All hail the Apple Pay system
One of the best features of the new iPhone is the Apple Pay system. It allows iPhone 6 users to take a picture of their credit cards, verify the numbers, and add them in to their Passbook so they can use these cards at a later time.
This is also supposed to allow the user to pay without ever providing the business with their credit card number. But, they seem to have forgotten that not every one will use this feature as intended. Some people may scan a credit card and begin to use it without the cardholder’s permission.
Consumer Reports (CR) actually gave this potential problem a test drive. Glen Derene, from CR, scanned and verified a few credit cards that were in his name and then proceeded to add two of his CR co-worker’s cards (presumably with their knowledge).
It looked like it was going to work, at first, but when prompted to verify by email, text, or a customer service call, using it would be difficult. This two-step verification system would require access to the cardholder’s email, phone, or the ability to answer security questions with customer service.
However, if you think about this in terms of theft, it becomes a bit worrisome.
Why this is so worrisome
Say you leave you purse at a restaurant and do not realize you have left it until you are almost home; if someone were to take it, they would more than likely have access to your phone and your credit cards. Theoretically, someone could add and verify your cards, since they likely have your phone from your purse. If you enable the passcode feature on your phone, this would of course, slow any thieves down a bit, but it is still a bit worrisome.
According to CR, Apple Pay works by a process known as credit/debit card provisioning. “You aim the camera of an iPhone 6, 6 Plus, or one of the new iPads at a credit card and the device reads the card number, customer name, and expiration date off the face of the card, then encrypts that data and sends it to Apple’s servers.
Apple then displays any terms and conditions to which the card-issuing bank needs the customer to agree. Once those terms and conditions are agreed to by the end user, the Apple Pay servers send information from the device (which can include the last four digits of the phone number and location information) and info from the user’s iTunes account to the bank for verification.
No additional verification needed
When Derene attempted to add his wife’s card, it was added with no additional verification necessary. She knew he was attempting to use it, but he was not an authorized user on the account.
Derene stated, “that was unexpected, since it is my wife’s private card, and she has never authorized me as a user. Also, that card isn’t associated with our family iTunes account. In fact, I have no current financial relationship with Citibank at all,” and yet he was allowed to fully use her credentials as if he had the actual card in his hand, making several purchases.
Derene did reach out to Citibank to ensure this was not just an unfortunate glitch, and was told sine he had all the vital information, including the same verified address, the system assumed he was authorized. He also reached out to other financial entities involved with Apple Pay, and no one really wanted to provide much detail about how provisioning works. Not too comforting considering the amount of damage that could be done, should your credit card information fall into the wrong hands.
In defense of Apple Pay
In defense of Apple Pay, there have been instances were credit card information has been stolen through air waves, as well as, several cases of major corporations’ data files being hacked.
Basically, your credit card information has the potential to be stolen any time you use it, but if you use Apple Pay, you may want to take a few extra steps to ensure it stays a little bit more secure: enable a pass code, make sure your credit card fraud alerts are enabled so you know if your card has been used, and regularly check your statements to ensure all purchases were made by yourself or an authorized user.
But, they do need to mandate a two-step verification regardless of whether or not your possess all the “correct” information.
wonderYrednow
October 26, 2014 at 11:14 pm
Or maybe using the fingerprint pass code on the iPhone 6 would slow down potential thieves.
Of course, if you cut off your finger and left it in your purse….well, that would speed things up for the thieves.
jmmx
October 26, 2014 at 11:17 pm
Interesting article with some good points.
I do have some issues with this:
“Say you leave you purse at a restaurant and do not realize you have left it until you are almost home; if someone were to take it, they would more than likely have access to your phone and your credit cards. Theoretically, someone could add and verify your cards, since they likely have your phone from your purse.”
First – if you lose your cards than you have problems Apple Pay or not.
More importantly, Apple Pay usually works with Touch ID. TID requires you to have a passcode. Assuming your their does not know your passcode then he is locked out of your phone.
If you get all the way home before realizing you lost your purse, the first thing to so would be to get on your computer, and use Find mi iPhone to deactivate it, then call the credit card companies to notify them.
If you lose your physical cards to thieves, you will always have problems. If you did not have your cards with you because you knew you had your iPhone, will that certainly would be better.
Michael Long
October 27, 2014 at 9:54 pm
“More importantly, Apple Pay usually works with Touch ID. TID requires you to have a passcode. Assuming your their does not know your passcode then he is locked out of your phone.”
It doesn’t usually work with Touch ID, it requires it. You can’t use Apple Pay on a device without a passcode set and Touch ID enabled. Disable Touch ID and/or the passcode, and you lose the ability for the system to access the encrypted token in the Secure Enclave.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 2:26 pm
I’ll stick with Apple Pay for secure transactions. The above scenarios are associated with physical card theft. Apple Pay or not, If someone gets ahold of you card, you are screwed. There is bandwagon effect in play to shoot holes in Apple’s security measures. Apple has taken an existing standard and made it better.
Sour grapes will always bring forward dubious criticism. You will see arrows flying from the supporters of Merchant Customer Exchange (MCX). MCX has actual security flaw as opposed to the circuitous flaws leveled against Apple Pay.
rolandestrada
October 27, 2014 at 4:29 pm
The final answer is very secure.
Michael Long
October 27, 2014 at 9:51 pm
This has to be the stupidest article I’ve ever seen. If a woman leaves her purse behind with a bunch of credit cards in it… SHE’S ALREADY LOST THE CARDS!
Further, you just need to jot down the numbers to steal them. The phone’s not needed at all.
But since you seem to think that they’re equally insecure, let’s try this. We both go to a seedy bar. You leave your wallet with credit cards behind, and I’ll leave my Apple Pay-enabled Touch ID protected iPhone behind.
We then wait to see whose card numbers get stolen first, and whose appear second (if at all).
Alfiejr
October 28, 2014 at 4:07 am
anyone that doesn’t have Passcode turned on is an idiot begging to be ripped off. not to mention TouchID makes Passcode drop dead easy to use and airtight (don’t insult us with James Bond latex finger mold scenarios – damn few of us are international spies) for Apple Pay devices.
the CR guy got his wife’s card to work because the accounts’ address was the same. so Citibank was sloppy – drop them. but i got separate email notices for each credit card i scanned in – all my own. Chase was not sloppy – use them.
rolandestrada
October 28, 2014 at 4:15 pm
Research is critical when writing articles like these. It’s easy to get clicks with inflammatory headlines. But when the facts fall down in the main article trouble ensues. Take a look at the flack of over CurrentC’s 2015 rollout of its’s payment system. CurrentC is the reason behind CVS and other merchants banning Apple Pay and Google Wallet as forms of payment. Even though some of these merchants have had NFC payments enabled for some time.
These merchants have banned NFC not because it is inherently insecure but because they have contractual obligations with CurrentC.
There are two good articles on this subject – John Gruber at Daring Fireball and Josh Costine at Tech Crunch. It’s a follow the money scenario.
rolandestrada
October 28, 2014 at 5:46 pm
If you have doubts about Apple Pay security versus CurrentC, go take a read of Nick Arnott’s post on iMore. CurrentC as a story is exploding all over the net. Will it cause CurrentC to implode before it actually launches? One can only hope. Take a look at the one star reviews of CurrentC on the iTunes app store. Hilarious!!.