How I Learned To Stop Worrying And Love Apple Pay

8 minute read

You get a call from an unknown number. You ignore it. But they call again, and again, and again, and sometimes they leave you a silent voicemail. Spooked, you google the phone number. There are several reports saying the callers are credit card scammers, but there are also comments saying that the callers really areyour credit card company.

Unsure, you decide to check your credit card statement online. You see strange charges: a subscription to a Latvian gaming site, a deluxe membership on a porn site, five subscriptions to Christian Mingle. And if you’re really unlucky, a motorhome.

If you actually use your credit card, a variant of the above scenario has likely happened to you. Possibly several times. It occurs because a business you used the card with didn’t protect their data and got broken into, and in the process, your personal details and card information were stolen.

The last three times one of my credit cards was compromised, it was, unsurprisingly, the card I use the most. The one I keep on file with several businesses for automatic payments. The credit card company was very good about it . They contacted me to confirm several charges they’d declined, and they got me replacement cards within a couple of days. Fortunately I had no financial exposure for any fraudulent charges. But still, the process of reviewing charges, talking with the credit card company, and locating and updating web sites which I’d set up for automatic billing killed the better part of an afternoon.

According to Credit card fraud and ID theft statistics, 31.8 million US consumers suffered credit card fraud in 2014. There are an estimated 160 million credit card holders in the US.. That’s roughly one-fifth of the credit card holding population. So I’m not alone.

Fundamental Vulnerability

Traditional credit cards can be exploited very easily. All you need is possession of the card’s secrets: the account number, expiration date, security code, and sometimes, the signature.Conveniently for fraudsters, this is all bundled on the same piece of plastic, and except for your signature, they’re all collected by web sites processing credit card payments.

When you make a purchase, online or offline, your credit card information is collected by the payment terminal. And then? Well, it goes out of your control. Your credit card and transaction details are transferred to and stored in a computer somewhere. Hopefully, they’re secure and no one will ever manage to extract them.And it doesn’t matter if you tell the system to store your credit card number for future use. Your details still get logged. Which mean they’re still vulnerable to the people who can break into poorly protected databases.

Do you think that it’s only small companies that get broken into? Not so. In 2014, Home Depot had their database stolen, compromising 56 million credit cards. An earlier breach of Target compromised 40 million accounts.

And that’s only database breaches. Scammers using phishing emails and web sites that masquerade as real sites may trick you into giving them your credit card information directly.

To fight credit card fraud, the US recently moved to the “chip and sign” system. Instead of just providing a static number from a magnetic strip, credit cards now include a chip. When you use the card at a credit card terminal, the chip provides a unique, non-reusable code instead of your credit card number.

But when you use it online, the process is identical to older magnetic stripe credit cards.

You still provide your credit card’s secrets, which, I’m sure, are handled with the utmost care by the folks who’ve built the systems that have compromised tens of millions of credit card numbers.

Enter Apple Pay

Apple Pay allows you to make in person payments using an iPhone or Apple Watch, and web payments from an iOS device or Mac using Apple’s Safari browser. It improves both the user experience during the payment process and the security of the payment.

All Apple phones from the iPhone 6 onwards support Apple Pay. All Apple Watch models do as well. Any Mac running recent software can make online payments using Apple Pay on a supported phone or watch, and the recent 2016 MacBook Pro refresh has built-in hardware to securely support Apple Pay without needing a phone or watch.

When you add a credit card to Apple Pay your device stores a secure token received from the credit card’s payment network, rather than the credit card number itself. This protects you from the casual theft of your credit card number; it’s not there to be stolen.

When you make a payment in person, at a payment terminal (where you would have swiped your card), you tap your phone to the terminal. Your phone displays a default payment method, you authorize it with your fingerprint or a PIN, and the phone transmits your phone’s Device Account Number as well as a security code specific to that transaction.

Online payments work in a similar way. Your device generates a code unique to the transaction and transmits that to the service being paid. That service never sees your credit card’s secrets. In fact, your device doesn’t even store them. So even if your device falls into someone else’s hands they can’t extract your credit card number. And the secure token is protected by fingerprint or PIN access and can be invalidated remotely in case you lose your phone.

If the merchant stores the information your phone shared with it and is later broken into, the information that a cracker would obtain will not work for another credit card transaction, so you’ll be safe even though some information is compromised.

The important factors here are:

  • Your fingerprint or PIN provide a second factor authorizing the charge; without the fingerprint or PIN, no information is sent to the merchant
  • Your phone doesn’t have and doesn’t transmit your real credit card number. If the number in use is compromised, you can just regenerate it, getting a new number, without having to change credit cards
  • The security code will only work with a single transaction If an attacker gets payment records containing your Device Account Number, that will be insufficient on its own to make new charges

Apple Pay also enables secure online purchases, via its Safari browser, using similar technologies. But the details are transmitted over a secure web connection, rather than NFC.

The technology Apple uses to transmit payment information - NFC (Near Field Communications, the wireless standard allowing the phone to talk to the credit card terminal) and EMV (the Payment Tokenisation Specification) - are industry standards. While the parts of the system that allow Apple’s devices to talk to banks are proprietary to Apple, their use of standards for talking to terminals means there’s no such thing as an “Apple Pay” terminal or a terminal that specifically supports Apple Pay. If the terminal supports contact-free payments, it supports Apple Pay (and its competitors).

Unfortunately, Apple Pay doesn’t currently have a way to set up a recurring payment. You might wish to use it to pay monthly utility bills, but it has no mechanism to support that kind of payment. It currently only works with one-time payments.Apple Pay also requires the bank issuing the credit card to support Apple Pay. Not all banks do.

Because of this, very few prepaid credit cards work with Apple Pay.

And Apple has not opened access to its NFC hardware to third parties, so no other companies can provide NFC-based services on Apple devices.

Apple Isn't The Only "Pay" Game In Town

Apple’s competitors aren’t about to let it have all the fun.

If you have the right phone you may be able to use Samsung Pay or Android Pay. They both work similarly to Apple Pay. Unfortunately, due to Android fragmentation, whether your phone has the hardware to support them is a crap shoot.

On phones that support it, Samsung Pay also supports a clever way to mimic the magnetic stripe on a credit card. While Samsung touts its better security than traditional magnetic stripe cards, researchers have found it trivial to steal Samsung Pay’s secure tokens and reuse them (something Samsung refutes). Other significant vulnerabilities in Samsung Pay creating secure tokens have also been reported.

Microsoft offers Microsoft Wallet, which some of the 0.8% of the smart phone market that uses Windows phones can take advantage of. But like Android, not all Windows phones have the hardware to support contact-free payments.

You can even find Walmart Pay, with its more cumbersome interface. And when Apple Pay launched, several businesses (including CVS and Best Buy) were members of a consortium building CurrentC, a cumbersome payment system involving QR codes and a terrible user experience, which never made it to market.

How I Learned To Stop Worrying

Apple Pay is a nice example of how a more secure experience doesn’t have to mean a worse user experience. It’s quicker for me to tap my phone or watch to the payment terminal than it is for me to get out my wallet, find my credit card, figure out whether I need to swipe it a few times or insert it in the chip reader, and wait for the chip reader to do its thing.

Security wise, the more often I use it instead of conventional payments, the less likely it is that I’ll need to replace a credit card the next time a merchant gets broken into. And when I use Apple Pay online, I no longer worry about how strangers will (or will fail to) secure my payment information. It’s no longer my problem if they botch the job and someone breaks into their database, because they no longer have my credit card number.

All of which makes me love Apple Pay.