Apple Credit Card: Not So Secure, nor Private

Apple Card is here. It boasts anti-fraud security features and interesting privacy promises.

But is there much that’s new here? Probably not: People are saying it’s just a glossy sheen on top of existing technologies, and the privacy aspect ain’t all that.

What gives? In today’s SB Blogwatch, we wonder what all the fuss is about.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a new escalator etiquette.


GS+MC+AAPL = Meh

What’s the craic, Zack Whittaker? “Apple Card will make credit card fraud a lot more difficult”:

 Apple’s new credit card has a curious security feature that will make it much more difficult to carry out credit card fraud. … Apple Card is a new credit card, built into your iPhone Wallet app [with] a range of security and privacy features.

One feature — a one-time unique dynamic security code — will make it nearly impossible for anyone to use the credit card to make fraudulent [online] purchases. That three-digit … CVV on the back of your credit card is usually your last line of defense.

But rotating the security code will increase the difficulty for an attacker to use your card without your permission. [And it’s] protected by a biometric, like Touch ID or Face ID in newer devices.

Sounds cool. But Rene Ritchie is conflicted—“Terrific version of a terrible business”:

 Apple is … partnering not with any long-established, long horrible bank, but with a new bank … Goldman Sachs [which] admittedly has a pretty **** horrible history all its own. But [it] is kinda like Cingular was when the iPhone first launched — just desperate enough to let Apple do pretty much whatever Apple wants to do.

And if this sounds a lot like an inflection point, I think that’s because it is. … But it’s still a credit card, and that means … the business model is still awful. The entire credit card industry is still absolutely and unabashedly evil.

Apple’s doing some good stuff to mitigate it [but] I’d much rather see something like American Express, the classic version, where you can’t carry a balance and so there’s no usurious interest rates and no debt-built business. Which, frankly, should be absolutely illegal anyway.

I can’t help but wonder how much better it would be if Apple wasn’t saddling itself with the traditional banking system. [But] Apple’s privacy-first policy is extending all the way through Apple Card as well. That includes not sharing your information with Goldman Sachs.

ikr? Chris Plante—@plante—thinks similar:

 Hilarious that Tim Cook didn’t want a Dr. Dre tv series because it would tarnish the brand’s reputation, but he’s totally down to get in the credit biz.

Unsurprisingly, Mastercard’s Craig Vosburg is more bullish. He brands it “A Card for Our Digital Era”:

 Simplicity, security and ubiquity sit at the very core of some of the most progressive innovations of our generation. [We] have been behind a number of these types of innovations such as development of token services.

Together with Apple … and Goldman Sachs … we’re launching the first ever Mastercard Digital-First card. … It takes seconds to authenticate and is ready for the cardholder to tap, swipe and check out.

At the core of both these announcements is our token services and M Chip technologies that help store the card on a digital device without exposing important details and also enable fast contactless payments.

So not really Apple’s technology, just as with Apple Pay? Mark Sullivan sees it as part of a trend—“Apple felt like a totally different company today”:

 While I sat inside the Steve Jobs Theater … I realized Apple was not the same company I knew not long ago. … Apple, under CEO Tim Cook, is becoming a services company to account for flagging iPhone sales growth.

Part of the reason the presentation felt so different is because it was as much about other companies as it was about Apple. It was about Apple putting an Apple wrapper on a bunch of content and services made by third parties.

And dmayle deobfuscates it some more:

 What they described was card tokenization via the existing EMV standard for contactless.

Tokenization is using a unique per-device credit card. These are generated by the payment network, so Mastercard knows who is making the payment. EMV includes per-transaction tokens.

MasterCard shares this data with the credit networks, and the credit networks sell this data to third parties.

Oh no. Here’s Ben Fox Rubin’s first draft of a headline:

 After mocking credit cards, Apple creates a credit card.

Mastercard spokeswoman just confirmed to me that the Apple Card physical credit card won’t be contactless. Oh well.

Cards are all moving to contactless in US, regardless of Apple Pay’s existence. … It needs a whole RFID type antenna built inside it. Hard to do with titanium.

But is all this really new? Despite Apple and Mastercard saying so, it ain’t, says jonomacd:

 I’m all for that but I’d rather it come from a smaller player in the space. For example, Monzo in the UK is doing similar one time code things.

And foobarbazetc comments in a similar vein:

 There’s nothing interesting here. Simple did this whole categorized transaction, friendly in app chat customer service, blah blah thing years ago. But it was also a current account. … Capital One has been doing this sort of thing too in their mobile apps for credit cards.

But the average American is terrible at money management. … The titanium card is shiny and free. So I think this will get some traction, but there’s really nothing interesting about it from a finance or fintech perspective.

There’s just something weird about this. I don’t know quite what that is.

I think I know who does. André Borie thinks his “Thoughts on the Apple Card”:

 On the privacy side … I suspect it’s a lot of marketing BS and nothing else (and I say that as a privacy advocate). … The very nature of card payments means there’s a paper trail both at the merchant, at the card network … and at the issuer.

In fact, the paper trail has to exist for regulatory & compliance purposes – let’s imagine for a second that the privacy aspect truly worked and transaction history was only stored on your phone – what will you do if your phone dies/gets stolen/etc, you had no backup and now the taxman is asking you questions – how are you going to answer? In fact, Apple themselves would get into a lot of trouble if they’re allowing you to transact without leaving any records.

[It] most likely means that transaction “enrichment” (the process that transforms the raw transaction data into a nice display of merchant name, location, category, etc.) is done on the device instead of in the cloud, which seems extremely inefficient and error-prone. … Monzo can handle this fine because the database is shared across everyone (so you benefit from everyone else’s corrections and they benefit from yours).

In the UK we are lucky to have a healthy competitive “fintech” market with banks such as Monzo and Starling Bank, but little of that carried over to the US where banking is still stuck in the dark ages. … Overall, this card is a lot of hype for not much and will struggle to gain adoption outside of the US. … What a shame.

And here’s a more succinct ignoramous:

 Cash is the most privacy friendly payment method. Followed by virtual credit cards, which aren’t really that private but an improvement.

Here with Apple Card, even if Apple might not choose to centralise your payment data, the underlying network (MasterCard, in this case) most certainly can know where you spent it, and vendors at point of sale can keep track of it too.

Meanwhile, GungaDan snarks it up:

 The thinnest and lightest credit card in history.

Now with rounded corners, and no headphone jack! Works almost anywhere Mastercard is accepted. As long as you’re not holding it wrong.

And Finally:

Escalators: Have we been using them wrong all this time?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Apple


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
