a decent point.
I think the important point is the distinction between EMV (Chip & PIN) versus the magnetic strip on the back, rather than between credit and debit.
In Europe (including the UK if I recall correctly), liability shifted from bank to retailer in 2005, which precipitated the widescale move to EMV:
http://www.chipandpin.co.uk/business/card_payments/means/shift_liab…
Living in Europe I don’t have much experience with US banking, but my understanding (as mentioned by Nelson earlier) is that the same liability shift won’t happen in the US until 2015:
http://www.mrketplace.com/57196/preparing-for-the-shift-in-credit-c…
Thom can speak for himself of course, but I’m guessing this is what he’s referring to.
Not according to Brian Krebs:
“The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters.”
http://krebsonsecurity.com/2015/03/apple-pay-bridging-online-and-bi…
I follow your general sentiment, but that was a dick way to put it…
And how did that work out for them again?
“There is also no question that card-not-present fraud will spike as more banks in the US issue chipped cards; this same increase in card-not-present fraud has occurred in virtually every country that made the chip card transition, including Australia, Canada, France and the United Kingdom.”
– http://krebsonsecurity.com/2015/03/antidetect-helps-thieves-hide-di…
Wow, THAT was fast! It usually takes at least 5 or 6 posts before the Apple Defense Brigade starts defensively lashing-out.
“Letting a secretive closed company take care of my payments”
Depending on who the payment processor is for a merchant, it could be any number of secretive, closed companies.
Without Apple Pay (or EMV) you’re (at least in the US) sending said companies unencrypted (most times) card information.
Apple is actually completely detached from the CC payment flow.
Now, I don’t know if Apple Pay has any real staying power. It may be a fad. At the moment though there’s a fair amount of excitement in the industry.
Yes, definitely – it’s a huge improvement for the US, which is still using unsecured pieces of plastic anyone can pay with if they find one. Apple Pay is an improvement over that.
However, many developed nations have moved on to secure pin and chip debit cards decades ago, and for those countries, Apple Pay and similar systems offer far less of an advantage. It could be a little bit more convenient, but that’s about it.
It seems a lot of people cannot comprehend the fact that the payment market in country A is entirely different from the one in country B.
EMV is coming here soon, the liability shift later this year will financially incentivize merchants to migrate.
A little late, but I’ll take it.
Well, a watered-down version of it, anyway. The US is mandating Chip+Signature, not Chip+PIN like the rest of the EMV-using world. You’ll have chips in your credit and debit cards, but you’ll still be signing receipts.
I’m looking forward to a phone-based wallet not for any extra security it provides, but as a way to consolidate all the store-based gift and loyalty cards. I don’t carry a wallet; haven’t for a couple of years. Just have my credit, debit, health, and driver’s license cards in my pocket. And a stack of store-based cards sitting in the car that I have to remember to take with me wherever I go. That’s a real hassle.
Started to slim down that stack a bit using the individual stores’ apps on my phone. But would be nice to have a more unified experience for that. And, if it includes my debit/credit card as well, that’s a bonus.
Unfortunately, there’s no Apple Pay or Google Wallet support here in Canada. There’s no generic Interac app either. Rogers (my cell company) has released a SureTap Wallet app … but they’ve locked it down so that it only works on specific SIMs in specific phones running specific versions of Android with specific versions of the app installed … and only if it detects the phone is not rooted.
IOW, basically useless.
In Europe we now have contactless cards that can be used in the exact same way. Even before that, you could still use the card online, as all the details needed to make a payment are right on the card.
See, we were promised that contactless payments are secure and there is nothing to worry about, but when shit hits the fan – you’re on your own. Most transactions are done offline, and that means the terminal is not communicating with your bank in real time. It just assumes the card is valid and that you have the right amount. If not – you and the bank will deal with it one way or another. So, someone can steal a card, make multiple transactions and when they’re processed at the end of the day – the damage (potentially hundreds of Euros) is already done. Like you said, the card is just an unsecured piece of plastic.
And yes I’ve seen that happen.
Theoretically, my country’s laws say I’m not responsible for electronic transactions I have not authorised. So it’s simple, right? I get my money back. Sadly, no. If I go to my bank they’ll send me to Mastercard/Visa to make a claim and wash their hands off. Mastercard will tell me it’s the shop’s responsibility to verify an identity during a payment, so it’s all on them. Of course no shop ever does that. So even if they’re responsible and they are willing to help me, I may now have multiple shops and outlets to deal with. Even if I get my money back eventually, it will take months or even years. No one wants to go through that.
