Apple Credit Card: Not So Secure, nor Private

Apple Card is here. It boasts anti-fraud security features and interesting privacy promises.

But is there much that’s new here? Probably not: People are saying it’s just a glossy sheen on top of existing technologies, and the privacy aspect ain’t all that.

What gives? In today’s SB Blogwatch, we wonder what all the fuss is about.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a new escalator etiquette.

What’s the craic, Zack Whittaker? “Apple Card will make credit card fraud a lot more difficult”:

 Apple’s new credit card has a curious security feature that will make it much more difficult to carry out credit card fraud. … Apple Card is a new credit card, built into your iPhone Wallet app [with] a range of security and privacy features.

One feature — a one-time unique dynamic security code — will make it nearly impossible for anyone to use the credit card to make fraudulent [online] purchases. That three-digit … CVV on the back of your credit card is usually your last line of defense.

But rotating the security code will increase the difficulty for an attacker to use your card without your permission. [And it’s] protected by a biometric, like Touch ID or Face ID in newer devices.

Sounds cool. But Rene Ritchie is conflicted—“Terrific version of a terrible business”:

 Apple is … partnering not with any long-established, long horrible bank, but with a new bank … Goldman Sachs [which] admittedly has a pretty **** horrible history all its own. But [it] is kinda like Cingular was when the iPhone first launched — just desperate enough to let Apple do pretty much whatever Apple wants to do.

And if this sounds a lot like an inflection point, I think that’s because it is. … But it’s still a credit card, and that means … the business model is still awful. The entire credit card industry is still absolutely and unabashedly evil.

Apple’s doing some good stuff to mitigate it [but] I’d much rather see something like American Express, the classic version, where you can’t carry a balance and so there’s no usurious interest rates and no debt-built business. Which, frankly, should be absolutely illegal anyway.

I can’t help but wonder how much better it would be if Apple wasn’t saddling itself with the traditional banking system. [But] Apple’s privacy-first policy is extending all the way through Apple Card as well. That includes not sharing your information with Goldman Sachs.

ikr? Chris Plante—@plante—thinks similar:

 Hilarious that Tim Cook didn’t want a Dr. Dre tv series because it would tarnish the brand’s reputation, but he’s totally down to get in the credit biz.

Unsurprisingly, Mastercard’s Craig Vosburg is more bullish. He brands it “A Card for Our Digital Era”:

 Simplicity, security and ubiquity sit at the very core of some of the most progressive innovations of our generation. [We] have been behind a number of these types of innovations such as development of token services.

Together with Apple … and Goldman Sachs … we’re launching the first ever Mastercard Digital-First card. … It takes seconds to authenticate and is ready for the cardholder to tap, swipe and check out.

At the core of both these announcements is our token services and M Chip technologies that help store the card on a digital device without exposing important details and also enable fast contactless payments.

So not really Apple’s technology, just as with Apple Pay? Mark Sullivan sees it as part of a trend—“Apple felt like a totally different company today”:

 While I sat inside the Steve Jobs Theater … I realized Apple was not the same company I knew not long ago. … Apple, under CEO Tim Cook, is becoming a services company to account for flagging iPhone sales growth.

Part of the reason the presentation felt so different is because it was as much about other companies as it was about Apple. It was about Apple putting an Apple wrapper on a bunch of content and services made by third parties.

And dmayle deobfuscates it some more:

 What they described was card tokenization via the existing EMV standard for contactless.

Tokenization is using a unique per-device credit card. These are generated by the payment network, so Mastercard knows who is making the payment. EMV includes per-transaction tokens.

MasterCard shares this data with the credit networks, and the credit networks sell this data to third parties.
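To make the rotating security code and the per-device token from the quotes above concrete, here is an added illustration of my own (not Apple’s, Mastercard’s or any commenter’s code). It assumes an HMAC over a transaction counter as a stand-in for whatever derivation the real network uses, and every value in it is constructed.

```python
import hashlib
import hmac

# Constructed sample values for this illustration only; no real card data.
PAN = "4111111111111111"                      # placeholder primary account number
DEVICE_TOKEN = "tok-device-0001"              # per-device token stands in for the PAN
DEVICE_SECRET = b"constructed-device-secret"  # provisioned to device and issuer only
STATIC_CVV = "123"                            # the fixed three-digit code being replaced


def dynamic_code(secret: bytes, token: str, counter: int) -> str:
    """Derive a three-digit code bound to the device token and a transaction counter."""
    msg = f"{token}:{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


class Issuer:
    """Issuer-side authorization: maps tokens back to the PAN and rejects reuse."""

    def __init__(self) -> None:
        self.vault = {DEVICE_TOKEN: (PAN, DEVICE_SECRET)}  # token -> (PAN, secret)
        self.spent = set()                                  # (token, counter) already used

    def authorize(self, token: str, counter: int, code: str) -> str:
        if token not in self.vault:
            return "decline:unknown_token"
        _pan, secret = self.vault[token]
        if (token, counter) in self.spent:
            return "decline:replay"           # same code presented a second time
        if not hmac.compare_digest(code, dynamic_code(secret, token, counter)):
            return "decline:bad_code"
        self.spent.add((token, counter))
        return "approve"


def static_authorize(cvv: str) -> str:
    """Legacy check: a fixed CVV is accepted every time, so a leaked copy keeps working."""
    return "approve" if hmac.compare_digest(cvv, STATIC_CVV) else "decline:bad_code"


def run_scenario() -> list:
    """One legitimate purchase, then two attempts that reuse data copied from that merchant."""
    issuer = Issuer()
    counter, code = 1, dynamic_code(DEVICE_SECRET, DEVICE_TOKEN, 1)
    results = [issuer.authorize(DEVICE_TOKEN, counter, code)]       # approve
    results.append(issuer.authorize(DEVICE_TOKEN, counter, code))   # decline:replay
    results.append(issuer.authorize("tok-unknown", counter, code))  # decline:unknown_token
    results.append(static_authorize(STATIC_CVV))                    # approve: static CVV replays
    return results
```

The merchant never sees the PAN or the device secret, so a breach there yields only a token and a spent code; the last result shows why a static CVV does not give that property.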

Oh no. Here’s Ben Fox Rubin’s first draft of a headline:

 After mocking credit cards, Apple creates a credit card.

Mastercard spokeswoman just confirmed to me that the Apple Card physical credit card won’t be contactless. Oh well.

Cards are all moving to contactless in US, regardless of Apple Pay’s existence. … It needs a whole RFID type antenna built inside it. Hard to do with titanium.

But is all this really new? Despite Apple and Mastercard saying so, it ain’t, says jonomacd:

 I’m all for that but I’d rather it come from a smaller player in the space. For example, Monzo in the UK is doing similar one time code things.

And foobarbazetc comments in a similar vein:

 There’s nothing interesting here. Simple did this whole categorized transaction, friendly in app chat customer service, blah blah thing years ago. But it was also a current account. … Capital One has been doing this sort of thing too in their mobile apps for credit cards.

But the average American is terrible at money management. … The titanium card is shiny and free. So I think this will get some traction, but there’s really nothing interesting about it from a finance or fintech perspective.

There’s just something weird about this. I don’t know quite what that is.

I think I know who does. André Borie thinks his “Thoughts on the Apple Card”:

 On the privacy side … I suspect it’s a lot of marketing BS and nothing else (and I say that as a privacy advocate). … The very nature of card payments means there’s a paper trail both at the merchant, at the card network … and at the issuer.

In fact, the paper trail has to exist for regulatory & compliance purposes – let’s imagine for a second that the privacy aspect truly worked and transaction history was only stored on your phone – what will you do if your phone dies/gets stolen/etc., you had no backup and now the taxman is asking you questions – how are you going to answer? In fact, Apple themselves would get into a lot of trouble if they’re allowing you to transact without leaving any records.

[It] most likely means that transaction “enrichment” (the process that transforms the raw transaction data into a nice display of merchant name, location, category, etc.) is done on the device instead of in the cloud, which seems extremely inefficient and error-prone. … Monzo can handle this fine because the database is shared across everyone (so you benefit from everyone else’s corrections and they benefit from yours).

In the UK we are lucky to have a healthy competitive “fintech” market with banks such as Monzo and Starling Bank, but little of that carried over to the US where banking is still stuck in the dark ages. … Overall, this card is a lot of hype for not much and will struggle to gain adoption outside of the US. … What a shame.

And here’s a more succinct ignoramous:

 Cash is the most privacy friendly payment method. Followed by virtual credit cards, which aren’t really that private but an improvement.

Here with Apple Card, even if Apple might not choose to centralise your payment data, the underlying network (MasterCard, in this case) most certainly can know where you spent it, and vendors at point of sale can keep track of it too.

Meanwhile, GungaDan snarks it up:

 The thinnest and lightest credit card in history.

Now with rounded corners, and no headphone jack! Works almost anywhere Mastercard is accepted. As long as you’re not holding it wrong.

And Finally:

Escalators: Have we been using them wrong all this time?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Apple

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
