First, in September 2014 when Apple Pay was announced, Tim Cook claimed that it would be more secure. So what exactly is the discrepancy?
The Old Way
To understand the discrepancy, we first need to understand the different payment systems, their vulnerabilities, and what is being done to combat the fraud. Current credit cards employ one of two technologies: a magnetic stripe containing card information, or an EMV (Europay / MasterCard / Visa) encryption chip. With a magnetic stripe, if you want to pay for goods or services with your card, you have a choice of either swiping it on a reader, or reading the card information (by sight or from memory) to someone and having them enter it into a payment system. A paper imprint with carbon paper is a tried-and-true 50-year-old method of taking payment information as well. With EMV, when the card is scanned, the chip generates a per-transaction code that can only be used to issue payment to that merchant for that transaction. Your personal information (card number, name, expiration date, security code, etc.) is not communicated to the merchant. However, if you are paying over the phone or the Internet (not in person), you have to resort to Plan B, just as with the magnetic stripe.
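The per-transaction code described above, as an added example that is not from the original article: a simplified sketch in which HMAC-SHA256 and a counter stand in for the real EMV cryptogram algorithm, and the key, merchant names and message fields are constructed for illustration. It shows why a code captured at the point of purchase cannot be used for a second charge or at a different merchant.

```python
import hmac
import hashlib

# Constructed sample key; not real card data or a real issuer key.
CARD_KEY = b"constructed-demo-card-key"


def transaction_code(key, merchant, amount_cents, counter):
    """Code bound to one merchant, one amount and one counter value."""
    msg = f"{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Chip:
    """Card side: holds the key and a counter that only moves forward."""
    def __init__(self, key):
        self._key = key
        self._counter = 0

    def pay(self, merchant, amount_cents):
        self._counter += 1
        code = transaction_code(self._key, merchant, amount_cents, self._counter)
        return {"merchant": merchant, "amount": amount_cents,
                "counter": self._counter, "code": code}


class Issuer:
    """Bank side: knows the same key and remembers the last counter seen."""
    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def authorize(self, msg):
        expected = transaction_code(self._key, msg["merchant"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["code"]):
            return "declined: code does not match merchant/amount"
        if msg["counter"] <= self._last_counter:
            return "declined: code already used"
        self._last_counter = msg["counter"]
        return "approved"


def demo():
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    captured = chip.pay("coffee-shop", 450)
    first = issuer.authorize(captured)    # the genuine purchase
    replay = issuer.authorize(captured)   # the same message presented again
    moved = issuer.authorize({**captured, "merchant": "other-shop"})  # reused elsewhere
    return first, replay, moved
```

A magnetic stripe has no equivalent of the counter or the keyed code: the same static data is sent every time, so anything that records it once can present it again.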
So, what are the vulnerabilities in this old system?
- Point of Purchase Interception
  - If you have a dishonest clerk, or a fake card scanner attached on top of the real one, they can grab your card info and record it for later fraud.
  - Many card scanners transmit over unencrypted, open phone lines that can be tapped or intercepted.
  - Many card scanners are run by computer and transmit over the Internet, where the data can be intercepted.
- Information System Hacking
  - The vast majority of large businesses, whether for online or in-person purchases, enter and store your card information in their databases. This means that a hacker who breaks into the system can glean thousands or millions of contact and payment records from those databases, over the Internet. Many of these systems do not have intruder detection, so it is certainly possible that at least half of these thefts go undetected or unnoticed.
- Card Issuing Bank
  - If a thief steals not your card information, but personal identification information (your name, social security number, address, bank account numbers, employer, utility account numbers, etc.), they can pose as you and open a new card in your name that you don't know about, with the statements sent to your address, and run up charges that you are billed for.
The Apple Pay Way
- Card Issuing Bank / Apple Pay Trust
  - In order to register a card with Apple Pay, Apple came up with a system whereby the cardholder takes a photo of the card with the phone, then has to go into the bank to have them confirm identity and that the person is actually the cardholder (physical presence before a physical bank employee). Alternatively, a cardholder's device (iPhone) can be registered via Apple, and a secure iMessage sent to the previously configured trusted device to confirm identity. However, most banks balked at the "overhead" that would impose on their customers, and opted for a less secure authentication via phone. A bank operator talks to the "cardholder" (hopefully it really is that person) and asks for some "personal" information to confirm s/he is the cardholder, to allow that card to be registered with the device for Apple Pay.