back to article Hey, iPhone 6 fanbois: Apple's bonk to 'Pay' app IS GO

Apple will open up its new bonk-to-pay system to its newest phones, the iPhone 6 and iPhone 6 Plus, today, allowing fanbois to bonk shiny-shinys to purchase stuff online or at 220,000 stores. However, non-Americans need not cut up their cards just yet, because Apple Pay is only available Stateside and it is unclear when it …

  1. Tom 7

    Sounds bloody insecure

    Siri turn that shit off will you?

    1. Gary Riches

      Re: Sounds bloody insecure

      If you haven't read about, which is fair enough, then what are you basing your security statement on? There is little to no information in the article explaining the process to be able to judge the security.

      If you have read about it else where you you'd know that the credit card number is not sent when a payment is made, instead a 1 time use token is instead. This means that a retailer will never see your card number or CCV. The card information is stored in the same place as fingerprints, which has yet to be "broken in to". It's also backed up with fingerprint authorisation which will stop someone shoulder surfing then stealing your phone.

      So what elements of that sound "bloody insecure"?

      1. DavCrav

        Re: Sounds bloody insecure

        "The card information is stored in the same place as fingerprints, which has yet to be "broken in to"."

        You should always say not yet known to have been broken into. You think if someone could do that they'd tell everyone? That would be a difficult thing to do, and so perhaps they might want to keep quiet about it.

        1. steamrunner

          Re: Sounds bloody insecure

          By your own implication, the same logic thus applies to chip-and-pin, mag strips, other contactless, and pretty much every other electronic (or even non-electronic?) payment system ever invented. In which case, no news here, move along, go and troll some other random thing.

          By your logic, chip-and-pin may already have been broken as well, but we just don't know it. Yet millions of people use that system every single day. You don't see mass panic or commentards shouting it down. So why with Apple Pay (or other contactless or whatever)? Pointless.

          Indeed, surely the fact that with some of these new systems the vendor *doesn't* see your card details immediately makes them more secure in some areas than existing systems (i.e. no skimming)? Or am I missing something infallible about chip-and-pin?!

          1. Mike Bell

            Re: Sounds bloody insecure

            Actually, I suspect that Chip & PIN is significantly less secure than Apple Pay.

            All you need is a compromised card reader (plenty of those have been deployed by criminal gangs) or someone looking over your shoulder to see the PIN. Neither of which is possible with Apple Pay.

        2. Anonymous Coward
          Anonymous Coward

          @DavCrav

          OK, so let's say Apple's secure element is broken into. You're worried about someone gaining access to your credit card numbers? Such a thing has never happened before, what a disaster - you might be liable for up to $0 in fraudulent charges if that occurred!

          Having your credit card numbers stored in POS systems all over, some of which may be pwned at this very moment and the breach not yet found is surely worse than having them stored in only one place (your phone) Well, two places, if you include your wallet.

          The secure element is a totally separate CPU on the A7/A8 SoC, which communicates via a defined protocol to the main CPU. The bar to attack it is far higher than to attack the main CPU, so while it isn't impossible, it won't be easy.

          Even if a viable attack for the secure element was found, a criminal who steals your phone needs to break into the phone first to perform whatever steps are required to break into the secure element. Yeah, like all fingerprint scanners Touch ID is far from foolproof, but is it really worth the criminal's time to bypass Touch ID, then break into the secure element, when his "prize" is a handful of credit card numbers, if the owner is using Apple Pay at all?

          You can find credit card numbers by the thousands on pastebin, or by the millions on underground carder sites. Why risk getting caught trying to snag someone's phone - and if you are, why not steal their wallet which in addition to cards will also likely contain some cash!

    2. Ian Joyner Bronze badge

      Re: Sounds bloody insecure

      Stop trying to spread FUD and do a proper analysis.

  2. Stretch

    Fuck off Apple. Just. Fuck. Off.

    1. TheProf

      Always nice to read a cogent opinion.

