Next-Gen iPhone & iPhone Nano Speculation

[patsu]

If they can steal your credit card numbers they can steal your apple pay tokens. If they have them, they can use them since the tokens are just another card number and because the tokens do not change with time or merchant.

Are you sure that's correct? Because it does not jive with Apple's presentation. IIRC they claimed one-time use tokens, and basically invulnerable against anyone snooping said token since it is one-use, and consumed on use. You would not be able to use it a second time, so it'd be worthless for anyone intercepting it.

So either you've got your infos wrong, or Apple lied in their presentation. Or I hallucinated while watching it. <--This is also a possibility...

rpgs.314's model is not quite right. The dynamic account number is kept in the secure element. The "credit card like credential" (payment token) is something else. It is generated on the fly, together with yet another one-time secure code for every transaction.

Even if one captured these in-flight payment tokens, they can't use it for more fraudulent transactions. They should also be one-way. You can't guess the dynamic account number from these payment tokens.

If you lost the phone, then you have to use Find My iPhone to revoke the dynamic account number.

 

[Grall]

If you lost the phone, then you have to use Find My iPhone to revoke the dynamic account number.

You don't really need to though, if all the thief took was the phone; nobody can pay with the phone without your thumb to press to the scanner...

 

[patsu]

Well... I think peace of mind is very important. It's better to revoke and regenerate on a new phone.

 

[zed]

A $2.99 latte will increase by $0.04 if every single customer is going to pay with Apple Pay. Watch. Me. Care.

Whats that saying about fools and their money
btw you, you might wanna recheck your maths

0.15% is on the order of what stores, physical and online, already pay for direct debit transactions

In NZ (the largest debit card users in the world per head of population) there are ZERO transaction fee's for the customer / shop. Yes a shop has to pay a fee ~$100/year to be connected so they do incur a cost which would be passed onto the customer but thats gonna be orders of magnitude less than a 0.15% fee

How is google pay able to do this free?
Well if this takes off, it will flow on to google wallet taking off logically
and I assume google will say, hell if ppl are happy getting 0.15% deducted we'll do it as well.
And with their much larger userbase this could turn into a nice little earner for both apple & google

 

[Grall]

Google's schtik is grabbing market share by offering stuff for free, and then once they've achieved dominance they "monetize" the "service". So they're no different really. They, being a corporation with tens of thousands of employees and dozens of data centers around the world, offices in a multitude of countries and so on, obviously can't afford to offer their services completely free of charge in perpetuity.

 

[Mariner]

The vendor/shop always pays a credit card fee and it is usually a lot more than 0.15%, I can tell you! Usually around 2% for credit cards (a lot more for Amex!) and a set charge for debit cards.

Paypal fees for sellers are usually a little higher than this. Not sure about Google Wallet.

 

[zed]

The vendor/shop always pays a credit card fee and it is usually a lot more than 0.15%, I can tell you! Usually around 2% for credit cards (a lot more for Amex!) and a set charge for debit cards.

you missed my earlier posts where I mention this, I made one yeaterday here and also about 2 weeks ago

Like I said before from what I read a couple of days ago I believe this 0.15% is EXTRA on top of whatever the bank fee's they charge

nobody can pay with the phone without your thumb to press to the scanner.

I wonder what happens if a thief chopped off someones thumb, imagine the public fear(*) involved? We could see the next iphone version without a thumbreader

(*)totally unnecessary in real terms, but in todays (esp in the USA society) where 'fear rules the newswaves' and makes the public do irrational choices, who knows

 

[Grall]

I wonder what happens if a thief chopped off someones thumb

I believe Apple claimed last year that they check for life signs (meaning a pulse I suppose.)

In any case, I wonder what would happen if someone was to use a knife to force you to give them your card and PIN rather than use it to chop off your thumb - oh wait, that already happens every single fucking day. While we're already in the unlikely realm of scenarios, you could also use your pinky (or perhaps tip of your nose) to unlock your phone, meaning your thumb would be useless to a thief...!

 

[wco81]

Only thing about thumbs is that there have been cases of cops demanding pass odes. Conceivably they can coerce you to apply your thumb against the scanner.

There was a case where cop after beating someone erased the video off the phone of a witness who captured video.


The banks hope people charge transactions under $25 and $10, which are now predominantly paid in cash. So they'd get a lower fee but potentially greater volume of CC transactions.

 

[zed]

n any case, I wonder what would happen if someone was to use a knife to force you to give them your card and PIN rather than use it to chop off your thumb - oh wait, that already happens every single fucking day.

yes I know and thats why I wrote "totally unnecessary in real terms, but in todays (esp in the USA society) where 'fear rules the newswaves' and makes the public do irrational choices, who knows"
eg 10's billions to protect against (the small possiblity) terrorists invading the USA and killing a few american's vs a few billion spent protecting against (the reality today) of american's dying in X number of 'unsexy' ways

i.e. the masses make these total irrational choices not based on logic

I can foresee a similar tech thing with
We will soonish have widespread driverless cars I shudder to think when one malfunctions and kills someone (prolly a slowdown of its adoptation etc) even though in reality the deaths per km is prolly gonna be a lot less than a human driver, i.e. its irrational decision making

The banks hope people charge transactions under $25 and $10, which are now predominantly paid in cash. So they'd get a lower fee but potentially greater volume of CC transactions.

