
Thread: Apple Pay: Bridging Online and Big Box Fraud

  1. #1
    slgrieb

    Apple Pay: Bridging Online and Big Box Fraud

    From krebsonsecurity.com, an interesting story about security issues with Apple Pay. A couple of highlights: "The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters." and "Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud."

    As is usual for Krebs, he provides detailed info about how these scams are implemented and how unlikely it is that a real fix is likely soon.
    Yes, Mr. Death... I'll play you a game! But not CHESS !!! BAH... FOOEY! My game is...
    WIFFLEBALL!

  2. #2
    Webhead
    Translation: Apple Pay has pointed out the security holes in banks. Now the banks will close those security holes and make this process even better.

    And what's not mentioned here are the even bigger security holes that exist in the methods we used before Apple Pay. Such as attacks on ATM machines, standard credit cards that don't use PIN codes, cash, etc. etc. etc.

  3. #3
    CeeBee
    Originally Posted by Webhead:
    > Translation: Apple Pay has pointed out the security holes in banks.

    No, it just widened them. Before a stolen CC# was only used online, as you can't swipe thin air. But to be honest all "virtual wallets" are exposing this gap.

    Originally Posted by Webhead:
    > And what's not mentioned here are the even bigger security holes that exist in the methods we used before Apple Pay. Such as attacks on ATM machines, standard credit cards that don't use PIN codes, cash, etc. etc. etc.

    Ummm.. how is cash a security hole???

  4. #4
    Webhead
    Originally Posted by CeeBee:
    > No, it just widened them. Before a stolen CC# was only used online, as you can't swipe thin air. But to be honest all "virtual wallets" are exposing this gap.
    >
    > Ummm.. how is cash a security hole???

    I'm not sure what "widen them" means. When you shine a light on something it's either there or it's not. It doesn't grow larger because the light shined on it. The banks had security holes. By agreeing to use Apple Pay, those holes were exposed. And that is actually ok and kinda expected to be honest. They are in the process of fixing it. Meanwhile, Apple Pay has held up. First of all, Apple Pay eliminates any middle man when making a financial transaction. So that security hole that plastic cards allow for is now gone. Second, people can't steal your credit card from your wallet and use it because eventually we won't have a credit card and a wallet. Your information is stored securely in a chip, protected by Touch ID and not available for clerks or Apple to look at. The transaction is between you and the bank and that's it. Credit cards on the other hand are totally exposed in a bunch of ways. For example, if I have a credit card in my wallet, someone can take my wallet and go buy stuff. Clerks never check the ID anyway, so the thief never gets caught. This is insecure and expensive. Third, your payments are private unlike before. There's a million ways that previous methods were insecure. Heck, I went to a security conference a few years back and listened to the former security director for Wells Fargo speak about this. There's a million ways that the previous model was open to attack.

    Now am I saying Apple Pay is bullet proof? No. Time will tell. But it sure is off to a good start. And once the banks get caught up, then it will only keep getting better.

    By the way,... how is cash a security hole? Well let's see, first of all it can be burned, lost, stolen, duplicated, destroyed just to rattle off some things off the top of my head. I think a better question would be -- how is there anything secure about cash? And why do we still use cash?
    Last edited by Webhead; 03-12-2015 at 12:03 AM.

  5. #5
    CeeBee
    The holes existed, but could only be exploited online and one piece of the puzzle is that many cards decline if shipment address is different from what they have on file. With "wallet" stuff (not just Apple!!!) it is assumed that you are the card holder when you are not and you can pay in person and not have a transaction declined because the address doesn't match. It also renders built-in card security (wireless or chip) worthless as it behaves like the old system. VERY BAD.
    Cash is the only thing that cannot be exploited. Duplication is extremely difficult and any newbie clerk can spot a fake bill. Yes, it can be burned (why would anyone burn it???), lost/stolen (don't keep more than 50 in the wallet), but cash is cash and you can pay ANYONE with it. And nobody from an ex-Soviet republic will duplicate the cash in your wallet.
    The best solution still remains chipped card + PIN, proven throughout Europe where fraud would otherwise be rampant. The convenient solutions are also a security risk, very difficult to mitigate unless the process is being changed to only allow storing cards that you can prove you own (ex make a transaction with a chipped card + PIN and use a security identifier to authenticate, or get the security identifier from bank). However this is not in the interest of credit card companies, they are willing to take a hit together with merchants and increase the card use.