What’s even worse is there’s literally no bank left in my country that will issue a standard chip&pin card without the wireless gimmick. And most of the time you can’t disable it. Some people even cut out the little RFID antenna out, because there’s no other choice. The same people used to scratch the CVV number off the card and memorise it – I used to think it absolutely crazy.
Now compare that to Apple Pay. We all know (hopefully) that fingerprint authentication is not as secure as we once imagined. But in this case, it may just be secure enough. If it holds up for even half day, it may be enough time for me to restrict the card, or wipe the phone remotely, or whatever. Hell, even the 4-digit pin protected phone is more secure than “naked” contactless card.
So please don’t pretend that Apple Pay would not be an improvement over here, because that’s not true. At the very least it could save us a ton of headaches.
You completely miss the point of Apple Pay. The average US consumer is not concerned about the security of their magnetic stripe cards. If there is fraud they are 100% protected by VISA.
The reason Apple Pay has taken off is because it is convenient. The security is a side benefit of marginal importance to consumers. And the convenience is even greater for chip and pin cards because of the PIN annoyance.
100% protected? The hell they are. You’re at the mercy of Visa, or your bank, and if they decide not to believe you did not make said transaction you are shit out of luck. I actually agree with a poster above this (forgot who) that we should move to a push system where by the merchants never see our information at all. That’d cut down on most of it right there, if every transaction had to be authorized by you.
Why are you mentioning debit only? Here in Finland we use secure pin and chip credit cards and combined debit/credit cards. I think this the case also in the rest of the EU.
Edited 2015-03-17 19:55 UTC
Here in Canada, we have “legacy-friendly” pin-and-chip credit cards which are the worst of both worlds.
They can still be made to fall back to the old ways of payment, and the CC companies insist on only offering hybrid “contact+RFID” chips, so security-conscious people end up snapping the chip.
(Made more likely by how, when Mythbusters wanted to test RFID, the CC companies called back with lawyers on the line.)
I only use mine for online payments where PayPal is unsupported (or their non-overridable, overly sensitive fraud-detection system was tripped by a GOG.com insomnia sale) and use my chip+pin debit card for in-person payments.
Edited 2015-03-17 21:32 UTC
Apple pay might be a good or might be a bad thing.
Yet…
I don’t see it as a better alternative, as we allready have two type of technology established firmley in Denmark. Swipp and Mobile-pay.
Swipp is widespread, and even the Danish banks are advertising about everyone getting it.
And yes. It’s more secure than apple-pay.
Second, we have homebanking, wich we can use directly in our browsers on any type of smartphone platform.
That being: Windows phone, Iphone and Android.
And it’s backed up by a password plus a code-card, from wich we can use a specific code one time.
Basically it asks for something like Code-2452 and we write the code, wich are 6 random numbers at that code-2452.
And third….
When we use homebanking, the money is transfered at once, if the transfer was requested before 4 or 5 PM.
Taking all that in account.
Apple-pay have absolutely NO chance at getting a foothold in Denmark. And the banking systems are really strict in Denmark. It’s just too slobby regarding sequrity, that it would be illegal to have that exact system running here.
Uhhh!!! And one more thing (yes everybody can be a Jobs, LOL)
Shops are even now allowing you to pay, using eighter swipp or mobile-pay. Yes… Even when you are selling or buying things online, privately, people are asking if I have eighter mobile-pay or swipp.
Nope… Apple simply do not have a chance. They are totally 2 to 3 years behind everyday technology here in denmark, at this point in time.
It is like…
Apple: We have this amazing new thing, were you now, magically can pay using you’r iPhone
The Danish random person: You are a bit late… 4 or 5 years maby. Can I use it on my HTC-One or Lumia 630 then?
Apple: No of course not. It’s from Apple.
The Danish random person: !!!!??? Uhmmm…. No thanks then.
Edited 2015-03-17 13:09 UTC
So Apple Pay is bad. OK.
The default alternative is constantly handling over your entire card details, including the PIN number, to complete strangers in innumerable different transactions. That doesn’t seem so great.
My debit card was cloned once because on a long road trip around the UK in one of the many petrol stations I had used some desk clerk had simply copied my card details, PIN and all, as I paid.
Thats how most fraud happens. There is a going rate for selling batches of harvested card data and many, often temporary and low paid, retail workers are offered good money and the necessary kit for mass copying of card details during transactions.
Apple Pay seems inherently more secure than Chip and PIN transactions because you don’t actually pass all your card details to the retailer, the latter is most often the weak link in the chain of security.
