Apple Pay. Google Wallet. Discuss

Yes, TouchID can be fooled… but so far only if you have a high resolution photograph of the person’s finger. Yes, NFC can be sniffed, but the phone is generating a one-time key. It’s possible they’ve made some implementation mistake (crypto is hard), but in general, this is orders of magnitude harder to meaningfully attack than the current system, and also much better than chip and PIN.

The biggest gain may just be that you won’t let your phone out of your hand. If someone takes your credit card at a restaurant and walks off with it, or takes it behind a register counter and swipes it, it’s kind of hard to see what kind of machinery they might have run it through. If someone tries to do something funky with your phone while it’s in your hand, it’s going to be much harder to hide.

Wow. I live under a fucking rock. I have not heard of either of these things till just now, reading this thread.

Yes, the only times messages were sent in the clear were when they were sent to services that didn’t support encryption. Apple to Apple traffic was encrypted end-to-end. That means that if both people had iPhones, you’d have to break AES 128 encryption. Apple doesn’t actually have the capability to read your messages without significant effort and resources specifically because of the way they set up the system. Here’s a normal-language synopsis of the Apple whitepaper (PDF: linked to in the article) that describes the messaging implementation as well as other security features on iOS.

There’s a fundamental difference in approach between Google and Apple. Apple has, to date, designed things in such a way that they don’t even have access to personal information wherever possible. Google, on the other hand, wants personal information because their whole business is in finding ways to sell you stuff. You don’t have to trust Apple or take their word for it; knowing how it works (and this stuff has been checked), you can verify for yourself that while it might technically be possible to collect data, it would be ridiculously hard.

Article from Macworld with actual information instead of my garbled memories from a hurried viewing of the keynote over a few broken sessions. One mistake I made earlier: the secure memory the info is stored in is separate from the Touch ID Secure Enclave.

One thing to remember is that Google / Android is an ecosystem, not a product line. Manufacturers of Android phones can include / not include NFC capability at their discretion. I have a phone that has it (Droid Maxx), but I know of many people who have recent Android phones that lack NFC.

In this, Apple has an advantage since they have a much smaller range of phones, and all of the new ones (apparently) support NFC payments.

Around here, NJ Transit buses accept Google Wallet payments. The PATH train turnstiles don’t - they can query the phone and receive the data, but go “bonk” to indicate they don’t understand it as a valid payment type.

What would have been far better for users and merchants is a single payment standard for the communication of data from the phone / other device to the reader. The phone manufacturers could use whatever implementation they want for the user’s funding source, authorization method on the phone, etc. and merchants could use whatever back-end processor they want. Instead we have something like the Beta/VHS format war, but with a larger (and still increasing) number of incompatible systems.

So it’s almost 8 years later and I’m thinking of trying out Apple Pay. Anybody have different opinions about its safety? I just did the latest iPhone update and am being asked if I want to set up Apple Pay. I’ve been afraid to up to now.

I don’t think you’re going to find many people who can argue in all honesty that it’s not safe. I mean, if you google “is Apple Pay safe,” the results won’t include very many stories about security breaches, and the few stories there are don’t seem to be about real world in-the-wild exploits. Basically, it’s as safe as, or safer than, anything else out there.

I use various bits of Apple’s money handling stuff. Vaderling gets his allowance via “text” that goes on to an Apple “card”. I use an Apple card to pay for things online since that is another layer between my info and the rest of the world. However, I watch people struggle to use Apple Pay and Google Wallet with their phones at gas stations and restaurants now and then, and it always seems to be a major production trying to get the phone and the CC terminal to talk to each other and complete the transaction. Every single time I’ve made a note to myself to never do this; I’ve never seen anyone just wave their phone at the terminal and have it work. Just pay the damn bill with cash or an actual physical card already.

Every terminal seems to be different. Even cards have trouble with some. One gets used to it quickly enough and I usually have little trouble paying with my phone. A little dance over terminals usually gets it first swipe, except for terminals with the reader on the side. Even with cards one can miss those.
But sometimes the protocol seems to jam up and the entire transaction has to be restarted. It isn’t great, and really should be improved.
With Covid a general distaste for cash has taken hold here. I have used cash maybe half a dozen times in the last year and waved a credit card at a reader maybe twice. Every other transaction has been with my phone. I just bought an Apple Watch, and will probably start using that for most purposes.