    2. Steve Davies 3 Silver badge

      re: your comment

      So don't use Apple

      You have a choice. It is not as if anyone is forcing you to buy their products.

      1. Stretch

        Re: re: your comment

        forced to hear about them all fucking day though and having fucking idiotic fanbois cunts with mental fucking disability spouting how great they are.

        I repeat. And I believe to be total cogent btw. Just. Fuck. Off. And die maybe. I'll take that too.

    3. Ian Joyner Bronze badge
  3. MJG

    POS upgrades?

    Genuine question, and haven't been able to find out this information.

    Does new/changed hardware need to be installed for the Apple Pay NFC to work, over and above our current NFC terminals in the UK. At the moment I use contactless payments in CO-OP, McDonalds, and a few other places. Can they accept Apple Pay just by a software update/deal or will they need new hardware?

    I quite like it (contactless payments) for the convenience of small payments, just annoying that a lot of places still don't have it, and whilst I don't have (and probably won't have), and iPhone 6, etc will be good to get NFC payments in general into more places, so hopefully this move by Apple means I can use my NFC bank card in more places. Just can't find this information anywhere.

    1. Charles 9

      Re: POS upgrades?

      If Apple Pay is using Host Card Emulation, then it shouldn't be an issue. Google Wallet for Android versions 4.4 and up uses Host Card Emulation and will work fine at any terminal set up to accept the contactless card systems of the big boys (Visa, MasterCard, Discover, and American Express all have their own names for it but they're essentially the same). A Secure Element is not required on the phone to use Host Card Emulation, reducing the hardware requirements, and this may have been what's tipped Apple over the edge regarding NFC support.

      I will concur that the number of places that accept contactless payments shrank recently as some places saw it as either a fading fad or a liability. Walmart as I understand has been steadfastly against the idea because they want more control over payment data. Neither Walmart, K-Mart, nor Target support contactless. Best Buy does but only to a limited extent. 7-Eleven, Wawa, and Burger King have all withdrawn support. So basically, Your Mileage May Vary.

      1. Silver

        Re: POS upgrades?

        If Apple Pay is using Host Card Emulation, then it shouldn't be an issue.

        Apple Pay uses a Secure Element to store the card details, not Host Card Emulation (which is, essentially, a software only version of Secure Element).

        Existing contactless terminals that retailers have will work just fine with NFC. However the payment processors (Visa and MasterCard for now) will need their tokenisation service up and running and Apple will need agreements in place with your card issuer (read "bank that gave you that credit or debit card") before you can have any hope of make a payment using it.

        1. Charles 9

          Re: POS upgrades?

          "Apple Pay uses a Secure Element to store the card details, not Host Card Emulation (which is, essentially, a software only version of Secure Element)."

          Do we have confirmation of this? From past experience using the Galaxy S4 and so on, Secure Elements can be finicky and more trouble than they're worth (if the transaction chain breaks due to a reset or whatever, the Secure Element can't be reset easily). That's one reason Android 4.4 added Host Card Emulation so that it (1) wouldn't be necessary and (2) would be easier to fix should something go wrong. Since HCE is now the norm on Android, why would Apple stick to the SE?

    2. Gary Riches

      Re: POS upgrades?

      No new hardware. The CIO of McDonalds has said: "Customers can already use the terminals to pay with Google Wallet, MasterCard's PayPass, Visa payWave and other contactless payment systems. The existing hardware and software will now support Apple Pay."

      So it looks like it's just a software upgrade if anything.

  4. Ted Treen
    WTF?

    I'm baffled...

    Despite my happiness with my MacPro, iPhone and my iPad, this whole issue puzzles me.

    "...register a card and then wave their iPhone 6 in front of a special near-field communication sensor and put their fingers over the mobe's fingerprint sensor..."

    This is an improvement on putting card in machine and entering PIN when asked?

    How?

    1. Gary Riches

      Re: I'm baffled...

      Don't forget that, as far as I'm aware, the US doesn't have chip and pin, so it's miles above what they have over there.