BTW re other comments about credit cards versus debits cards in the USA, I have driven tens of thousands of miles on various US road trips and found I could use my UK debit for about 95% of all transactions.
Strawman. Nobody is arguing Apple Pay is bad. As always, Tony, you’re putting words in people’s mouths just so you can thump Apple some more.
It’s sad.
Uhm, with chip and pin the retailer does not get that information either.
Edited 2015-03-17 16:42 UTC
You keep saying that (you said it in past discussions about Apple Pay) but I do not think it is true based on my understanding of CnP…
Is there any situation, ever, where you enter your PIN number using a merchants terminal? Any at all.
Because when you do that you are potentially giving the merchant your PIN number.
I understand there are exceptions for small transactions and what not (that don’t require PIN entry). But that isn’t all transactions.
Apple Pay does not ever require you to enter your PIN on any terminal under any circumstances.
Im not saying CnP isn’t a secure system. Im saying it doesn’t go to the same lengths to secure your PIN as Apple Pay does…
Edited 2015-03-17 17:55 UTC
Exactly. Most common cause of fraud in chip and pin systems is terminals that log pins and card details. Obviously putting your information into a third party terminal is a big security weakness.
Yes they do which is exactly how my card was cloned.
You hand your card to someone behind a desk at a petrol station, for example, they insert your card and type in their authorisation code, they hand you back the card reader and you type in your PIN number. At no time can I be sure that the kit that is being used or the guy carrying out the transaction are legit.
When my card was cloned I had a long chat with the security guy from the bank and he said two common methods used were that card readers were interfered with (obviously with the collusion of the assistant) to capture your data, and/or cameras were installed (again with the collusion of the assistant) to photograph your card and you entering your PIN.
The point is that a transaction using Chip and PIN means presenting your actual card with all its details and entering your PIN in circumstances you cannot fully control. Apple Pay does not use your actual card number or a PIN at any point in the transaction. Your card number is simply not used so there is nothing that can be cloned.
Edited 2015-03-17 19:17 UTC
lolwut?
That’s not how it works at all here. Here in The Netherlands, the terminal is user-facing. YOU slide the card into the machine, YOU type in your PIN, YOU take the card out. At no point does the retailer even see your card – let alone handle it. Nobody will EVER ask you for your card. Ever. Not even your bank.
Nobody but you touches or sees your card here in The Netherlands. As for the equipment – that can definitely be an issue, but secretly replacing a terminal is much, much, much harder than this specific Apple Pay fraud, which appears to be dead easy to accomplish.
And it’s easy to accomplish because Apple Pay is built upon an inherently insecure, dated, and silly system: the credit card.
Edited 2015-03-17 19:38 UTC
Its not your machine. How do you have any confidence at all that it is not compromised? Do you realize how easily those things can be hacked. Tony only gave a few examples. Hackers can:
1. Install separate hardware on it to record key presses. This doesn’t even require hacking the machine itself, it is a physical modification of the keypad.
2. Install custom firmware on the machine to modify how it works. See this:
http://money.cnn.com/2014/08/08/technology/security/hack-credit-car…
That hack can be done without the vendor even knowing their machine was compromised…
Again, I actually agree with your overall point, that CnP, on the whole, is just as secure as Apple Pay in its current form. But don’t overstate your case – CnP has problems too.
…in the US. It will most certainly use native EMV when it is rolled out in Europe. At that point your argument will fall apart. It actually will be more secure than CnP, at least when it comes to PIN handling. But of course then isn’t now…
Thom_Holwerda,
Here here!
Everything we get is just a hack upon hacks, including the legacy EMV magstrip emulation modes used by apple pay. Almost everyone can agree that new standards for modern tech without legacy constraints would be better, but now that these legacy systems are in place there is a tremendous resistance to change. The companies that might carry weight in promoting new standards are more interested in re-branding existing technology (aka apple pay) or proprietary systems (aka paypal).
It’s no secret that Chip&PIN is an improvement, but I have to wonder if more modern & open payment systems would have better opportunities to prosper in third world countries that haven’t yet bought into the system. Bah, who am I kidding? The credit cartels probably start the press as soon a country can harvest fire by rubbing two sticks together “Congrats! You’ve been pre-qualified!”
Edited 2015-03-17 20:47 UTC
Same here in Canada. Of course you miss the obvious flaw in that the terminal is not your machine and you can’t trust it. Lots of examples of counterfeit machines being installed.
Actually it has nothing at all to do with that and you have no idea what you’re talking about. It’s the lack of rigor in the authorization process from the banks (influenced by Apple). Credit debit has no influence on that.
