Does Apple Pay trust your spouse more than you do?

Does Apple Pay trust your spouse more than you do?

Consumer Reports' investigation finds the new virtual wallet system could use an extra step

Published: October 24, 2014 04:45 PM

Find Ratings

Apple has gone to great lengths to promote the security of Apple Pay. A white paper on the security of Apple's mobile operating system, iOS, claims that: "Apple Pay doesn't collect any transaction information that can be tied back to the user. Payment transactions are between the user, the merchant, and the bank."

Indeed, security professionals have mostly positive impressions of the design of Apple Pay. Robert Neivert, COO of the secure search engine Private.me, said: "It is a significant improvement over using a credit card. Since the vendors do not receive any personal information during the transaction, it would render the breaches at Home Depot, Target, and others worthless."

But I was curious about another aspect of Apple Pay: Its ability to quickly scan a credit card using the iPhone's camera and integrate it into Passbook, the app that iPhones and iPads use to store payment and loyalty cards. At Apple's event introducing the iPhone 6 and 6 Plus in September, the company demonstrated the process by letting journalists instantly import a sample payment card onto an iPhone and then make a fake purchase moments later at a credit card terminal. Is it really that simple in real life? And if so, is it secure?

According to the white paper, the process (known as "credit and debit card provisioning") works like this: You aim the camera of an iPhone 6, 6 Plus, or one of the new iPads at a credit card, and the device reads the card number, customer name, and expiration date off the face of the card, then encrypts that data and sends it to Apple's servers. Apple then displays any terms and conditions to which the card-issuing bank needs the customer to agree. Once those terms and conditions are agreed to by the end user, the Apple Pay servers send information from the device (which can include the last four digits of the phone number and location information) and info from the user's iTunes account to the bank for verification.

I easily loaded two of my credit cards—an American Express Card and a Chase Slate Visa—onto an iPhone 6 linked to my family's iTunes account.

Apple Pay on the iPhone 6 and 6 Plus

But I also tried adding a few cards that were not mine. I attempted to add multiple cards from two colleagues at Consumer Reports, and while at first it looked as if those cards were going to be approved, the issuing banks ultimately requested additional verification via either a text message, e-mail, or customer service call. That's what's known as two-step or two-factor verification, and it's generally considered to be a higher standard of security for consumer transactions. To import those cards, I would have to be in possession of the card owner's phone, have access to his or her e-mail account, or be able to answer extra security questions.

Then I tried adding my wife's Citibank MasterCard, and it was added to Apple Pay with no request for additional authorization. That was unexpected, since it is my wife's private card, and she has never authorized me as a user. Also, that card isn't associated with our family iTunes account. In fact, I have no current financial relationship with Citibank at all.

I was then able to spend freely with my wife's MasterCard. I took the iPhone to McDonald's and bought five cheeseburgers and fries (which I didn't share with my wife), and I went to Walgreens and bought some cleaning supplies. All the transactions were quick and seamless with the Apple Pay system.

Now, my wife and I love and trust each other, and I did this experiment with her complete cooperation. But it doesn't take too much of a stretch of the imagination to see how the ability to secretly vacuum up your partner's credit card credentials onto your phone could be a problem between spouses in the midst of a breakup or troubled relationship.

I wanted to confirm that I hadn't just experienced a one-time glitch, so I asked one of my married colleagues to try the same experiment. He and his wife also share an iTunes account, and she also has a Citibank MasterCard. He was able to add her card to his account with no additional verification, and he bought several items using Apple Pay with her card. (His wife did get an e-mail from Citibank welcoming her to Apple Pay and letting her know that she could remove the card from the system if she had concerns.)

Why were my colleague and I able to load these cards on our iPhones without additional verification? I contacted Apple, and a representative emphasized that the banks are the entities that authorize a card for use on a customer's iPhone.

So I reached out to Citibank, and a representative there pointed out that I had provided all the important information from the card—card number, expiration date, and card verification value, or CVV, and that the address on my family's iTunes account was the same as the address on my wife's Citibank MasterCard. Also, as part of the authorization process, I had agreed to the terms and conditions, certifying that the card was mine and the name on the card was my own.  

To see how some of the other major financial entities involved in Apple Pay dealt with the provisioning process, I reached out to MasterCard, Visa, Chase, and Bank of America, and it was clear that no one really wants to provide too much detail about how provisioning works. MasterCard and Visa never replied, Bank of America sent us back to Apple and the card issuers for information, and Chase considered the information proprietary, and said only that Chase does provision for Apple Pay and that it had additional methods to verify its customers.

To be sure, once you have someone else's credit or debit card in your hands, you can do quite a bit of damage without needing an iPhone or Apple Pay. For instance, I could have simply added my wife's credit card to my Amazon account. But if I had used her card without her knowledge or attempted to impersonate her for personal gain, I would have been committing credit card fraud, and she would have been guarded by all of the existing fraud protections that are already available to credit card customers.

And the Apple Pay system did prevent me from committing egregious acts of card theft. But if this really is the future of credit card commerce, there's one aspect of the card provisioning process that could be done better. Since the system already has the ability to do two-step verification, why didn't the banks and Apple make it the only way to authorize a card for use? It's hardly an inconvenience. I tried it with a legitimate card and it took a few extra seconds. Sure, it's not as convenient as simply pointing a iPhone camera at your credit card and instantly authorizing it for use, but I know that my wife would have appreciated the extra verification step—and she also wishes I had brought her home at least one of those cheeseburgers she paid for.

—Glenn Derene

Find Ratings

Cell phones Ratings

View and compare all Cell phones ratings.

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Electronics & Computers News

Connect

and safety with
subscribers and fans

Follow us on:

Cars

Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings

Mobile

Mobile Get Ratings on the go and compare
while you shop

Learn more