Sounds bloody insecure
Siri turn that shit off will you?
Apple will open up its new bonk-to-pay system to its newest phones, the iPhone 6 and iPhone 6 Plus, today, allowing fanbois to bonk shiny-shinys to purchase stuff online or at 220,000 stores. However, non-Americans need not cut up their cards just yet, because Apple Pay is only available Stateside and it is unclear when it …
If you haven't read about it, which is fair enough, then what are you basing your security statement on? There is little to no information in the article explaining the process to be able to judge the security.
If you have read about it elsewhere you'd know that the credit card number is not sent when a payment is made; instead a one-time use token is sent. This means that a retailer will never see your card number or CCV. The card information is stored in the same place as fingerprints, which has yet to be "broken in to". It's also backed up with fingerprint authorisation which will stop someone shoulder surfing then stealing your phone.
So what elements of that sound "bloody insecure"?
"The card information is stored in the same place as fingerprints, which has yet to be "broken in to"."
You should always say not yet known to have been broken into. You think if someone could do that they'd tell everyone? That would be a difficult thing to do, and so perhaps they might want to keep quiet about it.
By your own implication, the same logic thus applies to chip-and-pin, mag strips, other contactless, and pretty much every other electronic (or even non-electronic?) payment system ever invented. In which case, no news here, move along, go and troll some other random thing.
By your logic, chip-and-pin may already have been broken as well, but we just don't know it. Yet millions of people use that system every single day. You don't see mass panic or commentards shouting it down. So why with Apple Pay (or other contactless or whatever)? Pointless.
Indeed, surely the fact that with some of these new systems the vendor *doesn't* see your card details immediately makes them more secure in some areas than existing systems (i.e. no skimming)? Or am I missing something infallible about chip-and-pin?!
Actually, I suspect that Chip & PIN is significantly less secure than Apple Pay.
All you need is a compromised card reader (plenty of those have been deployed by criminal gangs) or someone looking over your shoulder to see the PIN. Neither of which is possible with Apple Pay.
OK, so let's say Apple's secure element is broken into. You're worried about someone gaining access to your credit card numbers? Such a thing has never happened before, what a disaster - you might be liable for up to $0 in fraudulent charges if that occurred!
Having your credit card numbers stored in POS systems all over, some of which may be pwned at this very moment and the breach not yet found, is surely worse than having them stored in only one place (your phone). Well, two places, if you include your wallet.
The secure element is a totally separate CPU on the A7/A8 SoC, which communicates via a defined protocol to the main CPU. The bar to attack it is far higher than to attack the main CPU, so while it isn't impossible, it won't be easy.
Even if a viable attack for the secure element was found, a criminal who steals your phone needs to break into the phone first to perform whatever steps are required to break into the secure element. Yeah, like all fingerprint scanners Touch ID is far from foolproof, but is it really worth the criminal's time to bypass Touch ID, then break into the secure element, when his "prize" is a handful of credit card numbers, if the owner is using Apple Pay at all?
You can find credit card numbers by the thousands on pastebin, or by the millions on underground carder sites. Why risk getting caught trying to snag someone's phone - and if you are, why not steal their wallet which in addition to cards will also likely contain some cash!
Genuine question, and haven't been able to find out this information.
Does new/changed hardware need to be installed for the Apple Pay NFC to work, over and above our current NFC terminals in the UK? At the moment I use contactless payments in CO-OP, McDonalds, and a few other places. Can they accept Apple Pay just by a software update/deal or will they need new hardware?
I quite like it (contactless payments) for the convenience of small payments, just annoying that a lot of places still don't have it, and whilst I don't have (and probably won't have) an iPhone 6, etc., it will be good to get NFC payments in general into more places, so hopefully this move by Apple means I can use my NFC bank card in more places. Just can't find this information anywhere.
If Apple Pay is using Host Card Emulation, then it shouldn't be an issue. Google Wallet for Android versions 4.4 and up uses Host Card Emulation and will work fine at any terminal set up to accept the contactless card systems of the big boys (Visa, MasterCard, Discover, and American Express all have their own names for it but they're essentially the same). A Secure Element is not required on the phone to use Host Card Emulation, reducing the hardware requirements, and this may have been what's tipped Apple over the edge regarding NFC support.
I will concur that the number of places that accept contactless payments shrank recently as some places saw it as either a fading fad or a liability. Walmart as I understand has been steadfastly against the idea because they want more control over payment data. Neither Walmart, K-Mart, nor Target support contactless. Best Buy does but only to a limited extent. 7-Eleven, Wawa, and Burger King have all withdrawn support. So basically, Your Mileage May Vary.
If Apple Pay is using Host Card Emulation, then it shouldn't be an issue.
Apple Pay uses a Secure Element to store the card details, not Host Card Emulation (which is, essentially, a software only version of Secure Element).
Existing contactless terminals that retailers have will work just fine with NFC. However the payment processors (Visa and MasterCard for now) will need their tokenisation service up and running and Apple will need agreements in place with your card issuer (read "bank that gave you that credit or debit card") before you can have any hope of making a payment using it.
"Apple Pay uses a Secure Element to store the card details, not Host Card Emulation (which is, essentially, a software only version of Secure Element)."
Do we have confirmation of this? From past experience using the Galaxy S4 and so on, Secure Elements can be finicky and more trouble than they're worth (if the transaction chain breaks due to a reset or whatever, the Secure Element can't be reset easily). That's one reason Android 4.4 added Host Card Emulation so that it (1) wouldn't be necessary and (2) would be easier to fix should something go wrong. Since HCE is now the norm on Android, why would Apple stick to the SE?
No new hardware. The CIO of McDonalds has said: "Customers can already use the terminals to pay with Google Wallet, MasterCard's PayPass, Visa payWave and other contactless payment systems. The existing hardware and software will now support Apple Pay."
So it looks like it's just a software upgrade if anything.
Despite my happiness with my MacPro, iPhone and my iPad, this whole issue puzzles me.
"...register a card and then wave their iPhone 6 in front of a special near-field communication sensor and put their fingers over the mobe's fingerprint sensor..."
This is an improvement on putting card in machine and entering PIN when asked?
How?
Don't forget that, as far as I'm aware, the US doesn't have chip and pin, so it's miles above what they have over there.
As for in England, it will stop a waiter or bar staff skimming your card. If you lose your phone as opposed to your wallet and don't realise immediately, it will stop any dishonest people who find it using contactless payment to buy booze and fags or whatever they fancy that's less than £20.
Also, you just remote wipe your phone and you don't need to apply for new cards.
Other than that it's no improvement.
Also, you carry one phone instead of [n] cards. So less of the wallety fumblings.
And... you get to pretend you're some kind of consumerista James Bond, which will make you look devilishly cool as you saunter through the barriers with a quick thumb flick during the rush hour crush at Dollis Hill.
"As for in England, it will stop a waiter or bar staff skimming your card."
One of the things that has always put me off NFC to the point I just don't use it is the lack of authentication, even if the per transaction limit is small.
A genuine question; does anyone know if 'drive by' skimming is possible with credit/debit card based NFC? As in scammer with handheld NFC reader walks down a crowded street fishing for close proximity with a card in a wallet or handbag. Or is conventional skimming merely limited to lifting the data on the mag stripe for later use in a country that still uses them - i.e. the scammer isn't actually processing payments, so the same would apply to 'NFC skimming'?
"A genuine question; does anyone know if 'drive by' skimming is possible with credit/debit card based NFC? As in scammer with handheld NFC reader walks down a crowded street fishing for close proximity with a card in a wallet or handbag. Or is conventional skimming merely limited to lifting the data on the mag stripe for later use in a country that still uses them - i.e. the scammer isn't actually processing payments, so the same would apply to 'NFC skimming'?"
NFC's a bit more complicated than that. There has to be an exchange between the originator and the device. The originator has to send a signal that indicates it's a point of sale in order for a transaction to take place (if it's a tag type instead, something else happens). From what I understand, the card number used for this system is strictly for contactless and can't be used for other purposes. Furthermore, there's supposed to be some kind of nonce that's sent to the clearinghouse to prevent replay attacks.
As a further safety measure, the NFC unit of most phones is inactive when the phone's asleep or locked, meaning the user has to wake up and/or unlock the phone for a transaction to take place.
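The token-plus-nonce model described in the two comments above (the retailer never sees the real card number, and the clearinghouse rejects a repeated nonce), as an added illustration that is not code from any commenter, Apple or the EMV/tokenisation specs. It assumes a constructed HMAC-based cryptogram, a constructed test PAN, and that the terminal supplies the nonce.

```python
"""Constructed model of a tokenised contactless payment (not the real Apple Pay / EMV protocol)."""
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, nonce, amount):
    """Phone side: the device key never leaves the phone; only this digest goes over NFC."""
    msg = f"{token}|{nonce}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Card issuer / token service: maps device tokens back to PANs and clears transactions."""

    def __init__(self):
        self.vault = {}       # token -> (real PAN, device key); stays at the issuer
        self.cleared = set()  # (token, nonce) pairs already authorised

    def provision(self, pan, key=None):
        """Enrol a card: hand the phone a token and key; the PAN itself is never sent out."""
        token = "tok-" + secrets.token_hex(8)  # stands in for a device account number
        key = key or secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        return token, key

    def authorise(self, token, nonce, amount, cryptogram):
        """Approve only a valid cryptogram whose (token, nonce) has not been seen before."""
        if token not in self.vault:
            return "unknown token"
        _pan, key = self.vault[token]
        if not hmac.compare_digest(cryptogram, make_cryptogram(key, token, nonce, amount)):
            return "bad cryptogram"
        if (token, nonce) in self.cleared:
            return "replay"                 # same transaction presented twice: rejected
        self.cleared.add((token, nonce))
        return "approved"


def tap(issuer, token, key, amount, nonce=None):
    """Terminal side: pick an unpredictable nonce and forward what the phone returns.
    The record is all a compromised terminal could capture: no PAN, and it clears once."""
    nonce = nonce or secrets.token_hex(8)
    record = (token, nonce, amount, make_cryptogram(key, token, nonce, amount))
    return issuer.authorise(*record), record


if __name__ == "__main__":
    issuer = Issuer()
    token, key = issuer.provision("4111111111111111")  # constructed test PAN
    verdict, rec = tap(issuer, token, key, "3.20")
    print(verdict, issuer.authorise(*rec))  # approved replay
```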
Zapp is clearly the future.
It isn't really. For starters:
1. In order to make a payment to a merchant, you are going to need a data connection. Ever tried that when you're in a shopping centre? Either impossible or very sloooooow.
2. Assuming you have data, you'll need to log onto your banking app to authorise the payment. How long does that take you to do today? Do you need to use one of those stupid token things? Now imagine doing it for a cup of coffee, with one hand holding a bunch of bags, a bloke who wants to give you a hot beverage and 16 people behind you wanting you to bugger off because they want to pay for their item.
"...you are going to need a data connection. Ever tried that when you're in a shopping centre?"
Or airport. Stansted this morning; Voda ping 600, downstream 300kbps, or Three ping 400, downstream 450kbps, both very intermittent. Log into the bank to buy coffee? No thanks!
Uptake's been a touch slow for two reasons:
1) Supported phones were pretty low at first. Due to card company recalcitrance, you not only needed the right phone but the right network, too, which kinda sucked. When the S4 came out, card companies allowed it because of the Secure Element, but Google managed to leverage more leeway bit by bit. When Android 4.4 came out and Host Card Emulation, the number of supported devices jumped since the implementation was now independent of network or the Secure Element. More or less, if a device had a compatible NFC unit and could run 4.4, it could now support Wallet (shame it can't be backported; there are more NFC-enabled Android devices you could support if you could).
2) Retailers have started getting a touch wary about contactless payments. Fears of data skimming and hacking have them wondering if they should be covering their butts. Combined with the slow uptake, some places that once accepted contactless are now dropping it.
From what I've read, ApplePay sounds like a very clever system, and more secure than GoogleWallet.
I used GoogleWallet in the UK once (Subway sandwiches), when you could spoof your location (you had to be in the US), and be granted access to the app. It worked well.
Really, I'd be happy with either. The idea of a properly digital wallet which I could use most places is appealing. Hopefully Apple will speed up the process of getting NFC Payments to work in more countries.
Picture the scene: it's a little past midnight on a Friday night. You and your friends are just finishing up on a night's boozing with a curry and a few more pints. You come to pay the bill, and whip out your trusty iPhone so you can amaze your friends by paying by bonk.
You press the home button to wake the phone, but find that your battery's flat, which you'd have expected if you hadn't been so pissed...