In the past few years, more and more countries have started to allow Apple Pay transactions. Right now, this payment method is available in over 50 countries around the world. But with such high popularity also comes responsibility. You may have already adopted the Apple Pay payment method and asked yourself: “Is Apple Pay safe?”
Or you may still be in the early stages of researching the security of Apple Pay and may be reluctant to use it.
In this case, you’ve come to the right place, because in this article I’m going to explain how Apple Pay works and review it from a security standpoint.
What is Apple Pay?
Apple Pay is the mobile payment service of Apple. It was launched in October 2014 and it’s compatible with iPhone 6 (and above models) and Apple Watch.
It’s meant to allow you to ditch your physical wallet and import your cards into your digital Apple Wallet. Apple Pay supports some major card issuers, including Visa, MasterCard, and American Express – see the participating banks in Asia-Pacific, Europe and the Middle East, and Canada, Latin America, and the US.
How to set up Apple Pay
Many people avoid using it because they think it’s too confusing or maybe they are afraid it won’t work when they are in the checkout line at a store.
But don’t worry, below is a step-by-step guide which will help you set up Apple Pay.
- Go to your iPhone’s Wallet.
- Tap the “+”
- Add a new card by either scanning your card with your iPhone’s camera or by manually entering the details.
- Choose next. Your bank will check your card and let you know if you can use it with Apple Pay.
- After your card is verified, tap Next.
Great! You can now use Apple Pay.
For more instructions on how to set up Apple Pay on your iPhone and other Apple devices, visit the Apple Support page.
How to use Apple Pay
There are multiple methods to use Apple Pay and places that accept it.
Source: Apple Support
Here is where and how you can use it:
1. Stores, restaurants, and other places
You can use Apple Pay in restaurants, stores, and any other places that accept contactless payment.
If you want to use it in brick-and-mortar stores, you just have to place your iPhone near any POS device that accepts contactless payment. Basically, you can make payments with it almost anywhere, just like you would with your standard card.
2. Web payment in Safari
You may use Apple Pay to make purchases in the Safari browser – it works with your iPhone, iPad, and Mac. How to do it? After you press the Apple Pay button, you can either rely on your iPhone, iPad, or Apple Watch to confirm the payment. Or if your Mac model has a built-in Touch ID, you can use this feature instead.
3. Paying for apps or within apps
You can also choose Apple Pay as a payment method when you want to purchase apps in the App Store, or even pay within the apps.
Here you can see a complete list of places and apps that accept Apple Pay.
4. Apple Cash
Since 2017, Apple allows you to transfer money to your friends in the Messages app on the iPhone and Apple Watch by using Apple Cash. You can also fund your Apple Pay Cash balances from a linked debit card.
5. Apple Card
Apple announced that they will release the Apple Card this summer, which will be a physical card created in partnership with Goldman Sachs, synced with the Apple Pay system. It’s been designed with security and simplicity features in mind and will have some quite interesting perks available.
Now that I’ve briefly gone through the entire Apple Pay ecosystem, let’s look at how secure is Apple Pay.
So, is Apple Pay safe?
Short answer: YES, definitely.
It seems that Apple takes the security and privacy of their payment options very seriously.
Here are the reasons why Apple Pay is safe:
- When you activate Apple Pay on your device, it uses two-factor authentication – they text you a code which must be typed in the app so access to your card is permitted.
- It uses built-in security features to protect your transactions.
- You can only use Apple Pay if you have a passcode set up on your device. You can also use biometric authentication methods (Face ID or Touch ID).
- It doesn’t store or have access to your original card numbers associated with Apple Pay. Also, it doesn’t save any transaction information that can be traced back to you.
- The information you enter gets encrypted so it safely leaves your device when sent to Apple’s servers.
- If you scanned the card with your camera, it will never get saved on your device or in the iCloud.
- Apple may inform your card issuer or other providers associated with your card to the usage of Apple Pay, determine if your card is eligible, set up your card with Apple Pay, and to avoid fraud. If your card is approved, your card issuer creates a Device Account Number, encrypts it, and only afterward the information is sent to Apple.
- The Device Account Number can’t be decrypted by Apple, but it gets stored in the Secure Element – a chip specifically designed to safely store your information.
- The Device Account Number in the Secure Element is isolated from Apple’s operating systems (iOS, watchOS, and macOS) and it never gets saved on Apple’s servers or backed up to iCloud.
- If you lose your device and have turned on Find My iPhone instead of calling your bank, you can cancel Apple Pay by putting the device in Lost Mode. And your card will be suspended from Apple Pay even if your device is turned off and not connected to Wi-Fi or mobile data. But just to be completely safe, additionally, you can also contact your card issuer to remove your card from Apple Pay.
For more information on security and privacy, visit the security and privacy overview of Apple Pay. What’s more, you can find additional information on your device in Settings – Wallet & Apple Pay – See how your data is managed…
Is Apple Pay safe to send money to other people?
As I’ve mentioned above, you can easily send money with Apple Pay through Apple Cash.
When you use it, Apple may store some information about you to prevent fraud and to comply with financial regulations (i.e. how often you communicate with a certain person).
However, the content of your communication isn’t recorded and the information is saved for a limited time only, only being used in case suspicious activity has been recorded and it needs further investigation. You can also have access to the transactions that were considered fishy and needed to be analyzed in the list of your Apple Pay Cash transactions.
So yes, Apple Pay is safe to send money to other people.
But wait, I got scammed on Apple Pay!
Unfortunately, you could find yourself among the victims of Apple Pay scams. I understand you may be angry at Apple, but you should be aware that it was not Apple’s fault, just like the company is not the one to blame in the case of Apple ID phishing scams.
Here’s an example of an Apple Pay scam.