A couple of days ago, the person in front of me asked to pay for her groceries using some app, and completed the transaction by waving her wristwatch at the terminal. It took about one second. So, whatever app she was using, they both had it, therefore it worked. I assume the cashier would give me a list if I bothered to ask.

Now, if something goes wrong with the reception, that’s when you might get a major production. Or the convenience store’s internet could go out— I have seen that happen. Not everyday occurrences, though. If you have at least a debit card, you can get away with using cash rarely.

I’ve been using Apple Pay whenever possible for a couple of years now (since I got my watch); I love it. Never had a problem once I figured out which button to press and when to press it.

Apple Pay doesn’t require the internet to work.

I used Apple Pay on my phone - which required a fingerprint (or PIN) to verify the payment. Now, thanks to the pandemic, I’ve used my Apple Watch almost exclusively. It does not require a fingerprint - but every time you take the watch off your wrist and put it on, you need to enter the PIN code. So someone who just steals your watch or phone can’t go on a spree, unlike using “tap” with your credit card. Of course, if they know your PIN and have your Apple device - well, sux to be you. But the same would apply with credit card and PIN.

Of course, there are limits for all of these - typically about $100 or $200 a day depending on the bank and merchant. (But credit card and PIN is not necessarily limited.) The main point, as I understand, is that Apple makes up a different code for each transaction, so hackers intercepting the data stream can’t really decode and “reuse” the information. It’s also more difficult to create a counterfeit Watch or iPhone for your credit card than a fake magstripe. (I have yet to hear of the CHIP and PIN being counterfeited - that also takes advanced tech.)

As I understand, Apple Pay is a handshake with the NFC - I’ve had my watch but forgotten my phone at home, and my watch (which only has WiFi, Bluetooth, and NFC) still works. Presumably, it only needs the terminal’s internet connection to do the verification.

The point is, I trust Apple’s NFC much more than I trust a card’s tap. For most of my cards, I have made cuts in the card to disable the NFC antenna. CHIP insertion still works. (Use a bright LED flashlight behind the card in a dark room to maybe see the antenna traces.)

The only downside - I’ll keep using my iPhone 8+ until Apple deigns to return to using fingerprint tech; I have no desire to use Face ID. This is the downside of Apple, they tend to think “we do it our way and you will follow us.”

I used Apple Pay a few times years back but it generally took a few tries to work so I stopped using it. It may be better now with better software and a 13 Pro phone. In the end, it’s just as easy for me to pull a credit card out of my left pocket as a phone out of my right pocket so I don’t bother.

I just came from the grocery store. The lady in front of me paid with cash and then took several minutes organizing everything back into her wallet, then organizing the purse, etc.

I put my phone near the reader and tapped in my PIN.

@ Everyone🙂, thinking about it a little more, probably confirmation bias on my part. I’ve never noticed people using devices to pay because pre-Covid there was less aversion to the contact, actual and implied, with cash. So more people are venturing into areas of payment/money technology that they wouldn’t have before and so it seems like it messes up more because there are more people doing it.

My card issuer sent me a contactless Visa card a year or so ago, and I’ve been using that everywhere I can. I don’t see any advantage of Apple Pay/Google Pay over this (though someone upthread mentioned wanting to carry only their cell phone, so for someone like that, I can see the appeal).

Well, if your contactless card gets lost or stolen, someone else can use it to make a purchase. If your iPhone gets lost or stolen, no one else can use it to make a purchase.

Because of that lack of built-in authentication, in some countries contactless cards have spending limits or daily use limits, or you have to enter a PIN or sign to exceed the limit which breaks the “contactless” angle. Depending on the store, Apple Pay or other mobile payment options don’t necessarily have these limitations because you’ve authenticated yourself on your phone.

Yes, I’ve been told my card with tap has upper limits per transaction and per day. The same with Apple Pay, but those limits are a bit more flexible. Costco, which has a better handle on customer ID, seems to have a very high tap limit tolerance.

True but losing the card is unlikely as it never leaves my hand.