      As for in England, it will stop a waiter or bar staff skimming your card. If you lose your phone as opposed to your wallet and don't realise immediately, it will stop any dishonest people who find it using contactless payment to buy booze and fags or whatever they fancy that's less than £20.

      Also, you just remote wipe your phone and you don't need to apply for new cards.

      Other than that it's no improvement.

      1. TheOtherHobbes

        Re: I'm baffled...

        Also, you carry one phone instead of [n] cards. So less of the wallety fumblings.

        And... you get to pretend you're some kind of consumerista James Bond, which will make you look devilishly cool as you saunter through the barriers with a quick thumb flick during the rush hour crush at Dollis Hill.

      2. Anonymous Coward
        Anonymous Coward

        Re: I'm baffled...

        "As for in England, it will stop a waiter or bar staff skimming your card."

        One of the things that has always put me off NFC to the point I just don't use it is the lack of authentication, even if the per transaction limit is small.

        A genuine question; does anyone know if 'drive by' skimming is possible with credit/debit card based NFC? As in scammer with handheld NFC reader walks down a crowded street fishing for close proximity with a card in a wallet or handbag. Or is conventional skimming merely limited to lifting the data on the mag stripe for later use in a country that still uses them - i.e. the scammer isn't actually processing payments, so the same would apply to 'NFC skimming'?

        1. Charles 9

          Re: I'm baffled...

          "A genuine question; does anyone know if 'drive by' skimming is possible with credit/debit card based NFC? As in scammer with handheld NFC reader walks down a crowded street fishing for close proximity with a card in a wallet or handbag. Or is conventional skimming merely limited to lifting the data on the mag stripe for later use in a country that still uses them - i.e. the scammer isn't actually processing payments, so the same would apply to 'NFC skimming'?"

          NFC's a bit more complicated than that. There has to be an exchange between the originator and the device. The originator has to send a signal that indicates it's a point of sale in order for a transaction to take place (if it's a tag type instead, something else happens). From what I understand, the card number used for this system is strictly for contactless and can't be used for other purposes. Furthermore, there's supposed to be some kind of nonce that's sent to the clearinghose to prevent replay attacks.

          As a further safety measure, the NFC unit of most phones is inactive when the phone's asleep or locked, meaning the user has to wake up and/or unlock the phone for a transaction to take place.

      3. Charles 9

        Re: I'm baffled...

        "Don't forget that, as far as I'm aware, the US doesn't have chip and pin, so it's miles above what they have over there."

        Not YET. Transition is in progress and will probably take about a year or two.

  5. Velv
    Gimp

    Not even available in Apple Stores in the UK?

    If you can't get your own house in order its a pretty poor show.

    1. Anonymous Coward
      Anonymous Coward

      Patience

      Patience grashopper, patience.

      When all the agreements with the banks and merchants are in place I am sure it will be coming to a store near you. Besides we should rejoice that we are letting the Yanks field test this and not us.

  6. Anonymous Coward
    Anonymous Coward

    So in summary

    Apple launches a "me too" US-only, 200k stores alternative to the US-only Android Google Wallet, that's been out 2 years and works in all stores that have NFC readers...

    OK then...

    1. Mike Bell

      Re: So in summary

      Do you ever read stuff on the internet?

    2. Anonymous Coward
      Anonymous Coward

      Re: So in summary

      Not quite "me too"...

      I'll wager that this gets more traction in the next few months leading to Xmas then GW has had in the past 2 years

  7. Anonymoist Cowyard
    Megaphone

    Zapp is clearly the future.

    But it seems someone is still trying to stop it (presumably because they lose their "cut")

    1. Silver

      Re: Zapp is clearly the future.

      Zapp is clearly the future.

      It isn't really. For starters:

      1. In order to make a payment to a merchant, you are going to need a data connection. Ever tried that when you're in a shopping centre? Either impossible or very sloooooow.