They’re doing it wrong. The store should never touch your card. They hand you the reader, you insert your own card, you enter the PIN, wait for the transaction to complete, remove your card, and hand the reader back.
Most places also have the reader physically bolted to the counter so it can’t be tampered with. Or attached to a metal cable for the same reason.
If you are shopping at places that do otherwise, then it’s user-error if your card gets cloned. Don’t use your card at places with poor physical security on the card readers.
Which is no different from using a contactless debit/credit card where you can hide the numbers under your hand, and no PIN is entered anywhere. Contactless debit and credit cards have been out for over a decade now. Apple Pay is no different from that.
No, nobody knows your PIN number. Not even your bank. In the Netherlands, there are a lot of advertises on TV sponsored by the government that warn against “bank cooperators” that ask for your PIN code via mail or phone, because they are always scammers because your bank will never ask for your PIN code.
Actually I think the OP is saying, you type the pin number in front of the retailer, in *their* device when you make a payment. People steal those pins by watching, or by having the terminal intercept while you type (i.e., a hacked terminal).
Of course the system is better than magnetic strip, no argument.
But.. the better system from *just* this aspect is a device you control, that transmits a one-time-use-only number to the merchant, who send that to the bank or payment authority, who then authorizes payment back to the merchant.
Which is what Apple Pay does. The fraud vector is not at the POS in apple pay. It’s before that.
If you had to use a chip-and-pin card to enter it into apple pay for instance, that would be much better. Or you had to go to your bank, or you bank had to validate the entry into your phone. etc etc etc.
Which is the same way that contactless credit and debit cards have been doing for over a decade now. Apple Pay is just a different way of doing something we (as in all the non-US parts of the world) have been doing for a long time now.
At what point in a contactless CnP transaction do you unlock your card so that it can be used?
Im sorry, but it is definitely not the same thing…
Many in Europe might not realize this, but the problems for US banking goes beyond just false transactions, it also can mean false denials and security calls. The lack of CC security implies a general lack of confidence on the bank’s part that transactions are authentic. So without good crypto the banks are left using only metadata/heuristics to sort out which transactions to approve.
For example: On a road trip to my parents last summer (one that we make regularly), HSBC denied my legitimate transactions at a restaurant and gas station, my being away from home generated a false positive in HSBC’s fraud detection algorithm. Sometimes even at home we’ll trip a fraud alert and get security calls verifying the last 5 or so transactions.
Recently my parents tried to use my newegg account to buy a new computer, but it was declined using their credit card. Arguably the bank’s heuristics may have “worked as designed” in that case, but it was a legitimate transaction that got denied, and I had to use my card to pay for their computer.
Even when I needed money at an ATM (one I had never gone to before), they declined the card AND locked my account for the whole weekend. I called them and pleaded with them to unlock the account, but they refused saying nothing could be done until monday, resulting in my rent being late. The banks can & do lock us out of our own money. To be safe, US consumers must anticipate false fraud with extra cards and/or cash, or at least don’t do anything to anger the heuristics!
I’ve switched banks BTW. But at this point I’d take anything over what we’re doing in the US. Apple did it’s best to develop Apple Pay in a way that is compatible with legacy US banking infrastructure. I’m sure behind closed doors, apple’s own engineers are cursing the stupidity of these systems (it’s not really their fault US banking sucks). ChipNPin is coming to US, which will be better for physical transactions, but it doesn’t do enough for card-not-present fraud. And no, I don’t want my bank to provide an app or authorize which apps I can use, it needs to be an open standard that runs everywhere.
Sometimes I get smug and think I could single-handedly build more robust banking systems with PKI and universal standards. But then it’s never really been computer scientists making the calls.
Edited 2015-03-17 15:56 UTC
The remote/online payment case shouldn’t be too hard in theory; just run the authentication handshake over the internet instead of NFC — your phone or web browser should be just as able to present an authentication interface for this case.
brion,
That’s true. And in theory I think this is what the makers of “3d-secure” were trying to do.
https://en.wikipedia.org/wiki/3-D_Secure
But besides being confusing, as implemented it’s extremely susceptible to impersonation. Partly because the merchant initiates the process, and also party because legitimate banks themselves use confusing redirections and domain naming schemes.
I wish we would get away from the notion of merchants taking our information to pull funds out of our accounts. This is a relic of the legacy days when merchants would take an imprint of our plastic cards and use that to withdraw funds from our accounts.
