thanks Apple, now I'm living the dream!
You made my life so much better, now I'm rolling in cash.
A true innovation :)
laterz xx
Apple and its banker pals may have inadvertently lowered the barrier to credit card fraud by adding pay-by-wave technology to iPhones, security experts fear. Payment cards can be added to Apple Pay by taking a photo of the card, and allowing a device to run optical character recognition over the image to fill out the long card …
Blame the banks not Apple. Their lax security procedures are to blame.
Sadly that won't stop the Anti Apple brigade who lurk here from having a field day.
Just remember that the article does say the Google Wallet etc will also suffer from this problem.
Did I hear............"Anti Apple" ???
Apple is equally to blame, they are the enabler. They signed up with these banks, they know how the banks operate, they go along with it for profit. Remember, this is "Apple Pay", not "$BANK_NAME Pay". What, you give a kid matches and you have no blame for the fire?
As far as the article goes, Avivah Litan is way, way, WAY out of the loop. If he ever thought that having just the details was NOT enough, he clearly never read about #CC on Efnet or all the various versions of paypal's ability to add anyone's e-mail to anyone's account (countless other sites work too).
But, I came for Anti Apple....stay focused! Apple pretends it's now cool to pay with credit cards via the internet. If they would have waited longer than 20+ years, they might have missed the window.
"Is entrusting credit card verification to banks as irresponsible as giving a child matches?"
..........it would appear so. Although I also do not have much time for the fact that:
" These numbers can be entered manually, so physical access to a card is not needed."
........was something that Cupertino failed to notice was not the smartest thing that they could be associated with.
In short, neither the (w)bankers or the fruity company have exactly covered themselves with intellectual glory on this occasion.
Although the banks are playing their part, Apple Pay is allowing a photo of a credit card to be used indefinitely as a payment option.
The banks shouldn't be allowing it, but Apple Pay isn't being blocked by the banks either - so presumably Apple Pay are doing something in order to allow this situation to occur.
If Apple are relying on the banks to authorise the transaction, they are still storing all that data and - presumably, like Amazon - taking the liability on it to an extent. Notice that Amazon don't put you through the Visa/MasterCard secure schemes where you have to type in codes and verify to the source bank - they are storing your information for 1-click and then taking the hit on fraud themselves.
Presumably, Apple are doing the same here OR have negotiated their way out of liability with the banks.
Seriously, people, all that Chip-and-PIN stuff that the EU fought for for years? It's worthless here. We're still doing transactions with just the card number. Do they even use the CCV code on the back of the card?
If the number is enough (and it appears so for Amazon and Apple Pay) then the Chip & PIN stuff is worthless, even if the liability is shifted from the card issuer to the retailer. If the number isn't enough, Apple Pay wouldn't be able to operate as they are doing - and nor would Amazon. If the number is enough but liability is pushed to Apple, then it's partly Apple's fault for allowing this to happen for the sake of simpler business processes.
I wouldn't really compare Apple Pay with Amazon in their use of number only.
With Amazon you have to have an account, perhaps with dodgy details but you do typically need to get stuff delivered somewhere (well except the digital stuff though I doubt crims would bother with stuff they couldn't fence). With Apple Pay you can walk into a store, buy real stuff and walk out without anyone the wiser about who you really are.
If the bank sent a snail mail letter to the account holders address with a code attached, then the owner of the card would a) know it was stolen and b) be able to prevent the card been added to apple pay. If the hacker wants to get round this then they need to intercept the letter. At which point it's no longer a remote attack.
Goddammit! The social security number is not to be used for identification purposes other than by the social security administration. How many times do the witless f*ckers in banking IT need to have that screamed at them? And then, having decided to ignore that stricture, to only use less than half the digits?
Jesus f*cking Christ on a bike.
How in f*ck's name could this level of stupid be deployed in this day and age in light of what we as an industry have learned regarding electronic banking and the methods to subvert them?
To paraphrase the short guy from Game of Thrones:
Hands. Coal hammers.
Maybe that is the scam! A way for apple to bring those billions back into the USA and avoid tax?
Apple agents would also be the "scamming party" that scams Apple. The foreign fund holding division would make a loss as it refunds fraudulent payments in the USA from foreign held funds.
Someone else work out the detail for me.
In what alternate universe are Social Security Numbers "guaranteed to be unique"?
Not in this one they ain't. I work at the sharp end of this and can state from actual knowledge gained at the expense of much pain, suffering and cries of "why me?" that the SSN is far from being guaranteed unique.
Even if you discount the possibility of fraudulent SSN coinage, latency in the SSA's system can cause perfectly legitimate applications to be granted the same number, or could, 15 years ago. To design systems that use SSN as a unique identifier is to be shown to be the sort of IT professional who should be forced to wear very large shoes on their feet and a red rubber ball on their nose.
I would hope that the latency issues have been addressed in the 15 years since I last investigated this, but nowhere will you find a statement to the effect that the SSN may be used by every Tom, Dick and Harry as a unique identifier without let or hindrance.
Precisely! These banks take the piss. I worked for an investment bank a few years ago... 2 days after starting I received an email from my manager telling me to put all my passwords in the Macro enabled Excel spreadsheet that was attached and upload to an SMB Share for "backup purposes". No S/MIME, nothing.
I resigned the following week. Pathetic.
The implementation has, shall we say, issues. So the crooks are using the iPhone to rip-off Apple in order to rip-off banks, private citizens, etc. The poetic part is using a product to rip off the maker.
The problem still boils down to the banks. IF they were serious, you'd take your phone and proper ID into the bank for verification. But that might inconvenience some users, right? It also wouldn't let the bank off the hook when it's bailout time. Once again, users/taxpayers/honest citizens are screwed by the few and the mighty.
In the past, they have not been afraid to dictate to both users and companies alike, exactly how they are to do business with Apple.
If Apple release this form of payment method, without demanding a high threshold of identification and verification parameters to be able to use this service, then they are just as much to blame as the banks.
And yes, I would say the exact same thing about google wallet if they allow such lax measures to be used for verification.
ApplePay is far more secure than carrying your credit card around in your wallet. It is far less likely for fraud due to the inbuilt security mechanisms.
However, fraudsters will always try different ways - and these apply to any contactless payment, not just ApplePay (just Apple is so visible, putting Apple in a headline makes for a good headline).
If fraudsters access a retail vendor's server database it is the fault of the vendor who are in turn a victim of the fraudsters.
However, loading it on to a smart phone is a risk to the fraudster since it is more likely to be tracked (as in Find My iPhone). Maybe those anti-fraud measures are not in place at the moment, but it is easy to see that the backend could be tightened up in this way. No need for FUD against ApplePay, thanks.
I don't get how Apple Pay is more secure than carrying your credit card in your pocket.
With my card, it's a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card.
With Apple Pay, the physical card is not present. It looks like all you need is a PHOTO of the card to load it into Apple Pay, and the SSN's last four digits.
To compare, that would be like me giving the card to a friend along with the PIN number and telling them to go buy something for me.
I'm sure all contactless payment systems may have the same problem, although it seems that Paypal and Google Wallet may not have had it to this extent. This could be either due to Google's registration process or through low usage. I don't know how rampant fraud was with GW.
I guess "ease of use" and "ease of fraud" go hand in hand
"I don't get how Apple Pay is more secure than carrying your credit card in your pocket.
With my card, its a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card."
The physical card can easily be stolen. If they steal your iPhone, they need your fingerprint to access the credit information. ApplePay is more secure than physical cards.
"I guess "ease of use" and "ease of fraud" go hand in hand"
No that is absolutely not true.
It can also easily be cloned. All that data in the magnetic strip and onboard chip is very poorly protected and duplicating it all onto a blank card is child's play once you've got a copy of the data. The only bit that's not easily copied is the signature, and any competent fraudster should know how to forge a signature too. Not that anyone ever looks at the signature on the card any more, even when it's not a CNP transaction.
Got any references to this? You can't just read it via NFC, the chip is a tiny CPU and contains a private key you can't access. OK, you can probably use an electron microscope to read the chip if you know what you're doing and, you know, have an electron microscope, but if you're able to do that you can probably commit some more lucrative crimes instead of wasting your talents on card cloning.
"I guess "ease of use" and "ease of fraud" go hand in hand"
I'll address that another way - making systems hard to use is security by obscurity and that is known not to be a good security strategy. Excellent security systems are also simple and provide ease of use. Apple has really excelled on that count with ApplePay.
Since Apple Pay is only in the US, you need to realize that in the US there is no "chip" and no "PIN" on a credit card number. It is processed with your signature alone. They'll take ANY scribble at all, they don't look at it and never check the signature on your card - I can say that for sure since I've never signed my cards! When you sign for a charge in person, it is considered "card present". If you phone in or web in an order there isn't a signature, so they ask for the three digit "security" code that's on the back of your card but not encoded in the mag stripe. That's "card not present" and the retailer pays a bigger cut for that type of transaction since fraud is more prevalent.
What the article is talking about is that getting someone's card number is enough to enter it into Apple Pay, and those transactions are considered "card present". I suppose they could bump up the security a tiny bit making you enter the three digit code so you have to actually have the card (in theory) but that's not going to help much since such info is readily available from all the online retailers that have their databases cracked and contain millions of customer card numbers & codes.
The best solution is what someone suggested above. In order to activate Apple Pay, the credit card company has to send you a snail mail letter to your billing address with a code that needs to be entered to activate the card in Apple Pay. That would make it less convenient and get rid of the instant gratification, but it would avoid the possibility of card numbers stolen online being used in this manner.
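The mailed-code proposal made in this comment (and earlier in the thread) is easy to get subtly wrong, so here is an added example of how the issuer-side check could be built. This is illustrative code written for this page, not Apple's, any bank's, or the article's; the two-week validity, five-attempt lockout, 8-digit code and in-memory store are all assumptions of the model.

```python
"""Out-of-band activation code for adding a card to a mobile wallet.

Added illustrative example, not code from Apple, any bank, or the article.
Models the proposal in the thread: the issuer mails a one-time code to the
cardholder's billing address, and provisioning only completes once that
code is entered. Constructed in-memory store; no real issuer API is used.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 14 * 24 * 3600   # assumption: a mailed letter is valid for two weeks
MAX_ATTEMPTS = 5                    # assumption: lock the request after five wrong guesses


@dataclass
class PendingProvision:
    salt: bytes
    code_hash: bytes
    expires_at: int
    attempts: int = 0
    used: bool = False


@dataclass
class ActivationStore:
    pending: dict = field(default_factory=dict)   # card_ref -> PendingProvision


def _hash_code(salt: bytes, code: str) -> bytes:
    # Store only a salted hash so a database leak does not expose live codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_activation_code(store: ActivationStore, card_ref: str, now: int) -> str:
    """Create a fresh 8-digit code for the letter. The plaintext is returned
    only so it can be printed and mailed; it is never persisted."""
    code = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    store.pending[card_ref] = PendingProvision(
        salt=salt, code_hash=_hash_code(salt, code), expires_at=now + CODE_TTL_SECONDS
    )
    return code


def verify_activation_code(store: ActivationStore, card_ref: str, code: str, now: int) -> tuple[bool, str]:
    """Return (ok, reason). A code is one-time, expires, and locks after MAX_ATTEMPTS."""
    entry = store.pending.get(card_ref)
    if entry is None:
        return False, "no pending provisioning request"
    if entry.used:
        return False, "code already used"
    if now > entry.expires_at:
        return False, "code expired"
    if entry.attempts >= MAX_ATTEMPTS:
        return False, "too many attempts; request a new letter"
    entry.attempts += 1
    # Constant-time comparison of hashes avoids leaking how many bytes matched.
    if not hmac.compare_digest(_hash_code(entry.salt, code), entry.code_hash):
        return False, "wrong code"
    entry.used = True
    return True, "card activated"


if __name__ == "__main__":
    store = ActivationStore()
    t0 = 1_700_000_000                      # constructed clock value (seconds)
    mailed = issue_activation_code(store, "card-ref-001", t0)
    print(verify_activation_code(store, "card-ref-001", "00000000", t0 + 60))
    print(verify_activation_code(store, "card-ref-001", mailed, t0 + 60))
    print(verify_activation_code(store, "card-ref-001", mailed, t0 + 60))   # second use rejected
```

The point of the attempt counter and expiry is that an attacker who has the card number but not the letter cannot brute-force the 8-digit code online, and a letter that sits in a stolen mailbox for months is useless by the time it is found; the salted hash means the issuer's own database is not a list of live activation codes.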
I disagree somewhat with your conclusion there...
I'd be interested in a quick straw-poll of the commentators on here to see how many have actually used Apple Pay.
I'd be willing to wager I'm one of the few. I use Wells Fargo for my main credit/debit cards. When I got an iPhone 6 (in the UK incidentally), part of the setup noticed that the cards were iPay compatible, and would I like to use them. Once I'd done that I got an email from Wells Fargo telling me that someone had asked to add them to an Apple ID for use with iPay (I forget if it included the account details/phone #, but I'm due a new credit card soon, so I'll report back if I remember). I had to sign into the online banking, and run through additional security procedures before Wells Fargo would authorize the cards to be used with my iPhone (more than just the username/password to get into the online banking). Because the wife hadn't used her online banking in a long time, the bank actually insisted that she called up
Another thought too, they'd have to be a fairly well heeled criminal to do this, as I'm sure if the transactions were flagged as suspect, then you'd lose the apple account and (one would assume) the iPhone attached to it...
I don't get how Apple Pay is more secure than carrying your credit card in your pocket
But you don't just carry the card in your pocket, do you. You get it out and, typically, stick it into a reader where you start typing your PIN. Your PIN can easily be sniffed by someone watching over your shoulder, or putting the card in a compromised reader. Your card/PIN can be cloned and used quite happily in parts of the world where they don't use Chip & PIN yet.
Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure.
"Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure."
That's exactly right Mike. When you put a credit card in a reader, your numbers can be skimmed. With ApplePay, the iPhone does the job of the reader, validates you by your fingerprint, only unique numbers to do with the transaction are passed to the bank encrypted.
Much safer than using your credit card. These stories really are FUD against ApplePay (and by that I could probably say Google Wallet and others).
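The two comments above describe tokenization: the terminal sees a device token and a one-time cryptogram rather than the card number. The following added example models that property so it can be checked rather than asserted. It is illustrative code written for this page, not Apple's or any payment network's implementation; the token format, the HMAC-SHA256 cryptogram and the counter-based replay check are assumptions of the model, and real schemes (EMV tokenization) differ in detail.

```python
"""Toy model of payment tokenization with a per-transaction cryptogram.

Added illustrative example, not Apple's or any payment network's code. It
shows the property claimed in the thread: the merchant terminal receives a
device token plus a one-time cryptogram, never the real card number (PAN),
and a captured message cannot be replayed or altered. Keys, token format
and the HMAC construction are assumptions for the model.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    pan: str            # real card number, known only to the token vault / issuer
    device_key: bytes   # shared with the device's secure element at provisioning
    last_counter: int = 0


@dataclass
class TokenVault:
    records: dict = field(default_factory=dict)   # token -> TokenRecord

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Issue a device token (DPAN) and a device key; the PAN stays in the vault."""
        token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))  # constructed 16-digit token
        key = secrets.token_bytes(32)
        self.records[token] = TokenRecord(pan=pan, device_key=key)
        return token, key


def _cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> bytes:
    # Binds the cryptogram to this token, this amount and this counter value.
    data = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def device_pay(token: str, key: bytes, amount_cents: int, counter: int) -> dict:
    """What the phone hands to the terminal: token, amount, counter, cryptogram. No PAN."""
    return {
        "token": token,
        "amount_cents": amount_cents,
        "counter": counter,
        "cryptogram": _cryptogram(key, token, amount_cents, counter).hex(),
    }


def issuer_authorize(vault: TokenVault, msg: dict) -> tuple[bool, str]:
    """Vault/issuer side: recompute the cryptogram, enforce a strictly increasing
    counter (blocks replay), then de-tokenize to the PAN for the real account."""
    rec = vault.records.get(msg["token"])
    if rec is None:
        return False, "unknown token"
    expected = _cryptogram(rec.device_key, msg["token"], msg["amount_cents"], msg["counter"])
    if not hmac.compare_digest(expected, bytes.fromhex(msg["cryptogram"])):
        return False, "bad cryptogram"          # tampered amount or forged message
    if msg["counter"] <= rec.last_counter:
        return False, "replayed transaction"    # same or older counter seen before
    rec.last_counter = msg["counter"]
    return True, f"approved on PAN ending {rec.pan[-4:]}"


def merchant_sees_pan(msg: dict, pan: str) -> bool:
    """Sanity check: does the real card number appear anywhere in what the terminal got?"""
    return pan in "".join(str(v) for v in msg.values())


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"          # constructed test PAN, not a real card
    token, key = vault.provision(pan)
    msg = device_pay(token, key, 1999, counter=1)
    print("merchant sees PAN:", merchant_sees_pan(msg, pan))
    print(issuer_authorize(vault, msg))
    print(issuer_authorize(vault, msg))                        # replay of the same message
    print(issuer_authorize(vault, dict(msg, amount_cents=1)))  # altered amount
```

Note what the model does and does not protect: a skimmed message is worthless to a fraudster, which is the claim made in the thread, but nothing here checks who asked for `provision()` in the first place. That is exactly the gap the article is about, so the provisioning step still needs its own verification.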
In the US they still use magnetic stripes and not even on-card chips, which are much harder to copy than mag stripes. So the US is way behind in security.
Some years ago back in the mid 1990s I met with credit card companies on a project that was being developed. There were two issues then, limited imagination and the huge cost and near impossibility of adding security functionality to the streaming processes then used. I am pretty sure that number two still exists and we can see (1) being exhibited now. I am amazed that people were not aware that all this talk of 'very secure' is frankly hogwash - it is with all systems. Make a more secure anything and people will look for the easy way round the security. This is no exception. I suspect that the first error was to major all efforts on one device/method of initial verification. After that it was to allow a basically insecure method to 'verify' the veracity of the set up. If you do not employ a bit of lateral thinking and periodic re-verification your security will be breached. This is a consumer product so one perceived need is an easy ride for the user, but easy rides always come with costs. The CVC code is pretty weak, and even the secondary card not present checks are not hugely strong but at least they are better and can be updated if/when needed via an established route.
Frankly I do not care who allowed this to come about, the banks, apple, the man in the moon, or whoever, it makes no difference. It is still like making a secure vault with thick walls and armoured locks and having an unsecured air-conditioning duct or a plywood roof (it's safe at 10 feet off the ground). The product is end to end and the weakness is where ever and when ever it is found.
The risk to the well organised fraudster is zero, phone cost is a few units of currency, (probably paid for with a stolen card), load it, use it for a few days make money, dump phone, bingo.
An article about bankers and lax controls around money. Who'd have thought the very people entrusted with our hard earned dough would overlook things like proper security. Only a few million in losses you say? Lol. Let us know when it's reached billions. That'll be a story and likely when bankers actually do something.
As nicely pointed out by Bruce Schneier a while ago (https://www.schneier.com/crypto-gram/archives/2005/0415.html#2), until the financial institutions are held accountable for fraud, there won't be an incentive for them to build proper user data protection and identity verification.
In this case Apple should take some share of responsibility but it seems their mechanism is reasonably safe, and far above what banks are doing.
The Bank of England has been slammed because its new banknotes allow rampant fraud, banking experts are claiming.
The problem is that whilst the notes themselves contain various security measures and are hard to copy, banks are being lazy and not checking the notes presented to them carefully enough and consequently are allowing people to deposit Monopoly money.