  6. #6
    Webhead
    > The holes existed, but could only be exploited online and one piece of the puzzle is that many cards decline if shipment address is different from what they have on file.
    Who cares about online. People take the cards and go to retail stores and buy stuff. Cigarettes, alcohol, CDs, clothes, etc. The point is that they can be used easily. This is not just me making this up. It's common knowledge that credit cards are vulnerable. Haven't you been paying attention to all the attacks and exploits we've been seeing over the past couple years?

    > With "wallet" stuff (not just Apple!!!) it is assumed that you are the card holder when you are not and you can pay in person and not have a transaction declined because the address doesn't match. It also renders built-in card security (wireless or chip) worthless as it behaves like the old system. VERY BAD.
    I'm not sure what you are talking about. With Apple Pay, you take your product to the terminal and point your device at the terminal to pay. That's it. Very simple, very secure. If someone takes your phone, they can't use it because it's locked down to your fingerprint. You might want to read up on the Apple Pay architecture a little bit more so you can be more informed about how it works when you are discussing this.

    > Cash is the only thing that cannot be exploited. Duplication is extremely difficult and any newbie clerk can spot a fake bill. Yes, it can be burned (why would anyone burn it???), lost/stolen (don't keep more than 50 in the wallet), but cash is cash and you can pay ANYONE with it. And nobody from an ex-Soviet republic will duplicate the cash in your wallet.
    Cash is hard to duplicate? Criminals have been doing it for decades. It's one of the oldest tricks in the books. They have to keep redesigning the money to be more secure every several years. Nobody would purposely burn money but if you have thousands of dollars in your mattress and your house burns down while you are gone,... then what? Don't keep more than 50 in my wallet? Sure. That's easy because I hardly ever use cash anymore. And why? Because it's so easily stolen, destroyed, lost, etc. And no, you can't pay with cash to anyone. I defy you to go buy clothes with all nickels.

    > The best solution still remains chipped card + PIN, proven throughout Europe where fraud would otherwise be rampant.
    I agree,.. chipped card + PIN is excellent. Apple Pay kinda takes that idea to a whole new level though.

    > The convenient solutions are also a security risk, very difficult to mitigate unless the process is being changed to only allow storing cards that you can prove you own (ex make a transaction with a chipped card + PIN and use a security identifier to authenticate, or get the security identifier from bank). However this is not in the interest of credit card companies, they are willing to take a hit together with merchants and increase the card use.
    Maybe. I'm not sure. I have credit cards in my wallet that are chipped + PIN. It's just that the merchants aren't set up for this yet. I think retailers didn't want to invest in something until a standard presented itself. That standard seems to be Apple Pay.

    And I'm not saying this as some kind of Apple loyalist. I'm just telling it like it is. If Google or Microsoft had a product like this, then I'd be saying the same thing.

  7. #7
    CeeBee
    Originally Posted by Webhead:
    > I'm not sure what you are talking about. With Apple Pay, you take your product to the terminal and point your device at the terminal to pay. That's it. Very simple, very secure. If someone takes your phone, they can't use it because it's locked down to your fingerprint. You might want to read up on the Apple Pay architecture a little bit more so you can be more informed about how it works when you are discussing this.

    Nothing stops ME from putting YOUR card info that I stole after I hacked Target, Home Depot, Apple, ebay, etc etc in my phone and then going on a shopping spree. I don't need your physical card, all I need is the CC#s. All the built-in security that the card has is rendered useless since I don't have to provide the physical card anymore. You might want to read up on the Apple Pay architecture a little bit more so you can be more informed about how it works when you are discussing this.

    Originally Posted by Webhead:
    > if you have thousands of dollars in your mattress and your house burns down while you are gone,... then what?

    Then you are either an idiot or a criminal.

    Originally Posted by Webhead:
    > I think retailers didn't want to invest in something until a standard presented itself. That standard seems to be Apple Pay.

    Actually the standard is Google Wallet which has been around for years and is being accepted by many major retailers. And now the major cellphone companies have given up their version in favor of Google Wallet.

  8. #8
    Webhead
    Originally Posted by CeeBee:
    > Nothing stops ME from putting YOUR card info that I stole after I hacked Target, Home Depot, Apple, ebay, etc etc in my phone and then going on a shopping spree. I don't need your physical card, all I need is the CC#s. All the built-in security that the card has is rendered useless since I don't have to provide the physical card anymore. You might want to read up on the Apple Pay architecture a little bit more so you can be more informed about how it works when you are discussing this.
    >
    > Then you are either an idiot or a criminal.
    >
    > Actually the standard is Google Wallet which has been around for years and is being accepted by many major retailers. And now the major cellphone companies have given up their version in favor of Google Wallet.