A summary of what happened if you don’t have time to read the original story on Reddit:
The user funded his Apple Pay Cash account with a Capital One Venture Credit Card to pay $550 for tickets to a music festival. Weeks after he sent the money to the seller, he noticed the entire conversation was deleted and then it became obvious it was a scam. He asked Capital Money to send him his money back. Capital One returned the funds, but when he checked his Apple Pay account, he noticed it was in the negative – they charged him $550, plus a $16.50 fee. Now, he no longer owned the money to Credit One but had to return it to Apple.
This is a great example of someone unknowingly transferring money to a scammer. But what happens when a malicious actor steals your card details and enters them into Apple Pay and manages to make fraudulent transactions? Who should be held responsible? Experts argue that banks are not always doing their best to keep the transactions of their customers secure enough.
“Apple Pay is great. It’s the bank processes for identity-proofing that are weak”, argues Gartner analyst Avivah Litan, via Dark Reading
It seems that millions of dollars have been lost due to Apple Pay fraud. Recently, a 23-year-old Miami resident was sentenced to four years in prison. The government accused him of being involved in a gang that loaded stolen Capital One credit cards onto their iPhones, which reportedly reached $1.5 million in fraudulent purchases via Apple Pay.
But here’s one of the biggest financial crimes witnessed up until now. According to Forbes, a group of 30-year-olds funded Apple Pay accounts and other digital wallets with stolen JPMorgan credit cards bought from the dark web. They bought highly expensive items and gadgets, ranging from a Rolex watch worth $35,000 to iPhones and MacBook Pros that cost thousands of dollars. All of their purchases reached $600,000 and were resold afterward.
Why do fraudsters use Apple Pay and other digital payment methods instead of simply resorting to stolen credit card details? According to assistant United States attorney Marie Dalton, who led the prosecution of the above-mentioned case, “When using a mobile wallet, the fraudster can instantly receive their stolen goods from the store without providing additional identification or delivery address”. She also stated that retailers use verification applications, such as Verified by Visa, for online payments. But financial criminals find it much easier to copy signatures and chip-and-pin technology using Apple Pay to purchase items than cloned cards.
Apple isn’t the one to blame when it comes to Apple Pay scams
Experts have pointed out that not all banks that accept Apple Pay have solid security measures in place to prevent these attacks. It seems that some banks aren’t checking if the true cardholders are trying to link their bank accounts with Apple Pay. Card issuers should be contacting customers when they detect someone is trying to link a card with Apple pay or send verification codes via text messages.
The long-awaited Apple Card could become the strongest link Apple Pay’s security chain, as it will not have any information written on it that could be stolen, such as card number, CVV security code, expiration date or the owner’s signature. All Apple Card users will get assigned a unique card number, which will be stored on the iPhone’s Secure Element – this is a chip that will not be hacked so easily, containing elements such as encryption keys.
How to avoid Apple Pay Scams
Apple Pay scams can be avoided if you stick to a few basic security measures.
Here’s what you should to keep Apple Pay scammers at bay:
1. DO NOT share the passcode used to log into your device since can be used as an authentication method (alongside Touch ID and face recognition). Don’t disclose it to anyone in case your phone gets stolen!
2. NEVER ever share your Apple ID password. Just like you wouldn’t share your email or bank account password, don’t do it with your Apple ID.
3. Get involved in transactions only with people you personally know to make sure you are not a victim of online criminal impersonation. For example, someone may be pretending to be a friend or a family member claiming to be in trouble and urgently in need of a certain amount of money. Or they can even impersonate an authority figure and make the request look official. Don’t fall for these scams!
4. Always double-check payments you are about to complete. Make sure you aren’t accidentally sending money to someone else.
5. Block unknown senders that request money. Whenever you receive a message from someone you don’t know (namely, when they’re asking for money) just tap Report Junk under the message.
Source: Mailguard’s Blog
6. Beware of phishing attempts. You may receive a fake email claiming to be from Apple that notifies you that a payment has been made on your behalf. Of course, you will not recognize this payment and might rush to click on the link that tells you to contact Apple Support to get a refund. After entering the fake website, you will get notified your account has been locked and that you need to confirm your information so you can recover it. The phishing webpage may look so real that you could actually get fooled and proceed to enter your sensitive details.
The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to:
Block malicious websites and servers from infecting your PC
Auto-update your software and close security gaps
Keep your financial and other confidential details safe
For more info and advice, you can also visit Apple’s support page that explains how to avoid Apple Pay scams.
Is Apple Pay safer than PayPal?
In a recently published article, one of my colleagues addressed the Is PayPal Safe? question. Long answer short, PayPal is pretty safe if we look at all the security measures they have in place – they use email confirmations for your recent transactions, data encryption, PayPal security keys, and 3D-secure. But if you aren’t cautious of the security of your account, you may attract unwanted eyes that may want to disclose your account’s sensitive information.
The same applies to Apple Pay. The company takes cybersecurity very seriously, the main one being that your card number isn’t stored on your iPhone or shared with any third-parties by Apple. Instead, they create a Device Account Number, which is encrypted and stored on the phone. But unfortunately, many people fall prey to Apple Pay scams.
So, I wouldn’t say one is necessarily safer than the other. It all comes down to how you handle each account, security-wise.
To Sum Up
All in all, Apple Pay is a highly secure payment method. Be careful though, and keep in mind the protection guide I put in place above on how to avoid Apple Pay scams. It’s always best to be proactive when it comes to your own security and not rely solely on the built-in security features of any digital payment technology.
Do you use Apple Pay? Have you ever fallen prey to Apple Pay scammers? Share your comments in the section below.
The post Is Apple Pay Safe? Answering All Your Questions and More appeared first on Heimdal Security Blog.