Just imagine we used cash the same way as plastic. You’d hand the merchant your wallet, they’d pick through it, take some bills out, and then hand it back to you. The whole thing is weird and these days the internet makes it all unnecessary.
Instead payments could be accomplished by “push”, the merchant would provide a standardized transaction&routing number, which I could type, copy&paste (or even snap a picture of with my phone, use your imagination here), I give that to my bank (the method would be between me and my bank, not the merchant) and tell them to pay it. The bank would initiate the transfer to the merchant and the transaction could be approved. This model makes a lot more sense for internet transactions.
Assuming the internet is available, a “push” model could work for instore transactions too. Snap a picture of a bill and send it to the bank to pay it in real time, etc. I’m confident this would be standard stuff by now if banks were run by computer scientists
Edit: Let’s not forget, the whole facade which is PCI would go the way of the dinosaur. Since the merchant would not posses the means of originating customer transactions, it would curtail practically all the fraud that stems from compromised merchant computers.
Edited 2015-03-17 18:18 UTC
If we’re swapping US banking horror stories, I’ve got a couple good ones. Both with Chase bank. First off, a couple years back my card was used somehow to make a fraudulent transaction for $400. I actually got that one reversed fairly easily, but the killer is this. I did get a fraud call on that day confirming the last 3 transactions. Beauty of it is, all 3 of those I was asked to confirm were legitimate transactions I had made, including one bill I pay as regular as clockwork on that given date. The fraudulent transaction (the fifth one back) slipped right through their detection. If I hadn’t been as careful with my bank account as I am, I’d have never noticed it until it was too late.
Second, I travelled frequently back and forth to Canada a little while back. I went through the process of getting my card cleared for use abroad, and all was well… but they forgot to tell me that said travel unlock would only last a month. So my card locks up randomly for no reason because it was used in Canada. Of course it was used in Canada… because I was there. At any rate they refused to unlock my card until I could go in and show them proof of identification, and go through each and every transaction indicating I had authorized it. Talk about a pain in the ass, especially since I wasn’t slated to leave Canada for another week.
Now, I don’t think Apple Pay would have helped the first time. That was purely someone getting hold of my card number and using it online. However, I do think that if Apple Pay were to have been around then, and in both Canada and the US, I would have been spared the second one which was by far the more irritating.
As long as all it requires to make a transaction is a small list of numbers and a name, there’s going to be credit/debit card fraud.
For the love of everything, US banks need to replace the card system with one where you have to authenticate the transaction online.
Apple Pay seems cute from a usability perspective, but by basing itself on the insecure pile of crap that is the US credit/debit card system it remains vulnerable at the weakest link.
But, our banks have little incentive to make a secure system when they can make so much money off encouraging people to debt-spend on their credit cards…
Apple Pay uses EMV contactless standards and emulates track data with a format preserving token. Meaning it can fit in any database already expecting card data to be of a certain length. There is nothing insecure about it.
In actuality, using Apple Pay drastically reduces this attack surface. Someone install a memory scanner on your POS system? You’re covered.
Database compromised and cardholder info leaked? (Because face it, PCI is a joke in their requirements for storing at-rest cardholder data).
Everyone else is fucked due to the limited keyspace on CC information, you on the other hand are covered.
And none of this is specific to Apple Pay. It is just a secure and convenient solution.
Meanwhile my card is still compromised from using it online somewhere else and having that database stolen. My money’s just as insecure as it always was…
The linked NYTimes article explains the issue in perhaps the most needlessly over-complicated way possible, and still manages to miss the actual meat of the problem.
The simple takeaway should be: Apple pay makes things substantially easier to commit credit card theft/fraud. Before Apple pay, committing CC fraud at a physical retailer meant you needed to clone the card, which means you needed data extracted from the physical card (via skimming, hacked POSes, etc).
But now, thieves can commit CC fraud at physical retailers without needing a physical dump of the card data – thanks to Apple Pay, that’s now possible with just the CVV info (which is much easier to obtain, since it can be stolen from online retailers).
http://krebsonsecurity.com/2015/03/apple-pay-bridging-online-and-bi…
I guess that, technically, Apple and their cheerleaders were correct about Apple Pay making people’s lives easier. They just forgot to mention that it was thieves and other criminals whose lives would be made easier.
that your bank/credit card company does an adequate job of authenticating you and your card at onset, and also does an adequate job of contacting you as soon as it sees any charges that are questionable (mine does and did), then Apple Pay is a very useful and secure method of making card-not-present purchases…..the best solution I have encountered so far in the States; and this is based on real life recent personal experience with use of the card I utilize.