Banks 'scrambling' to combat Apple Pay identity fraud - report

Comments

  • Reply 81 of 109
    muppetry Posts: 3,331 member
    Quote: Originally Posted by SolipsismY
        Quote: Originally Posted by muppetry
            The former is a subset of the latter, so you are British.
        WTF?! Now he's saying he's from England but not Great Britain. Why even respond to that nonsense?
    He's just being contrary, as usual. I agree, I should not indulge him.

  • Reply 82 of 109
    jbdragon Posts: 2,312 member
    I expected some issues with Apple Pay along these lines. It's the weak link. I'm sure this is one of the reasons why it was a U.S.-only launch at first. Get these types of things nailed down before launching in other countries. It's a minor issue that could have become a major issue if Apple Pay was worldwide.

    Glad to see it doesn't seem to be anything on Apple's end. It's the banks that really need to figure out what works best.

  • Reply 83 of 109
    Quote: Originally Posted by muppetry
        Quote: Originally Posted by Benjamin Frost
            Quote: Originally Posted by muppetry
                Quote: Originally Posted by Benjamin Frost
                    There is something that worries me about Apple Pay.

                    If someone sees you enter your Apple ID password when you're writing a review on the App Store, for instance, and then steals your Apple Pay-enabled iPhone, they could then go on a spending spree. Why? Because, when you use Apple Pay, if you get your fingerprint wrong three times, it defaults to password. Your iPhone then becomes a point of great insecurity, more so than if you didn't have Apple Pay set up.

                    I haven't used Apple Pay, so correct me if I'm wrong. Maybe if your fingerprint is rejected, you simply can't pay for stuff, but my understanding is that you can use the password as a backup.
                Your AppleID password is not the same as your phone unlock password, is it?
            I thought you didn't need to unlock your iPhone to use Apple Pay. So if you have the Apple ID, you have Apple Pay, no?
        If you use TouchID then you don't, but if you are going to enter an AppleID, how would you do that without first unlocking the device?
    Sorry, I meant the phone unlock password, not your Apple ID password.

    Okay, that makes sense. So if your fingerprint fails, you have to enter your phone unlock password, right? In which case, that does seem more secure, as you're unlikely to enter that password very often unless you restart your iPhone. It is still potentially somewhat risky, as if a thief got that password, they could wreak havoc.

  • Reply 84 of 109
    solipsismy Posts: 5,099 member
    jbdragon wrote: »
        I expected some issues with Apple Pay along these lines. It's the weak link. I'm sure this is one of the reasons why it was a U.S.-only launch at first. Get these types of things nailed down before launching in other countries. It's a minor issue that could have become a major issue if Apple Pay was worldwide.

        Glad to see it doesn't seem to be anything on Apple's end. It's the banks that really need to figure out what works best.
    Apple could have "nailed it down" by forcing banks to require card authentication, but I'm glad they didn't. In the long run it's best that the control is out of Apple's hands and in the hands of the banks and the customers that use those banks.

  • Reply 85 of 109
    Quote: Originally Posted by muppetry
        Quote: Originally Posted by Benjamin Frost
            Quote: Originally Posted by muppetry
                Quote: Originally Posted by xixo
                    Quote: Originally Posted by Benjamin Frost
                        Reputable if you're a fan of loony left writing, yes.
                    You are another fine example of American exceptionalism as well as no child left behind.
                Except he's British. Misguided, but British.
            English, not British. The jury's out on misguided.
        The former is a subset of the latter, so you are British.
    No, I'm English.

    Britain is not a country. England is. I'm as British as I am European; in other words, British means nothing.

    Most people who live in England feel this way.

  • Reply 86 of 109
    muppetry Posts: 3,331 member
    Quote: Originally Posted by Benjamin Frost
        Quote: Originally Posted by muppetry
            Quote: Originally Posted by Benjamin Frost
                Quote: Originally Posted by muppetry
                    Quote: Originally Posted by Benjamin Frost
                        There is something that worries me about Apple Pay.

                        If someone sees you enter your Apple ID password when you're writing a review on the App Store, for instance, and then steals your Apple Pay-enabled iPhone, they could then go on a spending spree. Why? Because, when you use Apple Pay, if you get your fingerprint wrong three times, it defaults to password. Your iPhone then becomes a point of great insecurity, more so than if you didn't have Apple Pay set up.

                        I haven't used Apple Pay, so correct me if I'm wrong. Maybe if your fingerprint is rejected, you simply can't pay for stuff, but my understanding is that you can use the password as a backup.
                    Your AppleID password is not the same as your phone unlock password, is it?
                I thought you didn't need to unlock your iPhone to use Apple Pay. So if you have the Apple ID, you have Apple Pay, no?
            If you use TouchID then you don't, but if you are going to enter an AppleID, how would you do that without first unlocking the device?
        Sorry, I meant the phone unlock password, not your Apple ID password.

        Okay, that makes sense. So if your fingerprint fails, you have to enter your phone unlock password, right? In which case, that does seem more secure, as you're unlikely to enter that password very often unless you restart your iPhone. It is still potentially somewhat risky, as if a thief got that password, they could wreak havoc.
    Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.

  • Reply 87 of 109
    Quote: Originally Posted by muppetry
        Quote: Originally Posted by Benjamin Frost
            Quote: Originally Posted by muppetry
                Quote: Originally Posted by Benjamin Frost
                    Quote: Originally Posted by muppetry
                        Quote: Originally Posted by Benjamin Frost
                            There is something that worries me about Apple Pay.

                            If someone sees you enter your Apple ID password when you're writing a review on the App Store, for instance, and then steals your Apple Pay-enabled iPhone, they could then go on a spending spree. Why? Because, when you use Apple Pay, if you get your fingerprint wrong three times, it defaults to password. Your iPhone then becomes a point of great insecurity, more so than if you didn't have Apple Pay set up.

                            I haven't used Apple Pay, so correct me if I'm wrong. Maybe if your fingerprint is rejected, you simply can't pay for stuff, but my understanding is that you can use the password as a backup.
                        Your AppleID password is not the same as your phone unlock password, is it?
                    I thought you didn't need to unlock your iPhone to use Apple Pay. So if you have the Apple ID, you have Apple Pay, no?
                If you use TouchID then you don't, but if you are going to enter an AppleID, how would you do that without first unlocking the device?
            Sorry, I meant the phone unlock password, not your Apple ID password.

            Okay, that makes sense. So if your fingerprint fails, you have to enter your phone unlock password, right? In which case, that does seem more secure, as you're unlikely to enter that password very often unless you restart your iPhone. It is still potentially somewhat risky, as if a thief got that password, they could wreak havoc.
        Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
    Sure. In the end, it comes down to that passcode, though, unless it doesn't. Guess I'll find out in 2016, unless I get to use Apple Pay on my iPad first.

  • Reply 88 of 109
    solipsismy Posts: 5,099 member
    muppetry wrote: »
        Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
    That's exactly it. Since your PIN/passcode is always better security than any biometric from the system's standpoint (exact v. close enough), the PIN/passcode is always there as an option.

    Now, for those that have Touch ID on their devices and care about security, I suggest they go into Settings » Touch ID & Passcode » Passcode to disable Simple Passcode. Since you only do this sparingly, using a complex passcode that can utilize every letter, number and symbol available to you on the virtual keyboard improves your security over a simple 4-digit PIN with 10,000 permutations. Not that 10,000 is easy to guess, but the larger number pad and a limitation of 4 numbers makes it easier to figure out if someone is watching from a distance.

  • Reply 89 of 109
    muppetry Posts: 3,331 member
    Quote: Originally Posted by SolipsismY
        Quote: Originally Posted by muppetry
            Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
        That's exactly it. Since your PIN/passcode is always better security than any biometric from the system's standpoint (exact v. close enough), the PIN/passcode is always there as an option.

        Now, for those that have Touch ID on their devices and care about security, I suggest they go into Settings » Touch ID & Passcode » Passcode to disable Simple Passcode. Since you only do this sparingly, using a complex passcode that can utilize every letter, number and symbol available to you on the virtual keyboard improves your security over a simple 4-digit PIN with 10,000 permutations. Not that 10,000 is easy to guess, but the larger number pad and a limitation of 4 numbers makes it easier to figure out if someone is watching from a distance.
    Just be happy that you don't have to use a complex passcode on a non-TouchID phone. That requirement was recently implemented via the security profile on my business iPhone 5, and is an unbelievable pain in the ass - virtually unusable. Numbers, letters and special characters. Needless to say I immediately requested a 6.

  • Reply 90 of 109
    Quote: Originally Posted by SolipsismY
        Quote: Originally Posted by muppetry
            Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
        That's exactly it. Since your PIN/passcode is always better security than any biometric from the system's standpoint (exact v. close enough), the PIN/passcode is always there as an option.

        Now, for those that have Touch ID on their devices and care about security, I suggest they go into Settings » Touch ID & Passcode » Passcode to disable Simple Passcode. Since you only do this sparingly, using a complex passcode that can utilize every letter, number and symbol available to you on the virtual keyboard improves your security over a simple 4-digit PIN with 10,000 permutations. Not that 10,000 is easy to guess, but the larger number pad and a limitation of 4 numbers makes it easier to figure out if someone is watching from a distance.
    It does strike me that there should be an option to disable Apple Pay completely if the fingerprint fails three times, rather than allowing the fallback to a passcode. That way, your iPhone doesn't become vulnerable in the event of it being stolen. You could simply be required to restart your iPhone and re-enter both your unlock passcode and your AppleID password.

    Cumbersome in the event of a fingerprint failure, perhaps, but ultimately more secure.

  • Reply 91 of 109
    muppetry Posts: 3,331 member
    Quote: Originally Posted by Benjamin Frost
        Quote: Originally Posted by SolipsismY
            Quote: Originally Posted by muppetry
                Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
            That's exactly it. Since your PIN/passcode is always better security than any biometric from the system's standpoint (exact v. close enough), the PIN/passcode is always there as an option.

            Now, for those that have Touch ID on their devices and care about security, I suggest they go into Settings » Touch ID & Passcode » Passcode to disable Simple Passcode. Since you only do this sparingly, using a complex passcode that can utilize every letter, number and symbol available to you on the virtual keyboard improves your security over a simple 4-digit PIN with 10,000 permutations. Not that 10,000 is easy to guess, but the larger number pad and a limitation of 4 numbers makes it easier to figure out if someone is watching from a distance.
        It does strike me that there should be an option to disable Apple Pay completely if the fingerprint fails three times, rather than allowing the fallback to a passcode. That way, your iPhone doesn't become vulnerable in the event of it being stolen. You could simply be required to restart your iPhone and re-enter both your unlock passcode and your AppleID password.

        Cumbersome in the event of a fingerprint failure, perhaps, but ultimately more secure.
    What's required to register a new fingerprint? Just the phone passcode, or something more?

  • Reply 92 of 109
    muppetry wrote: »
        solipsismy wrote: »
            muppetry wrote: »
                Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
            That's exactly it. Since your PIN/passcode is always better security than any biometric from the system's standpoint (exact v. close enough), the PIN/passcode is always there as an option.

            Now, for those that have Touch ID on their devices and care about security, I suggest they go into Settings » Touch ID
        It does strike me that there should be an option to disable Apple Pay completely if the fingerprint fails three times, rather than allowing the fallback to a passcode. That way, your iPhone doesn't become vulnerable in the event of it being stolen. You could simply be required to restart your iPhone and re-enter both your unlock passcode and your AppleID password.

        Cumbersome in the event of a fingerprint failure, perhaps, but ultimately more secure.
    What's required to register a new fingerprint? Just the phone passcode, or something more?

    Just the phone passcode. They should make it your Apple ID as well.

  • Reply 93 of 109
    muppetry Posts: 3,331 member
    Quote: Originally Posted by Benjamin Frost
        Quote: Originally Posted by muppetry
            Quote: Originally Posted by Benjamin Frost
                Quote: Originally Posted by SolipsismY
                    Quote: Originally Posted by muppetry
                        Actually I don't yet have a phone that supports ApplePay, so I don't know exactly what the options and procedures are if TouchID fails for a transaction. I'm sure that it starts with unlocking the phone with its passcode though, which should be a secure one on a TouchID-enabled phone.
                    That's exactly it. Since your PIN/passcode is always better security than any biometric from the system's standpoint (exact v. close enough), the PIN/passcode is always there as an option.

                    Now, for those that have Touch ID on their devices and care about security, I suggest they go into Settings » Touch ID
                It does strike me that there should be an option to disable Apple Pay completely if the fingerprint fails three times, rather than allowing the fallback to a passcode. That way, your iPhone doesn't become vulnerable in the event of it being stolen. You could simply be required to restart your iPhone and re-enter both your unlock passcode and your AppleID password.

                Cumbersome in the event of a fingerprint failure, perhaps, but ultimately more secure.
            What's required to register a new fingerprint? Just the phone passcode, or something more?
        Just the phone passcode. They should make it your Apple ID as well.
    Well in that case, if a thief gets your phone and knows the (hopefully complex) passcode (very bad opsec if that happens, of course), then at a minimum he can register a new fingerprint and use ApplePay via TouchID.

  • Reply 94 of 109
    idrey Posts: 647 member
        Sorry, I meant the phone unlock password, not your Apple ID password.

        Okay, that makes sense. So if your fingerprint fails, you have to enter your phone unlock password, right? In which case, that does seem more secure, as you're unlikely to enter that password very often unless you restart your iPhone. It is still potentially somewhat risky, as if a thief got that password, they could wreak havoc.
    That's why I use a longer password, so it's harder for people to see. But if it does happen, I would suggest borrowing an iPhone as quickly as possible and putting your iPhone in Lost Mode ASAP!

  • Reply 95 of 109
    solipsismy Posts: 5,099 member
        It does strike me that there should be an option to disable Apple Pay completely if the fingerprint fails three times, rather than allowing the fallback to a passcode. That way, your iPhone doesn't become vulnerable in the event of it being stolen. You could simply be required to restart your iPhone and re-enter both your unlock passcode and your AppleID password.

        Cumbersome in the event of a fingerprint failure, perhaps, but ultimately more secure.
    Anecdote: When Apple first introduced the iPhone Enterprise Tool (not sure of the exact name) I used it to create a complex passcode. It was a pain in the ass to do a hundred+ times per day.

    The original option would force the QWERTY keyboard to appear, even if you did something like add or reduce the number of digits from 4. On the one hand the alphanumeric keyboard does add additional security for a PIN; on the other it's annoying to use. Now if you have only digits the number pad will be selected for you, and, of course, it's built into iOS without using a kludge.

  • Reply 96 of 109
    plovell Posts: 826 member
    Quote: Originally Posted by BobSchlob
        Bottom line; Why would anybody cite anything from The Guardian (or any UK rag)?
    More to the point - why would they NOT do that ??

  • Reply 97 of 109
    plovell Posts: 826 member
    Quote: Originally Posted by Maestro64
        Visa just announced a service through which they will be offering people who do not have ApplePay a higher level of security. ... Also if you do an online order it has to be done within a certain range of the phone's home location
    Well that makes life difficult, although I guess it depends upon the size of the "certain range".

    If I buy stuff at home it's not done using my phone. If I buy anything using my phone then it'll always be away from home.

    Shades of "who sold you that idea, then ??"

  • Reply 98 of 109
    plovell Posts: 826 member
    Quote: Originally Posted by mstone
        I can't wait for chip and pin to be the standard in the US.
    Please don't hold your breath. What's coming is chip+signature, not chip+PIN (with a few possible exceptions).

    But chip+sig is a lot better than swipe cards because cloning isn't possible.

  • Reply 99 of 109
    solipsismy Posts: 5,099 member
    plovell wrote: »
        But chip+sig is a lot better than swipe cards because cloning isn't possible.
    Is it impossible, or just considerably more difficult?

  • Reply 100 of 109
    plovell Posts: 826 member
    Quote: Originally Posted by SolipsismY
        Quote: Originally Posted by plovell
            But chip+sig is a lot better than swipe cards because cloning isn't possible.
        Is it impossible, or just considerably more difficult?
    My understanding, which could be imperfect, is that certain parts of the chip are write-only and can't be read. So the issuing bank sets certain info into specific parts of the chip. A terminal (reader device) can request certain functions to be performed against the "secret stuff" written into the chip, but that can't be retrieved and cloned onto a new chip. Other parts of the chip can be read and written -- a PIN code can be changed, for example, on a chip+PIN card.

    Digressing for a moment back to AP - when you register a card you specify the number printed on the card (Primary Account Number - PAN) and verify your identity, and the issuer (Visa etc) gives you (i.e. your iPhone) a DIFFERENT number, the Device Access Number (DAN). This looks for all the world like a standard credit card (PAN) number, e.g. if it's Visa then it's sixteen digits, starts with "4", etc, etc. But Visa knows that it is NOT a PAN and therefore can't be used as one. Any transactions using this DAN must have the accompanying crypto signature in order to be accepted. This PAN - DAN stuff is the essence of "tokenization" as established by the credit card issuers group (EuroPay/MasterCard/Visa - EMV) and implemented by Apple within Apple Pay.

    We know that existing chip cards do NOT use tokenization - it's newer than the chip cards. Updated versions almost certainly will but that's in the future. So the current generation of chip cards uses the PAN, but with a chip-handshake between the card and the bank.

    Chip-capable terminals (readers) include the ability to read old-style swipe cards. And new chip cards also include the old-style stripe so they can be used on old-style readers (not chip-capable). But if you swipe a new card in a new reader it rejects the swipe and tells you to insert the card so the chip can be read. It's unclear whether that decision is made locally at the reader (i.e. the mag strip contains some indication that the card contains a chip) or at the bank (the bank obviously knows whether the card it issued has a chip or not). The best security for the bank would be the latter because it would be able to invalidate any cloning of mag-strip cards for an account where chip cards had been issued.
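The post above makes two related points: a secret held in the chip (or the phone) is only ever used to compute something for the terminal, never read out, and a device token looks like a card number but is worthless without the accompanying cryptogram. The Python below is an added toy model of both, not code from this thread, from Apple, or from the EMV specifications. The `Issuer`, `Device` and `make_cryptogram` names, the HMAC-SHA256 cryptogram, the nonce-based replay check and the sample card number are all assumptions of the model; it borrows the post's own term "DAN" for the device token and does not reproduce the real EMV or Apple Pay message formats.

```python
"""Toy model of payment tokenization with a per-device cryptogram.

Added example; not code from the forum thread, Apple, or the EMV
specifications. The token format, key handling and HMAC-SHA256 cryptogram
are assumptions chosen to illustrate the post's two points.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def make_cryptogram(device_key: bytes, number: str, amount_cents: int, nonce: str) -> bytes:
    """Bind the transaction fields to a secret that never leaves the device.

    This stands in for the post's "functions performed against the secret
    stuff written into the chip": the issuer can verify the result, but
    nothing a merchant or a breached database holds allows reproducing it.
    """
    message = f"{number}|{amount_cents}|{nonce}".encode()
    return hmac.new(device_key, message, hashlib.sha256).digest()


@dataclass
class Issuer:
    accounts: set = field(default_factory=set)     # real card numbers (PANs) the bank issued
    tokens: dict = field(default_factory=dict)     # device token (DAN) -> (PAN, device_key)
    seen_nonces: set = field(default_factory=set)  # replay protection for token transactions

    def issue_card(self, pan: str) -> None:
        self.accounts.add(pan)

    def provision_token(self, pan: str, identity_verified: bool):
        """Hand the device a different number plus a key, only after identity verification."""
        if pan not in self.accounts or not identity_verified:
            raise PermissionError("token provisioning refused")
        dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))  # same shape as a Visa PAN
        device_key = secrets.token_bytes(32)
        self.tokens[dan] = (pan, device_key)
        return dan, device_key

    def authorize(self, number: str, amount_cents: int, nonce=None, cryptogram=None) -> str:
        """Tokens are only honoured with a fresh, valid cryptogram; they cannot act as a PAN."""
        if number in self.tokens:
            pan, device_key = self.tokens[number]
            if nonce is None or cryptogram is None:
                return "DECLINED: token presented without cryptogram"
            if nonce in self.seen_nonces:
                return "DECLINED: replayed transaction"
            expected = make_cryptogram(device_key, number, amount_cents, nonce)
            if not hmac.compare_digest(expected, cryptogram):
                return "DECLINED: cryptogram does not verify"
            self.seen_nonces.add(nonce)
            return f"APPROVED: token mapped to card ending {pan[-4:]}"
        if number in self.accounts:
            return "APPROVED: plain PAN transaction (legacy path, no cryptogram)"
        return "DECLINED: unknown account number"


class Device:
    """The phone: holds the token and the key; only the token and a cryptogram go to the merchant."""

    def __init__(self, dan: str, device_key: bytes):
        self.dan = dan
        self._key = device_key

    def pay(self, amount_cents: int):
        nonce = secrets.token_hex(8)
        return self.dan, amount_cents, nonce, make_cryptogram(self._key, self.dan, amount_cents, nonce)


def run_scenario() -> dict:
    """Walk through the cases the post raises; returns results keyed by case name."""
    issuer = Issuer()
    pan = "4000123412341234"  # constructed sample number, not a real card
    issuer.issue_card(pan)
    results = {}
    try:
        issuer.provision_token(pan, identity_verified=False)
        results["unverified_provisioning"] = "allowed"
    except PermissionError:
        results["unverified_provisioning"] = "refused"
    dan, key = issuer.provision_token(pan, identity_verified=True)
    phone = Device(dan, key)
    results["token_looks_like_pan"] = dan != pan and len(dan) == 16 and dan[0] == "4"
    genuine = phone.pay(1999)
    results["genuine"] = issuer.authorize(*genuine)
    results["token_as_pan"] = issuer.authorize(dan, 5000)        # leaked token used like a card number
    results["replay"] = issuer.authorize(*genuine)               # captured transaction sent again
    number, _, nonce, cryptogram = phone.pay(100)
    results["tampered"] = issuer.authorize(number, 99900, nonce, cryptogram)  # amount altered in transit
    results["legacy_pan"] = issuer.authorize(pan, 1999)          # unchanged path for non-tokenized cards
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:25} {outcome}")
```

The `legacy_pan` case is the point of the post's last paragraph: as long as the issuer still honours the bare PAN without a cryptogram (the swipe path), the weakest path decides the account's exposure, and tokenization only shrinks what a merchant breach or a skimmed stripe can be used for where that path is closed.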
