I don't believe you are correct. As I understand it, the fingerprint data on the phone is not accessible, Apple does not have your fingerprints -- the fingerprint data on the iPhone cannot be read or dumped. It's a one-way cypher. The iPhone merely determines if the last touchID finger image matches the stored data.
And even if Apple (or someone else) were to get ahold of the data in the Secure Enclave it still wouldn't translate to an image of your fingerprint.
I am glad that this happened on the ApplePay and not something else. At least you have an industry leader known for their quality and their pursuit of perfection and I am sure that Apple (if there is really a problem) will step up and lead to find a solution.
Can you imagine if this happened on a non-iOS product? Who would have taken the lead on that, the banks or the phone manufacturer or the OS provider or the payment networks?
It would take forever to get all of these parties to even agree on what the problem is and how to solve it.
Go Apple, you are doing the right thing. If you were not, no one would have cared to read or comment.
Sure, but we're talking about very little effort to create a great deal more security that will result in less costs to the bank (or the insurance company they pay for fraud claims which they then have to pay into with each renewed contract), as well as other issues that can hurt a bank's brand. It's clearly about money for not investing in that little bit of extra work, but it's the shortsightedness I mention.
Security that is not just band-aids takes much more than a little effort. I think it was Linus Torvalds (or maybe Edsger Dijkstra) who was quoted as saying (though I haven't found the quote) that the biggest security problem is code with bugs.
Again, it's not a Band-Aid to call to have a CSR verify answers to challenge questions before making Apple Pay work for that card. Your incessant defense of banks not having the time, money, or aptitude to have a customer call up a help desk with a supplied phone number is as abhorrent as it is ridiculous.
As for mentioning bugs in code, I have no idea what the **** that is referring to since we're talking about authorizing a user's card, not about designing an encryption method.
To me this whole thing seems just so idiotic. Why would someone be so STUPID to try something like that? Apple has your fingerprint and your phone ID and your other credentials. Why pair other people's credit cards to your phone? Seems just like a sure way to get caught and get your ass jailed??? Man, it's like making a burglary and leaving your driver's license on the floor?!?!
Because it worked. You can hand type all the info which would be easy to get with a smart phone camera and a few seconds with the card (like you might have at a restaurant where they take your card away to swipe it rather than do it in front of you). The banks weren't doing anything to verify it's you.
And Apple doesn't have your fingerprint. That is encoded into the secure element and never leaves the phone. It isn't backed up etc. or you can use your passcode for Apple Pay.
Between Apple and the issuing banks, someone certainly dropped the ball.
There's no 'between'. Apple was never the issue. They provided the means for the banks to have verification if the bank chose to do it. The banks didn't all do it.
This is an interesting point. Since the merchant can't see the CC data, they have no way to compare the driver's license. Many places require the card to be present along with photo ID. The post office is one that I know off hand.
In violation of basically all card merchant agreements. They all say that you can't ask to see an ID to take a card. If it is presented you check that it's signed. If yes, take it. If no, it's not valid so refuse it. I believe it's Discover that lets you ask for ID, demand the card is signed and then you can take it.
Smart card thieves know this and will use it to raise a fuss. I remember one guy actually had copies of the merchant agreements on him. My manager used it against him to refuse the cards because they weren't signed when first presented. We only found out later that the guy had been in several stores buying tons of stuff and they had fraud chargebacks. It was a high-end mall so the companies reviewed camera tape to find who was rung up after a comment at a mall meeting made them realize they had all encountered the same guy.
If you buy with a REGULAR Visa card here in Finland it's certainly made clear that the merchant takes the risk of losing transaction credit if they don't do verification of ID. This is also the case on buying online with a credit card. If the delivery address is NOT the same as on the order as the card billing address then the payment won't be accepted.
But in THIS case you can't/shouldn't check these in the store? It's the BANK'S problem if it fails to identify phone owner with card ownership. And the only one to blame is the bank. The merchant can't do much if you can't check card user/payment details vs user ID?
You can use a fingerprint, but the print of a finger is not required. You can use most parts of your body, your pet's paw, or pretty much anything else that also has some electrical resonance to it. The only thing that seems to really be a requirement is touch.
- http://fullyc.com/7-non-finger-things-you-can-use-to-unlock-the-iphone-5s/
I don't understand this question and comment. Consider this...
- All credit cards have detailed information about the cardholder. They have names and billing addresses. This information has to be given also when registering an Apple ID? If this information is not the same then it can't be anything other than a scam attempt?! And there are other aspects regarding security checks that can be used to sort out scammers.
E.g.
Can the same card be registered to several iTunes accounts?
What country the card is registered in?
What kind of Apple ID account is it (old credit card or some kind of bogus gift card account?) And if you think about this REALLY... HOW hard is it to track down this device that was used for the scam purchase??? It involves nothing more than to track the device and give its location to police and so on... To me this sounds nothing more than a low IQ common criminal.