      2. Assuming you have data, you'll need to log onto your banking app to authorise the payment. How long does that take you to do today? Do you need to use one of those stupid token things? Now imagine doing it for a cup of coffee, with one hand holding a bunch of bags, a bloke who wants to give you a hot beverage and 16 people behind you wanting you to bugger off because they want to pay for their item.

      1. Anonymous Coward
        Anonymous Coward

        Re: Zapp is clearly the future.

        "...you are going to need a data connection. Ever tried that when you're in a shopping centre?"

        Or airport. Stansted this morning; Voda ping 600, downstream 300kbps, or Three ping 400, downstream 450kbps, both very intermittent. Log into the bank to buy coffee? No thanks!

        1. Mike Bell

          Re: Zapp is clearly the future.

          Don't forget to type in that 5-digit passcode while you're at it, for all the world to see.

          Sorry, but solutions like this missed the boat.

  8. Zot

    Anybody here use Google Wallet before?

    GW came out in May 2011, and I wonder how popular it is there.

    1. Charles 9

      Re: Anybody here use Google Wallet before?

      Uptake's been a touch slow for two reasons:

      1) Supported phones were pretty low at first. Due to card company recalcitrance, you not only needed the right phone but the right network, too, which kinda sucked. When the S4 came out, card companies allowed it because of the Secure Element, but Google managed to leverage more leeway bit by bit. When Android 4.4 came out and Host Card Emulation, the number of supported devices jumped since the implementation was now independent of network or the Secure Element. More or less, if a device had a compatible NFC unit and could run 4.4, it could now support Wallet (shame it can't be backported; there are more NFC-enabled Android devices you could support if you could).

      2) Retailers have started getting a touch wary about contactless payments. Fears of data skimming and hacking have them wondering if they should be covering their butts. Combined with the slow uptake, some places that once accepted contactless are now dropping it.

      1. Zot

        Re: Anybody here use Google Wallet before?

        Thanks for replying to my question.

        Only on The Reg can I get a thumb down for asking a question!

        *rolls eyes*

        1. Zot

          Re: Anybody here use Google Wallet before?

          LOL at thumbing down a jibe about thumbing down!

          Keep going then, you're just so hilarious.

        2. MrRtd

          Re: Anybody here use Google Wallet before?

          Head over to Reddit, plenty-o-thumbs-down for asking questions.

  9. Rich 30

    Vs Google Wallet

    From what I've read, ApplePay sounds like a very clever system, and more secure than GoogleWallet.

    I used GoogleWallet in the UK once (Subway sandwiches), when you could spoof your location (you had to be in the US), and be granted access to the app. It worked well.

    Really, I'd be happy with either. The idea of a properly digital wallet which I could use most places is appealing. Hopefully Apple will speed up the process of getting NFC Payments to work in more countries.

  10. Dave Fox

    Picture the scene: it's a little past midnight on a Friday night. You and your friends are just finishing up on a nights boozing with a curry and a few more pints. You come to pay the bill, and whip out your trusty iPhone so you can amaze your friends by paying by bonk.

    You press the home button to wake the phone, but find that your battery's flat, which you'd have expected if you hadn't been so pissed...

    1. Anonymous Coward
      Anonymous Coward

      In that scenario, the real horror might be if the battery wasn't flat, or perhaps that's just me. I used to deliberately leave cards at home if it was going to be a huge night, just taking more than enough cash to limit the post-curry damage to an obscenely large beigel purchase.

    2. Anonymous Coward
      Anonymous Coward

      Seriously???

      Does anyone really go out without at least one debit/credit card?!?!?

      Even for emergencies in case you'd ran out of cash?!?!

  11. Ian Joyner Bronze badge

    The Register's journalism would be much more credible if you drop this bad habit of labelling just about every story about Apple with 'fanbois'. It is time someone at the Register grows up.

    1. Anonymous Coward
      Anonymous Coward

      I agree...

      But they need to attract all the usual "anything-apple-is-evil" brigade in order to keep their page view count up.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like