Not in NZ, its rare to see someone pay with cash, even for $2. Im one of the view ppl that do try to pay with cash

 

[rpg.314]

The question is whether or not it's better/safer than existing NFC implementations and existing credit card implementations. Not whether or not credit cards are inherently enablers for creepy behavior.

It's better than Google and carrier's implementation.

It's no better than existing physical cards.

 

[rpg.314]

Are you sure that's correct? Because it does not jive with Apple's presentation. IIRC they claimed one-time use tokens, and basically invulnerable against anyone snooping said token since it is one-use, and consumed on use. You would not be able to use it a second time, so it'd be worthless for anyone intercepting it.

So either you've got your infos wrong, or Apple lied in their presentation. Or I hallucinated while watching it. <--This is also a possibility...

The macworld article says that there is one token per device forever.

No idea what apple said in their presentation.

The banks and the retailers wouldn't let this get off the ground if their creepy behavior was blocked.

 

[rpg.314]

rpgs.314's model is not quite right. The dynamic account number is kept in the secure element. The "credit card like credential" (payment token) is something else. It is generated on the fly, together with yet another one-time secure code for every transaction.

That's not what Macworld says.

Unlike my example above, in which the token is on a per-merchant basis, with Apple Pay you get a unique token for each card and each iPhone.

 

[silent_guy]

It's better than Google and carrier's implementation. It's no better than existing physical cards.

Physical cards without a PIN, no security at all.
Physical cards with a PIN: 4 digits of security, often a birthdate of some sort.
Hard for an electronic solution to beat that in terms of insecurity.

 

[zed]

Hard for an electronic solution to beat that in terms of insecurity.

I guess more money is gained electronically (scams/hacks etc) each year than physically robbing them at knife/gunpoint

I think the issue is the number of electronic attacks/robberies will be far less but because its done electronically the capacity to 'attack' more accounts/ppl at once is magnitudes more

 

[Grall]

That's not what Macworld says.

The quote you present doesn't claim one token forever.

Anyway, like I said, the presentation claimed one-time use tokens, so what macworld says doesn't really matter. Anyway, a permanent token which would be snoopable and re-used would also be highly insecure, nobody would accept that. It would invalidate and make redundant the whole thing with the on-chip secure store, virtual card numbers and fingerprint scanner. So I don't think this interpretation which you present is the correct one.

 

[Mariner]

Physical cards with a PIN: 4 digits of security, often a birthdate of some sort.

Only if you are a halfwit! Lots of them around... :smile:

 

[zed]

Only if you are a halfwit! Lots of them around... :smile:

mine by chance was the most least likely choosen pin number, google it and you can find the article. After reading that article of course I changed it
Its choice between convenience and security, personally I prefer convenience (within reason WRT security)
A couple of days ago their was a 'meeting' here in nz, kimdotcom & (snowden & assange by web) now would snowden have been able to get those documents if it was the old days with harddata? just wait I'll go back and grab those other 5 suitcase's full of files prolly not, but I doubt anyone wants to go back to the old ways but we've lost so much freedom/anonymity these days

edit:
saw this on another site https://www.braintreepayments.com/features/one-touch?utm_source=ArsTechnica&utm_medium=disp&utm_content=OneTouch1A&utm_campaign=takeover&partner_source=US_DT_DIS_ARS_BAN_AWR_DEV_FLAT_ONE_NBR_x*OneTouch1A

Just 2.9% + $.30 per transaction
Sign up to get notified when Braintree is available in your country

Only 2.9% + $0.30
0.15% seems a bargain (OK theyre different things)

 

[rpg.314]

Physical cards without a PIN, no security at all.
Physical cards with a PIN: 4 digits of security, often a birthdate of some sort.
Hard for an electronic solution to beat that in terms of insecurity.

My bad, I was referring to privacy aspects here, not security.

 

[rpg.314]

The quote you present doesn't claim one token forever.

Anyway, like I said, the presentation claimed one-time use tokens, so what macworld says doesn't really matter. Anyway, a permanent token which would be snoopable and re-used would also be highly insecure, nobody would accept that. It would invalidate and make redundant the whole thing with the on-chip secure store, virtual card numbers and fingerprint scanner. So I don't think this interpretation which you present is the correct one.

It seems to imply on token forever.

Your existing physical cards have the same token forever and they work fine (from a security point of view) most of the time. And it is accepted universally.

If there was a dynamic token per use, then the merchant won't be able to track you, but the bank will.

I don't see why the merchants will buy into it if it didn't let them be creeps.