I couldn't believe that one of my cards had no authorization system in place when I added it to Apple Pay. I hope their shortsightedness has been corrected, but I don't understand why they felt it was OK to announce their system was ready when they failed to have a basic system in place. They could have even made it as simple as calling their help desk to have a CSR verify your identity with challenge questions before authorizing the card for payments.
The only card I added was AMEX and it went right through no questions asked. I did receive a text and an email immediately though. If any organization would have their act together it would be AMEX. I'm assuming they used some other means to verify me that was going on behind the scenes.
With ACH, the system has no way of verifying anything and will accept any name and number. So it's entirely possible for a phone representative to pay someone else's account with your ACH payment information because there is no verification. This is just how banks work.
I'm not sure that this is quite true but I agree that ACH security is quite poor.
As an example, I believe that if there is an authorization for ACH transfers on your account (and Citi does have this) then it's bi-directional. There is no way to say "I permit transfers into my account but no transfers out". Which means that if your employer does direct-deposit (via ACH, as is standard) then they can drain your account. WTF ?!?
The text and email will probably shut down most of the fraudulent "adds". I'm sure that if I got one for one of my cards that I didn't just add, then I'd be on the phone right away.
But your comment about "other means" got me thinking: Apple does provide certain info to the bank as part of the "add" provisioning process - I think that your current location is included, for example. So I wonder if it also includes something about other cards you might have registered in Apple Pay? If you had, and the names were different, then that would be a big red flag. But if they were all the same then banks could be more confident that it really was you. I wonder ... ?
I agree. I'm giving you the benefit of the doubt that you mean this -- if Apple Pay is being used for fraud, it will taint Apple Pay whether it's Apple's fault or its partners'. Who is the bigger name here, Apple or the numerous unnamed banks?
But I will go one step further ... Apple can design the most secure system in the world, but if they allow their partners to leave the back door open, then they are culpable. Apple is notorious for dictating terms of use, all they had to say to their partner banks is they can't implement Apple Pay until they can assure secure registration by their customers. No doubt this is the banks' fault, but Apple shares some of the blame for allowing their system to be used in this way, especially since they know more than anyone the headline will read "Apple Pay security breach".
But your comment about "other means" got me thinking:
Yes, they send the mobile phone number, iTunes account and Apple ID information, all having my name listed. As you mentioned, they also send the location, which in my case was my home, where the address matched the AMEX account. In addition, they have the IP information, which is also close by, although that would be less reliable than the other information; however, in conjunction, just further verification.
We get it. The glass is 0.1% empty. Apple's shiny name must be soiled.
You're not giving Apple any credit for securing transactions (no more CC theft from POS terminals or card skimming), and you are blaming Apple for some banks not validating credit cards registered with Apple Pay. This sounds suspiciously trollish. Like the people who wanted to pin all Foxconn factory labor violations on Apple, despite everything Apple does to combat the issue.
Culpable? Only if you arbitrarily assign them responsibility for validating registered credit cards. If your bank isn't doing enough to protect its customers, consider demanding that they do, because, you are their customer. If it were my bank, I wouldn't let them off the hook for security. Unless you are just looking for a reason to blame Apple for something.
We get it. The glass is 0.1% empty. Apple's shiny name must be soiled. You're not giving Apple any credit for securing transactions
Apple knows anything attached to Apple Pay however remotely is going to reflect on them. I'd prefer this story be reported the way it should be, but that's not how the world works, and Apple knows it.
And read what I actually wrote, I gave Apple full credit for developing a secure system. But what have they done to make sure their partners are protecting their end? It would seem nothing. All Apple has to say to their partners is -- you can't use Apple Pay unless you meet minimum requirements to prevent criminals from using our system for fraud. But it would seem such a simple step has not been taken, and banks have dropped the ball allowing their incompetence to sully Apple's achievements in the media. Nobody is talking about how secure Apple Pay is, but rather how it's being used for fraud. People don't care whose fault it is, all they hear is Apple Pay & fraud. And Apple has a duty to itself, if no one else, to make sure its partners can't damage the reputation of their product.
Apple has been one of the most trustworthy cardholders in the world for years with iTunes Store and Apple Store operations. Maybe Apple gave too much autonomy to the banks that weren't properly prepared. If Apple operated alone, these problems probably would not be occurring.
We don't even know for sure if banks are facing real problems with frauds in their approval process for credit cards. As everything related to Apple, this story smells too much like just another irresponsible rush for pageviews.
That's right, which is why Apple should never do anything if even the weakest of connections with Apple will cause sensationalist rag sites to create a headline devised to get more page clicks. Apple should have never made Apple Pay and we would all be better off¡
2) The device doesn't need a valid SIM card for it to be connected to the Internet and otherwise working.
