It’s not often that I get to write about personal examples of Apple’s flawed software, hardware mistakes and their lack of initiative when it comes to customer satisfaction. CS is something that just doesn’t seem to be a priority for them. As an iPhone 6 owner, I have to live in fear every day because it might bend. But when it does, I can have some concrete proof of the flawed design.
I was informed this week that I am also likely to be victimized by Apple Pay, and its rampant and elusive fraud that runs wild like some psycho at a European soccer match. This news comes on the trailing edge of Tim Cook’s iPhone 6 CustomerSAT rating, which sits at a paltry 99%. I’m sure there is some embellishment in those metrics. Considering the bendy phone issues, I’m sure it was rounded up from an embarrassing mid to high 98... at best. That’s Apple marketing for you. Peddling gold watches while their payment system has fraud running rampant like Jenjis Kahn blowing up cattle in the countryside of south Vietnam.
The rampant fraud was methodically revealed by Cherian Abraham, a subject matter expert on mobile payment security and a member of the board of advisors at SimplyTapp. They created Host Card Emulation, which is Google’s solution for Wallet to make payment transactions. I’ve read quite a bit about him, and many very well researched and articulate reports on how the Apple Payment System isn’t going to work because of all the fraud that runs rampant when people steal credit cards and dupe the bank into believing it is authentic, and steal customer data from merchants like Target.
He doesn’t say how Apple is responsible for that, but it really is irrelevant. If Apple is so super awesome, they should be able to figure out how to make sure every credit card that gets issued by all of their financial ‘Partners’ is legit.
Host Card Emulation differs from the Apple Pay Secure Element solution in a few ways. The iPhone 6 has these components built inside of it: biometric security, the Secure Element, and Secure Storage. When you first buy an iPhone 6, you sign in with your iCloud account, which is authenticated with your Apple ID. Then you have to integrate your credit card into Passbook. Once that is complete, the iPhone informs you that the financial institution must be contacted so that a live conversation can take place and authorization for the card to be used for Apple Pay can be verified. This was the case in my experience; however, if the card is already tied to an iTunes account that belongs to that user, then it can be automatically accepted.
The secure element and secure storage are isolated from one another and neither has the ability to view the data of its counterpart. They hold very little data and none of it is customer identifying without another source of data. When the customer has the intent to make a purchase, they bring the item to a cashier armed with a contactless reader. The cashier scans the item you wish to buy and activates the terminal, and when the iPhone senses the environment, it launches the TouchID UI. When your fingerprint is on the TouchID sensor, the go is given to transmit the information from the secure element and the secure storage through the contactless terminal, where it is sent to the financial institution for approval and processing.
The merchant issues a receipt, but never sees the credit card number, never sees the customer name or any of the customer data and neither does Apple. And that’s how privacy is maintained. It’s important to keep that fact in mind when considering the context of fraud in Apple Pay.
The fraud is being perpetrated at the bank and merchant level. Banks are issuing credit cards to criminals who place them into the Apple Pay system. Because it’s a valid credit card to the bank, I’m not exactly sure how Apple would second guess that, but perhaps there is something I haven’t heard of, which is possible. I went to public school.
At the merchant level, when you go to a merchant store and pay with a traditional credit card, a digital and/or hard copy receipt that has all of the personal identifying information on it (your credit card number, your name, your signature) is generated, and all of that is out in the open. Criminals then infiltrate those databases, and even neglected receipts in the trash, and acquire that data, which is used to generate an account in a No Card Present transaction. That data is then used to generate an Apple Pay profile. So let me reiterate the reason any fraud is being committed on the Apple Pay network: it is because you are using a traditional credit card and, in that process, you and the merchant give all the data that is required to commit fraud. There are also companies who collect and sell personal private data that is used in No Card Present account fraud. That would be anyone who has a social network based on a real name requirement and also uses that network to collect personal private data. Can anyone think of someone like that? +1 me then. ’Cause I’m feeling lucky.
This is one of the things that Apple Pay prevents. That’s because when you make a transaction with Apple Pay, the merchant doesn’t have a copy of your credit card number, or your name or your signature. Outside of the cashier’s memory and security cameras, no one knows you were ever even there. Contrast this with the current traditional credit card transaction schema. Target, anyone?
Host card emulation (HCE) assumes that everything is possibly compromised, which is somewhat ironic considering Android’s legacy of success with security and Google’s level of respect for private user data.
Host card emulation is dependent on device fingerprinting; transmission of the transaction via Google’s secure cloud; a token which is linked to the personal account number (PAN) of the user, but doesn’t hold all of the data required to generate the PAN in case it is intercepted and compromised; and a short-lived key that is used in the decryption process. There is also a risk analysis component that is performed by a third party to assess whether or not the transaction profile is likely to be fraudulent. Because of these, Mr. Abraham would probably tell you that Google Wallet is superior to Apple Pay. It’s so superior, in fact, that Google is announcing Android Pay in June at Googilligan I/O.
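The HCE pieces described above (a token standing in for the PAN, a device fingerprint, a short-lived key and a risk check), sketched as an added example that is not from the original post or from Google or SimplyTapp. The class, function and parameter names are hypothetical, the card number used with it is a constructed test value, and an HMAC cryptogram stands in for the decryption step the text mentions.

```python
import hashlib
import hmac
import secrets

class TokenService:
    """Cloud side: owns the token->PAN vault and hands out short-lived keys."""

    def __init__(self, key_ttl=300):
        self.key_ttl = key_ttl
        self._vault = {}    # token -> (PAN, enrolled device fingerprint)
        self._keys = {}     # token -> (key, expiry time)
        self._seen = set()  # (token, nonce) pairs already spent

    def enroll(self, pan, device_fp):
        # The token is random, so intercepting it reveals nothing about the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._vault[token] = (pan, device_fp)
        return token

    def issue_key(self, token, device_fp, now):
        _, enrolled_fp = self._vault[token]
        if not hmac.compare_digest(enrolled_fp, device_fp):
            raise PermissionError("device fingerprint mismatch")
        key = secrets.token_bytes(32)
        self._keys[token] = (key, now + self.key_ttl)
        return key

    def authorize(self, token, amount_cents, nonce, mac, now,
                  risk_ok=lambda token, amount_cents: True):
        if token not in self._keys:
            return False, "no key issued"
        key, expiry = self._keys[token]
        if now > expiry:
            return False, "key expired"
        if (token, nonce) in self._seen:
            return False, "replayed nonce"
        if not hmac.compare_digest(cryptogram(key, token, amount_cents, nonce), mac):
            return False, "bad cryptogram"
        if not risk_ok(token, amount_cents):  # stand-in for third-party risk analysis
            return False, "risk check declined"
        self._seen.add((token, nonce))
        pan, _ = self._vault[token]  # PAN is resolved only inside the service
        return True, "approved ****" + pan[-4:]

def cryptogram(key, token, amount_cents, nonce):
    """Device side: MAC over the transaction fields with the short-lived key."""
    msg = f"{token}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()
```

A stolen token alone fails here for three separate reasons: it carries no PAN digits, a key is only issued to the enrolled fingerprint, and a captured cryptogram is bound to one amount, one nonce and one key lifetime.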
It has to be somewhat difficult being in Google’s position when it comes to Wallet. Getting snubbed by their business partners with ISIS, I’m sure, was a disappointment. I’m sure there is a lot riding on Mr. Abraham and HCE as well. Getting caught on your heels after your partners have just punched you in the nose, and then finding out your competition has spent the last year building relationships with hundreds of financial institutions and thousands of merchants, has to cause a little stress in people close to SimplyTapp, which is probably the reason behind all the hubbub about Apple Pay.
Hopefully a lesson was learned in that event. Understanding that you should probably make the relationships first before you go asking for money from people as prospective customers. That’s something that Google isn’t used to doing unless those customers are advertisers.
But that is exactly what Apple did with Apple Pay. Rather than think about the money first, they thought about consumer safety and consumer privacy and went to talk to people about building a service around that.
Apple does extremely well when they create an environment for the customer that makes them feel comfortable about using the products and services. It makes sense, because when you think about the customer first, the money comes after. However, if Apple doing extremely well in mobile payment systems means that you will not do very well in mobile payment systems, then you need to compete somehow. If you are 1 year behind your competition, and they seem to be making a lot of progress making people feel comfortable, then the only logical thing to do is try to make them feel uncomfortable. How do you do that?
Tell them fraud is running rampant in your competition’s mobile payment system.