    LOL. Ok, whatever you say buddy.

  9. #9
    Webhead
    As long as this thread has been hijacked to try to make it seem like Google Wallet is relevant, here's something: http://www.howtogeek.com/201870/goog...-need-to-know/

    The Payment Experience
    With at least one credit or debit card’s details entered on your mobile app of choice, here’s how you’d use them when it’s time to pay:

    Apple Pay: Take your phone out of your pocket, rest a finger over the Touch ID sensor (without pressing down), and hold it over a contactless payment terminal. The iPhone uses Touch ID to authenticate your fingerprint and immediately processes the payment. Touch ID makes this more convenient as you don’t have to unlock your phone first.

    Google Wallet: Take your phone out of your pocket and hold it over the reader. You may then have to enter your Google Wallet PIN, which is supposed to be different from your phone-unlock PIN for security reasons. Where Apple Pay uses your same fingerprint at the terminal, Google Wallet requires your phone have two different PINs — it’s just clunkier. At least you don’t have to open the Google Wallet app first.

    These payment methods need to be as convenient as possible because they compete with a piece of plastic that can be swiped or inserted everywhere. In many non-US countries (like Canada), you can tap your plastic credit card on such readers all over the place. Of course, this doesn’t give you any fingerprint or PIN security. That’s why contactless payments have traditionally been limited to smaller-value purchases.

    Merchants Don’t Get Your Credit Card Numbers
    With many retailers — from Target to Home Depot — showing they’re not capable of securely handling credit card numbers without losing them, security is becoming a more pressing issue. Both Apple Pay and Google Wallet offer a big advantage here. When you pay with either system, the merchant never actually gets your credit card information. In a nutshell, they get a one-time code that authorizes them to make a single charge. Any malware infesting their payment terminals won’t be able to steal your credit card details and abuse it later.

    With Apple Pay, the secure payment details are stored on the iPhone itself. With Google Wallet, they’re stored on Google’s servers “in the cloud.” (<-- Apple secure, Google not as secure) This cloud-based token system is what allowed Google Wallet to work on more devices with Android 4.4, as it can work even when cellular carriers block its access to the “secure element” where it would be stored on the device. Either way, the merchants you’re making purchases from don’t get your credit card details.

    So, which is better? Well, that’s not really the question. You don’t really get a choice between Apple Pay and Google Wallet — you get a choice between an iPhone and an Android phone. Other considerations will probably be more important, and you’ll end up with whichever solution your chosen platform provides.

    But, if you really want to corner us into answering, it’s very clear Apple Pay is better. The fingerprint-identification system is faster and more convenient than the second-PIN system Google thought up. Plus, when taking a view of the entire world instead of just the US, Apple Pay seems to be actually on a path to international expansion. Google Wallet isn’t seeing much development and looks confined to the USA, at least until Google starts caring about it again.

    Keep in mind, this article is from last year. Apple Pay has made huge advancements since its launch. It started with a handful of banks but has been basically adopted everywhere at this point. That's mostly due to how well it was designed (as opposed to Google Wallet).
    Last edited by Webhead; 03-12-2015 at 08:21 PM.

  10. #10
    slgrieb
    Originally Posted by Webhead:
    > As long as this thread has been hijacked to try to make it seem like Google Wallet is relevant, here's something: http://www.howtogeek.com/201870/goog...-need-to-know/
    >
    > Keep in mind, this article is from last year. Apple Pay has made huge advancements since its launch. It started with a handful of banks but has been basically adopted everywhere at this point. That's mostly due to how well it was designed (as opposed to Google Wallet).

    I disagree. I'd say banks jumped on Apple Pay because it works with the very popular iPhone. They would have been smart to insist that Apple work with them on a more secure implementation. But "Short Sighted and Greedy" should be the motto of the American banking industry. As far as I'm concerned, any hickies banks take from Apple Pay fraud are well deserved. Besides, given Apple's traditionally lax approach to security, who is surprised at the outcome?
    Yes, Mr. Death... I'll play you a game! But not CHESS !!! BAH... FOOEY! My game is...
    WIFFLEBALL!