3) You don't need to use your fingerprint with Touch ID.
4) There is no evidence Apple copies your Touch ID prints and then uploads to their servers. In fact I'm quite certain they don't, not to mention that Touch ID doesn't take a photograph of your fingerprint.
I really don't understand number 3. Please explain. I thought Touch ID reads your print?!? Have I really understood this wrong? And the second thing is, where I live, if cardholder details don't match up on the service (iTunes, web application, Apple Pay?) then it shouldn't go through...
I really don't understand number 3. Please explain. I thought Touch ID reads your print?!? Have I really understood this wrong?
You can use a fingerprint, but the print of a finger is not required. You can use most parts of your body, your pet's paw, or pretty much anything else that also has some electrical resonance to it. The only thing that seems to really be a requirement is touch.
And the second thing is, where I live, if cardholder details don't match up on the service (iTunes, web application, Apple Pay?) then it shouldn't go through...
What on earth are you talking about? This fraud had nothing to do with regular consumers using Apple Pay. The victims are not necessarily Apple customers at all. The criminals used stolen CC data to create Apple Pay access to those stolen accounts because of weak bank protocols.
How can the average Joe iPhone 6 owner using Apple Pay cause fraud to occur?
He's a known troll, and I already have him blocked. Best not to feed the trolls.
Online stolen credit card bazaars provide all the information that some banks were requiring for registration with Apple Pay.
No legitimate user of Apple Pay was ever at risk of fraud or theft.
But - thieves who acquired credentials have obviously been able to register stolen cards using Apple Pay.
Due to the implied security of Apple Pay's design, this meant they could make multi-thousand-dollar purchases without even showing a photo ID.
This has everything to do with Apple Pay. Between Apple and the issuing banks, someone certainly dropped the ball. Apparently the loophole is being closed.
I'm continually amazed at the number of posters here who believe Apple to be infallible, impermeable and invincible.
Keep slurping that kool-aid, folks...
This has NOTHING to do with APPLE PAY, the system has not been breached, as everything is working as it should be. You just love trolling. Learn to read, this issue stems from the BANKS not doing any verification on new activations, a BIG no-no!
So thanks, but we're not slurping any kool-aid (poison btw), we just know how to read and how to understand the truth. You just like to troll.
This is an interesting point. Since the merchant can't see the CC data, they have no way to compare the driver's license. Many places require the card to be present along with photo ID. The post office is one that I know offhand.
Sure they can. They can see everything that goes through their terminal. What they don't see is the physical card's number, but rather the data for the representational number that is tied to your account. They can still track that data when you do purchases.
Really? The checkout clerk can see the name on the credit card? Everywhere I have used Apple Pay they just wait for the receipt to pop up. Where does the name on card display?
Oh, you mean the employee at the register? I thought you meant the merchant, as in the company in which you're making the purchase, as well as all others involved with the actual digital transaction, regarding the verification, allocation, and transfer of funds from your account to theirs.
Banks, like other corporations, exist to make money for their CEOs and investors, with no laws in place or enforced to make the CEOs and investors liable for incompetence or mistake. Banks don't care and they don't have to. It's a cost of doing business, which, of course, we pay for. Since they own the politicians, nothing will change.
Sure, but we're talking about very little effort to create a great deal more security that will result in lower costs to the bank (or the insurance company they pay for fraud claims which they then have to pay into with each renewed contract), as well as other issues that can hurt a bank's brand. It's clearly about money for not investing in that little bit of extra work, but it's the shortsightedness I mention.
To me this whole thing seems just so idiotic. Why would someone be so STUPID to try something like that? Apple has your fingerprint and your phone ID and your other credentials. Why pair other people's credit cards to your phone? Seems just like a sure way to get caught and get your ass jailed??? Man, it's like making a burglary and leaving your driver's license on the floor?!?!
I don't believe you are correct. As I understand it, the fingerprint data on the phone is not accessible, Apple does not have your fingerprints -- the fingerprint data on the iPhone cannot be read or dumped. It's a one-way cypher. The iPhone merely determines if the last Touch ID finger image matches the stored data.
1) It could be a stolen iPhone.
2) The device doesn't need a valid SIM card for it to be connected to the Internet and otherwise working.
3) You don't need to use your fingerprint with Touch ID.
4) There is no evidence Apple copies your Touch ID prints and then uploads to their servers. In fact I'm quite certain they don't, not to mention that Touch ID doesn't take a photograph of your fingerprint.
I don't understand this question and comment.
So what would we call a '-gate' that is actually about water?