How Apple Pay is designed to avoid the pitfalls of traditional payment systems


  • Reply 41 of 73
    icoco3 Posts: 1,459 member
    Quote:
    Originally Posted by AppleInsider View Post



    ...

    How Apple Pay is different

    ...

    With Apple Pay, rather than receiving a card number, CVV, expiration date, and billing address from the customer, the merchant receives only a device-specific token and a dynamic, one-time-use security code. The token is translated into a credit card number only when it reaches the payment network, meaning that only the consumer's bank and the payment network have information about both the person and the transaction.



    Apple has gone to great lengths to tout Apple Pay's security and privacy bona fides, both on the Apple Pay marketing site and in the company's knowledge base. As they say:

     
    Apple Pay was designed so that when you pay in stores Apple doesn't collect any transaction information that can be tied back to you.

    This focus on privacy differentiates Apple Pay not only from the current physical credit card system, but also from competing mobile payment platforms.

     

     

    Quote:
    Originally Posted by bradipao View Post



    Where is the database that maps tokens to credit card numbers located? Phone or Apple servers?

     

    Your answer was in the article as highlighted above.

  • Reply 42 of 73
    gatorguy Posts: 20,904 member
    danite wrote: »
    I wonder why they changed their name? Was it a branding problem of some kind?

    No it was the association some people made with the "terrorist" group ISIS.
  • Reply 43 of 73
    daven Posts: 538 member

    An overlooked benefit to the retailer is that if their system is hacked, the hackers only have access to meaningless data that can't be reused or associated with an individual. There is no value in the data once the transaction is completed.

  • Reply 44 of 73
    daven wrote: »
    An overlooked benefit to the retailer is that if their system is hacked, the hackers only have access to meaningless data that can't be reused or associated with an individual. There is no value in the data once the transaction is completed.

    Correct. Retailer failure to implement adequate security measures virtually ensures success for Apple Pay.
  • Reply 45 of 73
    jungmark Posts: 6,709 member
    Apple is big, but not big enough to force the big banks and CC companies to adopt their system.

    According to the DoJ, it is big enough to force the publishers to raise prices. Can't wait until Amazon gets in on the NFC and then get the DOJ to investigate Apple.
    gatorguy wrote: »
    No it was the association some people made with the "terrorist" group ISIS.

    Why is terrorist in quotes?
  • Reply 46 of 73
    mike1 Posts: 1,911 member

    Amazing what happens when you actually step back and think through the entire process. Looking forward to using this.

  • Reply 47 of 73
    Quote:

    Originally Posted by DaveN View Post

     

    An overlooked benefit to the retailer is that if their system is hacked, the hackers only have access to meaningless data that can't be reused or associated with an individual. There is no value in the data once the transaction is completed.


     

    This cannot be stated enough.

     

    You can't be phished for your Apple Pay credentials through any online scam. Nor can you lose your credentials if someone is "monitoring" the networks and trying to intercept your transaction (whether it's at the NFC terminal itself or through the connection from the POS terminal to the bank). Even the more sophisticated hackers who "modify" POS terminals (as has happened here in Vancouver) can't get any useful data.
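The point made in the replies above (a breached merchant holds only a token and a spent one-time code) can be shown with a toy model. This is an added example, not part of any post and not Apple Pay's or EMV's actual protocol: the HMAC-based cryptogram, the transaction counter, and all class and function names are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

def cryptogram(key, token, counter, amount):
    # One-time code: MAC over token, transaction counter and amount (assumed scheme).
    msg = f"{token}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class PaymentNetwork:
    """Toy network: the only party holding the token -> card number mapping."""
    def __init__(self):
        self._vault = {}     # token -> (card number, device key)
        self._seen = {}      # token -> highest counter accepted so far

    def provision(self, pan):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token], self._seen[token] = (pan, key), 0
        return token, key    # goes to the device, never to the merchant

    def authorize(self, tx):
        if tx["token"] not in self._vault:
            return "declined: unknown token"
        _pan, key = self._vault[tx["token"]]
        want = cryptogram(key, tx["token"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(want, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["counter"] <= self._seen[tx["token"]]:
            return "declined: replayed cryptogram"
        self._seen[tx["token"]] = tx["counter"]
        return "approved"

class Device:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = cryptogram(self._key, self.token, self._counter, amount_cents)
        return {"token": self.token, "counter": self._counter,
                "amount": amount_cents, "cryptogram": code}

def demo():
    network = PaymentNetwork()
    pan = "4111111111111111"                   # constructed test card number
    device = Device(*network.provision(pan))
    captured = device.pay(1999)                # everything the merchant's POS sees
    first = network.authorize(captured)
    replay = network.authorize(dict(captured))             # stolen record resubmitted
    altered = network.authorize({**captured, "counter": 2, "amount": 50000})
    return first, replay, altered, pan in str(captured)
```

`demo()` returns the result of the genuine payment, of a replayed record, of a record altered without the device key, and whether the card number appears anywhere in what the merchant received.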

  • Reply 48 of 73
    gatorguy Posts: 20,904 member
    jungmark wrote: »
    According to the DoJ, it is big enough to force the publishers to raise prices. Can't wait until Amazon gets in on the NFC and then get the DOJ to investigate Apple.
    Why is terrorist in quotes?

    While here in the US most would consider them terrorists they may not be looked at that way everywhere.

    EDIT: There's no doubt in my mind that they should be classified as terrorists. Thanks TS.
  • Reply 49 of 73
    gatorguy wrote: »
    No it was the association some people made with the "terrorist" group ISIS.
  • Reply 50 of 73
    Originally Posted by Gatorguy View Post

    While here in the US most would consider them terrorists they may be looked at that way everywhere.

     

    I don't see how the mass slaughter of innocents because they don't agree with you ≠ terrorist.

  • Reply 51 of 73
    Do you think?
  • Reply 52 of 73
    Quote:

    Originally Posted by brucemc View Post

     

    Surprising this fact isn't getting more coverage.  By having a biometric with a secure storage, Apple has eliminated one of the weakest links in the chain - the users themselves.  Whether it is by choosing a simple PIN/password, or falling for phishing scams, the user is the easiest to compromise (see: celebrity pic scandal).  With TouchID & secure element storage, a user simply can't make those mistakes.  Should be a huge leap forward on improved security in payments (brick & mortar, and on-line).

     

    Tying that biometric & secure storage into the payment solution requires control of the HW, software, and services.  I believe only one company can do that right now.


     

    This is actually my greatest area of concern. In access control, there are two major types of authentication errors associated with biometric devices: the False Reject Rate (FRR, Type I) and False Accept Rate (FAR, Type II). Obviously the FAR is much more of a concern since we're allowing someone in that doesn't belong. 



    If it's easy to fool the biometric sensor on the iPhone 6 [Plus], then that's the greatest weakness of this entire system. (I'm not saying it is easy to fool, I'm just saying it's potentially the biggest problem.) I haven't seen much information about iPhone 6 [Plus] and its biometric accuracy yet -- but it definitely would be interesting to look into.

     

    Either way this system is still far more secure, by design, than magstripe cards.
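The FRR/FAR trade-off raised in the reply above, as an added example that is not part of the post: given match scores for genuine and impostor attempts, it finds the lowest acceptance threshold that keeps FAR under a target and reports the FRR that choice costs. The scores are constructed sample data, not measurements of Touch ID or any real sensor, and the function names are hypothetical.

```python
# Constructed match scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.96, 0.72, 0.86, 0.97, 0.66, 0.89, 0.93, 0.81]
IMPOSTOR = [0.12, 0.31, 0.44, 0.22, 0.71, 0.51, 0.18, 0.38, 0.62, 0.27]

def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # Type II: impostor accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # Type I: owner rejected
    return far, frr

def operating_point(genuine, impostor, max_far):
    """Lowest threshold (in 0.05 steps) whose FAR does not exceed max_far."""
    for step in range(0, 105, 5):
        threshold = step / 100
        far, frr = far_frr(genuine, impostor, threshold)
        if far <= max_far:          # FAR only falls as the threshold rises
            return threshold, far, frr
    raise ValueError("no threshold meets the FAR target")

def tradeoff():
    """Compare a lenient FAR target with a strict one on the same data."""
    return (operating_point(GENUINE, IMPOSTOR, 0.10),
            operating_point(GENUINE, IMPOSTOR, 0.0))
```

On this sample, tightening the FAR target from 10% to 0% moves the threshold from 0.65 to 0.75 and raises the FRR from 0% to 20%, which is why a sensor is tuned for FAR first and pays for it in false rejects.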

  • Reply 53 of 73
    cali Posts: 3,495 member
    mehran wrote: »

    Remember, Apple is not rolling out ApplePay so I doubt if Apple will do anything beyond providing the capability and some marketing.  It is the credit cards or large merchants that will do the rollout.  I hope Apple is working on international rollout such as Europe where NFC has more widely rolled out.
  • Reply 54 of 73
    jungmark Posts: 6,709 member
    gatorguy wrote: »
    While here in the US most would consider them terrorists they may be looked at that way everywhere.

    Beheading hostages due to politics is not an act of terrorism?

    Threatening death to those that disagree with them is not an act of terrorism?
  • Reply 55 of 73
    Originally Posted by Mehran View Post

    Remember, Apple is not rolling out ApplePay...

     

    ...what?

     

    Originally Posted by jungmark View Post

    Beheading hostages due to politics is not an act of terrorism?



    Threatening death to those that disagree with them is not an act of terrorism?

     

    Note that our questions are not directed at you, Gatorguy, but at anyone who would not condemn IS in that regard. Makes you wonder about their intentions.

  • Reply 56 of 73
    cali Posts: 3,495 member
    mazecookie wrote: »
    Absolutely. Apple has been deliberately hyping banks, retailers and apps as a thank you for participating, and as a reason for others to get on board - for the coverage. Not only that, but Apple will most definitely be either upgrading the initial participating retailers POS terminals free of charge, or be subsidising the cost to push the adoption as fast as possible.

    I'm still upset the new iPads don't accept Apple Pay-ments. Talk about a lost opportunity.
  • Reply 57 of 73
    cali wrote: »
    I'm still upset the new iPads don't accept Apple Pay-ments. Talk about a lost opportunity.

    You can make payments online with Apple Pay and the new iPads. There's no NFC chip, so no, you cannot hold your iPad up to a terminal at retail.
  • Reply 58 of 73
    maestro64 Posts: 4,642 member
    Quote:

    Originally Posted by Misa View Post





    ... pending banks getting on board.



    Canada and Europe have chip+pin, and we also have NFC already. So if the NFC terminals need to be updated to support Apple Pay, there might be some balking at having to cycle the hardware out yet again, but we've had chip+pin terminals long before chip+pin was rolled out. In fact (in Canada) we had CIBC/Amex try to roll out a chip card more than a decade before EMV chip+pin actually got forced on everyone.



    The thing is, chip+pin and NFC payments as they are currently in Canada and Europe, don't work like US payment systems work. Even Canadian banks that own American Banks (BMO, TD) aren't rolling out Apple Pay at their Canadian banks. The systems are all internally different. In a sense, when you use BMO in Canada with your US debit card, it's being treated as a cash advance on a credit card, and you can't actually access the US bank account to withdraw "US cash"



    So this is why there will obviously be problems with Apple Pay being rolled out in Canada and Europe, because we have different debit card systems, and the banks have their own proprietary solutions they would rather you use.

    http://www.iphoneincanada.ca/news/td-bank-cio-apple-pay/

    In a technical sense Apple Pay is more secure than chip+pin, as it uses a biometric "PIN", and Apple never stores the card number in the device (like Google does.)

    It will be interesting to see what happens. I know in Canada they tend to fight against anything that appears to be US centric. They fought against DirecTV unless they included Canada-specific programming; hell, they did not like that Canadians living close to the US border could pick up US TV stations.

    The issue at hand is the fact that Visa, Master Card and Amex are all used worldwide, and many times a US card holder gets their CC # stolen when they travel outside the US, more times than within the US. I remember a time when I used to have to call my CC company and tell them I planned to travel outside the US just so they did not shut my card off when an international charge showed up.

    Yeah, Canadian banks may not jump on, but if they issue a Visa or Master Card they may be forced to comply with their wishes if they do not want to deal with the fraud. This is not going to be an overnight thing. This is just the first step in what is to come in the next 5 yrs. Also, this is not going to be a 100% coverage thing, since there will still be a large majority of people who are not iPhone users.

  • Reply 59 of 73
    iaeen Posts: 588 member
    Quote:

    Originally Posted by RoboNerd View Post

     

     

    This is actually my greatest area of concern. In access control, there are two major types of authentication errors associated with biometric devices: the False Reject Rate (FRR, Type I) and False Accept Rate (FAR, Type II). Obviously the FAR is much more of a concern since we're allowing someone in that doesn't belong. 



    If it's easy to fool the biometric sensor on the iPhone 6 [Plus], then that's the greatest weakness of this entire system. (I'm not saying it is easy to fool, I'm just saying it's potentially the biggest problem.) I haven't seen much information about iPhone 6 [Plus] and its biometric accuracy yet -- but it definitely would be interesting to look into.

     

    Either way this system is still far more secure, by design, than magstripe cards.




    TouchID has been around for a little over a year now. In the beginning, there was a group that claimed they could beat it using sophisticated and expensive equipment, but they never released solid proof that they succeeded. Otherwise, there has been no hint that it can be defeated, and I doubt that was for a lack of trying.

     

    In any case, they would need to have physical access to your phone as well as a copy of your fingerprint to duplicate before they could make any purchases. By the time they managed to get it all together, a smart person would have already de-authorized the phone through iCloud.

     

    Any way you look at it, this is much better than credit cards where they only need to have your card, and they can do whatever the hell they want.

  • Reply 60 of 73
    lantzn Posts: 240 member
    Anyone else wonder why SoftCard changed their name from ISIS?
    lol