Apple Pay is payday?

I have grave concerns over the details of the Apple Pay system. I have read what seem to be opinion pieces in the local newspapers that try to glamorise this and also tout it as a new way of making payments. In the wake of the iCloud hacking scandal, Apple needed to put to rest doubts about their services being safe and secure.

  • Apple’s focus as a business is the design of nice functional devices. They create nice-looking devices, no question; it is the single reason why people went for them and why they are as popular as they are. It isn’t that they are doing anything new, nor is it the fact that they are doing it well, but they are doing it with style.
  • Apple has proven time and time again that software is not their forte: iTunes, Apple Maps and the plethora of updates for your iPhone where they are unable to get things right. Some address security concerns, others fix bugs, but since I have used an iPhone in the last 12 months I have updated it more times than I have updated my Windows Phone over a longer period.

So, see this process diagram I have made. This is based on the basic information I know about the process; it is also about how I know these services will work.


The process in blue is common to the approval of credit transactions over merchant services. If this is the only functionality that the device and subsequent services perform, then how is this different to the current use of PayPass or PayWave functionality we have in credit cards in Australia? (I believe the US doesn’t have a large influx of these services yet, so to the US market that might seem different.)

I read that you take a picture of your credit card and from that the information will be stored on the device. I would assume that it would use OCR to determine the details of the card. Apple has stated this:

Every time you hand over your credit or debit card to pay, your card number and identity are visible. With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element, a dedicated chip in iPhone and Apple Watch. These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number alongside a transaction-specific dynamic security code is used to process your payment. So your actual credit or debit card numbers are never shared with merchants or transmitted with payment.

So, this number that is stated is a special unique number sent to the merchant services device for approval. If this is stored on the device against that payment option, how is this resolved? If it is passing that unique code to the device, and also a dynamic security code (which will be a secure hashing of some data, I am sure), where is it resolved? Somewhere this UAN (Unique Account Number) equates to your account. The merchant (not the retailer) needs to know that your Credit Card XXX XXXX XXXX XXXX = UAN; how is this done and where is this done? None of this is stated on their site. There is information about Apple not saving details of your transaction, but it is this resolution that I would like to know about.

This is the big question mark over this whole system: how does the merchant, or the device, determine the details of the card being used over this chip when no card information is passed? Well, the only way I can see it is one of a couple of ways.

  • The UAN and Card Number are transmitted over Apple services to the merchant services (AMEX, Visa and MasterCard). If this is the case, it is this routing of traffic, passing through Apple, where I put a question mark.
  • The merchant asks Apple for the resolution of the UAN: "Apple, I have this UAN; can you provide me the Card Number so I can approve or reject the payment?"

These two go against Apple’s assertions about not storing, especially the second one. The first could too, but it is still dubious, as the device and information is still an Apple device. We have seen copious amounts of data collection policies stating that they will collect this and that but make sure it is not identifiable to you. So I would want to read the terms of service of this before ever committing to it.

The other method would be to encrypt the data.  Below is an encryption (a proper one) of a dummy credit card number (it isn’t real) and CVN


So, that number could be what is stored, and certificates are used to encrypt and decrypt the data on each end. This is the only way I can see that would maintain the current security of the system, which already needs to be very tight as these systems are attacked regularly, and it would maintain performance as there is already encryption of this data.
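The question raised above, where the device number is resolved back to the card, can be illustrated with a simplified token-vault model. This is an added example, not code from this post or from Apple; the `TokenService` and `Device` classes, the HMAC-based code and the counter are assumptions standing in for the real scheme, and the card number is a constructed test value.

```python
import hashlib, hmac, secrets

def dynamic_code(key, token, amount_cents, counter):
    # Per-transaction code: HMAC stands in for the real cryptogram (assumption).
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenService:
    """Hypothetical vault on the card-network/issuer side, not on the retailer's."""
    def __init__(self):
        self._vault = {}  # token -> [card number, device key, last counter]

    def provision(self, pan):
        # Runs once when the card is added; the device keeps only token + key.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return token, key

    def authorise(self, token, amount_cents, counter, code):
        entry = self._vault.get(token)
        if entry is None:
            return None
        pan, key, last = entry
        expected = dynamic_code(key, token, amount_cents, counter)
        if counter <= last or not hmac.compare_digest(expected, code):
            return None  # replayed, altered or forged message
        entry[2] = counter
        return pan  # resolved only here, for the issuer's approval decision

class Device:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = dynamic_code(self._key, self.token, amount_cents, self._counter)
        return {"token": self.token, "amount": amount_cents,
                "counter": self._counter, "code": code}

def demo():
    service = TokenService()
    pan = "4111111111111111"  # constructed test number, not a real card
    device = Device(*service.provision(pan))
    msg = device.pay(1250)  # all the retailer's terminal ever sees
    first = service.authorise(msg["token"], msg["amount"], msg["counter"], msg["code"])
    replay = service.authorise(msg["token"], msg["amount"], msg["counter"], msg["code"])
    nxt = device.pay(1250)
    altered = service.authorise(nxt["token"], 999999, nxt["counter"], nxt["code"])
    return first, replay, altered, pan not in msg.values()
```

In this model the card number appears only inside the vault; a captured payment message cannot be replayed or have its amount changed, because the counter and the keyed code are checked before the token is resolved.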

With all of this, much needs to be revealed and much needs to remain hidden, and, as with Google, I am not entirely trusting of their motives behind it. I am sure Apple might not need to store transactions, but I am sure it can simply record "you bought at Store X", cool, and then add services for Store X by offering the ability to push specialised services to Device X from Store X (no need for anything else).

And if it is as simple as replacing your credit card, I am sorry, but it isn’t like they say:

breakthrough contactless payment technology and unique security features built right into the devices you have with you every day.

as I have been using contactless payment technologies with my current credit cards since they were issued to me in 2010 and 2011 on 2 different cards. My phone has had this ability since 2010 (though I have not used it). In mobile devices it was an application that was required to utilise these wallet and NFC features; the difference is that now the device supports it. Mobiles have proven to be a gold mine for hackers and the nefarious-minded, as most people don’t care how secure their device is: default Bluetooth on, default Bluetooth password, the default security password, account passwords that are as simple as 12345678. Our lives are becoming more and more dependent on the security of the systems we use every day, and these systems are failing us. And now we are using an electronic device to make payments; umm, what happens when the battery goes flat? I can no longer use it to pay for my whatever it is.

Be wary.


Posted on September 11, 2014, in Article.