Rejigged iOS Security Guide details Apple Pay Cash, other iOS 11 improvements

Posted:
in iOS edited January 11
Apple on Thursday unveiled a revised edition of its mobile security white paper, adding details on iOS 11.1 and 11.2 for information security professionals and intellectually curious users.




The biggest change to the oft-updated guide is a new section dedicated to Apple Pay Cash, Apple's recently released peer-to-peer payments feature that works inside of Messages. Apple Pay Cash debuted last month with iOS 11.2.

According to the document, Apple Pay Cash transactions are processed in a fashion not unlike standard Apple Pay:
When the user sends money with Apple Pay, adds money to an Apple Pay Cash account, or transfers money to a bank account, a call is made to the Apple Pay Servers to obtain a cryptographic nonce, which is similar to the value returned for Apple Pay within apps. The nonce, along with other transaction data, is passed to the Secure Element to generate a payment signature. When the payment signature comes out of the Secure Element, its passed to the Apple Pay Servers. The authentication, integrity, and correctness of the transaction is verified via the payment signature and the nonce by Apple Pay Servers. Money transfer is then initiated and the user is notified of transaction completion.
The document reveals that identity confirmation data - which Apple says is requested if an Apple Pay Cash balance reaches a predefined amount or if unusual activity is detected - is transmitted to the company's verification partner. Apple itself does not receive and cannot access that data, and the partner is unnamed.

Other changes include updates to security certifications, shared notes, CloudKit end-to-end encryption, standard Apple Pay, Shared iPad in educational environments, and Siri Suggestions. Face ID security measures, covered in a separate white paper, are also folded in.

Comments

  • Reply 1 of 9
    Interesting. I’m curious to know how much, if any, anonymity there is in these transfers. Granted, it would be clear when you transfer money to and from your bank. But if I move money onto and off of my Apple Pay Cash card from/to other APC users is there a record of who made those transfers?

    Also, if I have money on my APC “card” and use that to purchase something, where does the the merchant get their money from? And can that purchase be traced back to me (assuming I didn’t use a loyalty card or something similar that would identify me). 
    edited January 11 watto_cobra
  • Reply 2 of 9
    I was sent $75.  It showed up as Apple Pay Cash.

    I then attempted to send $81 to someone else.  I only had my credit card information entered.

    Adding the $6 didn’t work.  I was required to enter another account to transfer money into Apple Pay Cash.

    My understanding was with sending money using Apple Pay you could send money using a credit card ‘as the source’ but you would be charged the credit card fee of 3% vs. nothing when using an ATM card. That doesn’t seem to be true...

    I also couldn’t transfer the $75 (Apple Pay Cash) to my credit card.

    I ordered an ATM card for my checking account.

    The point is with retailers Apple Pay only requires a credit card.  But using Apple Pay Cash requires another account to be entered.

    I was doing all this to test how it worked.  If I’m mistaken correct me.
  • Reply 3 of 9
    Interesting. I’m curious to know how much, if any, anonymity there is in these transfers. Granted, it would be clear when you transfer money to and from your bank. But if I move money onto and off of my Apple Pay Cash card from/to other APC users is there a record of who made those transfers?

    Also, if I have money on my APC “card” and use that to purchase something, where does the the merchant get their money from? And can that purchase be traced back to me (assuming I didn’t use a loyalty card or something similar that would identify me). 
    The sender has no anonymity.  And the receiver is revealed in the senders transaction history.  The receiver shows who sent it, and a transaction ID.

    But the recipient probably does have a degree on anonymity until they take the money out of Apple Pay Cash.  Or, someone has access to the senders account.

    I’m sure law enforcement can contact Apple and get everything, but they’d need to know to look there.

    The question is what would happen if all the senders and recipients used Apple Pay.  You could probably do some crazy money laundering, but it would be the same as using something like PayPal.

    This just adds something new to the criminal/law enforcement dance. 
  • Reply 4 of 9
    Interesting. I’m curious to know how much, if any, anonymity there is in these transfers. Granted, it would be clear when you transfer money to and from your bank. But if I move money onto and off of my Apple Pay Cash card from/to other APC users is there a record of who made those transfers?

    Also, if I have money on my APC “card” and use that to purchase something, where does the the merchant get their money from? And can that purchase be traced back to me (assuming I didn’t use a loyalty card or something similar that would identify me). 
    I assume the merchant purchase would take the money out of Apple Pay Cash first, then whatever other account you have tied to Apple Pay.  It wouldn’t make sense doing it another way otherwise they could be eating the credit card fees.

    Yes.  The merchant knows who you are... there is still a money trail.

    But it’s not like they can initiate another transaction without your approval.
  • Reply 5 of 9
    It seems like this technology can be extended to Apple Banking.  But where it would get interesting would be things like “overdraft protection” which would make Apple also a loan company.  I suppose Apple could outsource that part...

    But since Apple is ‘holding” money as Apple Pay Cash, doesn’t that already make them a bank?  I wonder what kinds of regulations they’re dealing with...
  • Reply 6 of 9
    Interesting. I’m curious to know how much, if any, anonymity there is in these transfers. Granted, it would be clear when you transfer money to and from your bank. But if I move money onto and off of my Apple Pay Cash card from/to other APC users is there a record of who made those transfers?

    Also, if I have money on my APC “card” and use that to purchase something, where does the the merchant get their money from? And can that purchase be traced back to me (assuming I didn’t use a loyalty card or something similar that would identify me). 
    Yes.  The merchant knows who you are... there is still a money trail. 
    Are you sure? The merchant does not get visibility to that information when using Apple Pay. Those transactions details are between you and the card issuer. 

    Edit: So if I pay using APC how would the merchant get my information?  Is an APC transaction using tokens like Apple Pay does? Who decrypts the token on behalf of the merchant?  I’m leaning toward it doesn’t work like that, that my APC transaction is handled by Discover on the back end, is still using a token and the merchant is basically out of the loop and just receives the money.

    That leads me to think that if I send you money via APC, Apple does the lifting but we are anonymous to them, Discover handles the actual moving of money but our identities may not be hidden from Discover. But I have no idea, just trying to figure it out.
    edited January 12
  • Reply 7 of 9
    I was sent $75.  It showed up as Apple Pay Cash.

    I then attempted to send $81 to someone else.  I only had my credit card information entered.

    Adding the $6 didn’t work.  I was required to enter another account to transfer money into Apple Pay Cash.

    My understanding was with sending money using Apple Pay you could send money using a credit card ‘as the source’ but you would be charged the credit card fee of 3% vs. nothing when using an ATM card. That doesn’t seem to be true...

    I also couldn’t transfer the $75 (Apple Pay Cash) to my credit card.

    I ordered an ATM card for my checking account.

    The point is with retailers Apple Pay only requires a credit card.  But using Apple Pay Cash requires another account to be entered.

    I was doing all this to test how it worked.  If I’m mistaken correct me.
    Take a look at this page on Apple support, it shows your exact scenario : https://support.apple.com/en-us/HT207875 While you can't add funds to Apple Pay Cash card via credit card you can send money from credit card but will incur a 3% fee. And you can send from both Apple Pay Cash card and Credit/Debit card as a split transaction. You can't transfer money from Apple Pay Cash card to credit/Debit card but you can transfer to your bank without fee. See this: https://support.apple.com/en-us/HT207882
  • Reply 8 of 9
    I believe the correct spelling is “rejiggered”.
  • Reply 9 of 9
    I believe the correct spelling is “rejiggered”.
    I believe you must be very fun at the American-only parties you attend.
    williamlondon
Sign In or Register to comment.