All hail the Apple Pay system
One of the best features of the new iPhone is the Apple Pay system. It allows iPhone 6 users to take a picture of their credit cards, verify the numbers, and add them in to their Passbook so they can use these cards at a later time.
This is also supposed to allow the user to pay without ever providing the business with their credit card number. But they seem to have forgotten that not everyone will use this feature as intended. Some people may scan a credit card and begin to use it without the cardholder’s permission.
Consumer Reports (CR) actually gave this potential problem a test drive. Glen Derene, from CR, scanned and verified a few credit cards that were in his name and then proceeded to add two of his CR co-workers’ cards (presumably with their knowledge).
It looked like it was going to work at first, but when he was prompted to verify by email, text, or a customer service call, using the cards became difficult. This two-step verification would require access to the cardholder’s email or phone, or the ability to answer security questions with customer service.
However, if you think about this in terms of theft, it becomes a bit worrisome.
Why this is so worrisome
Say you leave your purse at a restaurant and do not realize it until you are almost home; if someone were to take it, they would more than likely have access to both your phone and your credit cards. In theory, someone could add and verify your cards, since they likely have your phone from your purse. If you enable the passcode feature on your phone, this would, of course, slow any thief down a bit, but it is still worrisome.
According to CR, Apple Pay works by a process known as credit/debit card provisioning. “You aim the camera of an iPhone 6, 6 Plus, or one of the new iPads at a credit card and the device reads the card number, customer name, and expiration date off the face of the card, then encrypts that data and sends it to Apple’s servers.
Apple then displays any terms and conditions to which the card-issuing bank needs the customer to agree. Once those terms and conditions are agreed to by the end user, the Apple Pay servers send information from the device (which can include the last four digits of the phone number and location information) and info from the user’s iTunes account to the bank for verification.”
No additional verification needed
When Derene attempted to add his wife’s card, it was added with no additional verification necessary. She knew he was attempting to use it, but he was not an authorized user on the account.
Derene stated, “that was unexpected, since it is my wife’s private card, and she has never authorized me as a user. Also, that card isn’t associated with our family iTunes account. In fact, I have no current financial relationship with Citibank at all,” and yet he was allowed to fully use her credentials as if he had the actual card in his hand, making several purchases.
Derene did reach out to Citibank to ensure this was not just an unfortunate glitch, and was told that since he had all the vital information, including the same verified address, the system assumed he was authorized. He also reached out to other financial entities involved with Apple Pay, and no one really wanted to provide much detail about how provisioning works. That is not very comforting, considering the amount of damage that could be done should your credit card information fall into the wrong hands.
In defense of Apple Pay
In defense of Apple Pay, there have been instances where credit card information has been stolen over the airwaves, as well as several cases of major corporations’ data files being hacked.
Basically, your credit card information has the potential to be stolen any time you use it, but if you use Apple Pay, you may want to take a few extra steps to keep it a little more secure: enable a passcode, make sure your credit card fraud alerts are turned on so you know when your card has been used, and regularly check your statements to ensure all purchases were made by you or an authorized user.
But they do need to mandate two-step verification regardless of whether or not you possess all the “correct” information.