Apple Pay on the wrist: How Apple’s watch gets around the ID problem


Apple only gave a fleeting demo of how contactless payments would work on its new Apple Watch at its Spring Forward event on Monday, but it was an impressive one. You select a card from Passbook in the watch interface and then tap the wearable device against the payment terminal or wave it over it and, presto, your credit card is charged. The watch emits a tone and a vibration to show the transaction has gone through.

Furthermore, according to reports from the event, Apple Pay doesn’t always need to be manually activated in the watch. If you move your hand close to a near-field communications (NFC) based terminal, the app will immediately become active and use your primary credit card for payment — most likely the terminal’s NFC radio “wakes up” the NFC chip along with the Pay app in the Watch.

There also doesn’t seem to be any passcode or other ID authentication necessary. Most retailers will ask for a signature (after the EMV transition this year, many will start asking for PIN codes) if the purchase is over $20 or $25, but Apple seems to be removing every other barrier possible to simple tap-and-go payments in its new wearable device.

But how does Apple do this without compromising security? Rather ingeniously, actually. The Apple Watch appears to use its other sensors to make an indirect ID. Last week at Oracle Arena, Apple head of internet software services Eddy Cue explained that the watch senses when you put it on and then asks for authentication, which you can give by supplying a fingerprint on the iPhone 6 or 6 Plus. If you’re using an iPhone 5 or 5s, which don’t support Apple Pay directly, you can enter a PIN code in the phone’s app or on the watch itself.

After that, as long as the Apple Watch is clamped to your wrist, your authentication is valid in Apple Pay. But as soon as the watch detects that you’ve removed it, Apple Pay locks up, requiring you to re-authenticate to re-activate it.


This means you won’t be handing your wristwatch to your waiter to pay your check, but most people probably don’t want to see their new $350-plus fashion accessory disappear behind the bar anyway. Short of a desperate criminal cutting off your hand at the forearm, it’s a pretty full-proof system: Apple Pay is active when the watch is on your wrist, and it’s nullified when the watch comes off.

What’s particularly interesting to think about is how this kind of variable authentication might be used to validate different types of transactions in the future. Anyone who has ever shopped with a piece of plastic knows that different levels of security come into play depending on what and where you’re buying. For instance, self-service gas stations typically ask for your zip code at the pump. Signature requirements kick in at a grocery store if you rack up a high enough bill. And if you’re making a big dollar-amount purchase, a clerk will often ask to see a picture ID.

Apple could fit different levels of Apple Pay authentication to those various retail security policies and then offer them up as options to merchants or payment processors. For instance, any purchase under $25 may not require any additional verification beyond a wave of a wrist. A more expensive purchase that would normally require a signature could be handled with a PIN code entered on the watch, instead of a John Hancock with a pen. A very expensive transaction could require Touch ID verification on the phone and a PIN number to boot.
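The wrist-bound session described earlier and the tiered checks suggested here can be modelled as a small state machine. This is an added illustration, not Apple's implementation: the class, function and factor names are hypothetical, and only the $25 boundary comes from the article (the $500 upper tier is an assumed value).

```python
from enum import Enum

class Factor(Enum):
    WATCH_PIN = "PIN entered on the watch"
    PHONE_TOUCH_ID = "Touch ID on the paired phone"

# $25 is the article's example boundary; the upper boundary is an
# assumed value chosen only for illustration.
LOW_LIMIT_CENTS = 25_00
HIGH_LIMIT_CENTS = 500_00  # assumption, not from the article

def required_factors(amount_cents):
    """Extra factors the article's hypothetical price tiers would demand."""
    if amount_cents < LOW_LIMIT_CENTS:
        return set()
    if amount_cents < HIGH_LIMIT_CENTS:
        return {Factor.WATCH_PIN}
    return {Factor.WATCH_PIN, Factor.PHONE_TOUCH_ID}

class WristSession:
    """Authentication that stays valid only while the watch is worn."""
    def __init__(self):
        self.on_wrist = False
        self.unlocked = False

    def put_on(self):
        # Wearing the watch only prompts for authentication; it never unlocks.
        self.on_wrist = True
        self.unlocked = False

    def authenticate(self, credential_ok):
        # Fingerprint on the phone or a PIN; it only counts while worn.
        self.unlocked = self.on_wrist and credential_ok
        return self.unlocked

    def take_off(self):
        # Removal invalidates the session immediately.
        self.on_wrist = False
        self.unlocked = False

    def authorize(self, amount_cents, fresh_factors=frozenset()):
        """Return (approved, reason); fresh_factors are step-up checks just passed."""
        if not (self.on_wrist and self.unlocked):
            return False, "locked: authenticate after putting the watch on"
        missing = required_factors(amount_cents) - set(fresh_factors)
        if missing:
            names = ", ".join(sorted(f.value for f in missing))
            return False, "step-up needed: " + names
        return True, "approved"
```

The edge case to notice is `take_off()` followed by `put_on()`: the session stays locked until `authenticate()` succeeds again, which is what makes a removed watch useless for payment.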

I don’t know about you, but if I’m about to pay a $900 bill with my watch, I don’t mind jumping through a few extra hoops. On the other hand, I do get really annoyed when I’m forced to go through four or five different screens on a drug store’s payment terminal when all I’m doing is buying a stick of deodorant. If Apple could match a purchase’s level of hassle to its price, then it could do something much more impressive in payments than merely making them contactless.

11 Comments

ewalsh5

Is it just me, or there’s just too much praise for Apple around here? They ‘used to’ design great products and apps. Now they merely follow market trends in application development and integrated deployments (and still often miss the mark.) I’d like to know how well the sales are going or app integration is, let’s try to reason out how well they have cloud, SAP and Salesforce connectors, pipeline management and how agile their analytics gathering is regarding sales operations? It’s typical of launching a rickety beta version of things and letting customers figure out the rest. (more questions here: bit. ly/ 1Bmq2SP) – Eamon Walsh, commenting on behalf of IDG and Kony

DJ Wulfse

“Short of a desperate criminal cutting off your hand at the forearm, it’s a pretty full-proof system: Apple Pay is active when the watch is on your wrist, and it’s nullified when the watch comes off.”

All technicalities aside, what would happen if any “desperate criminal” would acquire a payment reader (for lack of a better name) and walk through a crowd? Every watch, Apple or other, would be scanned and in a matter of minutes the criminal could rack up tons of “small” payments of $20-25 without anyone noticing.

I’m not saying it won’t work, but I’d like to have at least 1 layer of security, such as fingerprint or PIN for even the smallest payment, even if it’s only for my peace of mind…

Dagge

I prefer a device that will earn me money, not spend it. Startupers... any?

Max Power

It’s fool-proof, not “full-proof”. And the security provided by Touch ID either at the point of sale in a phone only Apple Pay situation, or at the point of putting the watch on, for any transaction, is plenty of security.

Stop deconstructing the Apple security method as if it needs to stand on its own. Current measures of fraud prevention are practically non-existent. A signature is no security at all. Half the clerks don’t even care if you’re using a card with your own name, so forget about being asked for ID. All of these currently existing security measures can be circumvented without severing limbs or performing any sleight of hand.

Also, please don’t spread false information. Apple never said a thing about extra security measures based on price. That means if I go to Walgreens – I wave my wrist for a pack of gum or a tube of lip balm. It also means that if I decide to buy another Apple Watch, even a $17,000 gold Apple Watch, I can walk into an Apple Store and wave my wrist for that too. No PIN, no reaffirmation of Touch ID, please stop making things up. Every purchase is secured, every purchase is convenient.

Byron Bennett

Thanks for the insight, Kevin! I’ve been hoping payment can be secure, but not require any more effort on my part than waving the watch at a sensor.

Like you said, I wouldn’t mind jumping through a few more hoops for big purchases just to feel safer, even if they are gratuitous…as long as they don’t seem like something Homeland Security dreamed up to make us feel safer about air travel.

Steven L.

“after the EMV transition this year, many will start asking for PIN codes”

No they won’t. In the US it’ll be chip-and-signature.

“If Apple could match a purchase’s level of hassle to its price”

That mostly has to do with credit card processing policy. Your signature is a retailer’s proof that you were present at the time of transaction (which makes chip-and-signature all the more stupid, but I digress).

Why do people keep thinking Apple Pay runs on its own separate system? Tap-to-pay, tokenization, etc. all rely on pre-existing infrastructure implemented by credit card networks.

Byron Bennett

“Why do people keep thinking Apple Pay runs on its own separate system? …”

Most of us (myself included) don’t have a good handle on the flow of data in this process.

Maybe it doesn’t work with the flow of the transaction, but the article’s suggestion that Apple could implement some additional layers of auth for larger ticket items may be feasible if the device knows the amount of the transaction before it coughs up your token.

If the check out register doesn’t send your watch or phone the bill before it gets the token, then that’s probably not possible.

I don’t know how it all works, but I hope that if I make an Apple Pay payment, not only does the watch (or phone) tell me that I’ve paid something, but I hope it tells me how much and to whom. If this data is known to the device prior to passing the token, Apple can probably build in any sort of hoops they want for you to jump through. At the least, it would be nice for the user to be able to enable those hoops if they wanted.

I still wonder if somebody with a Square or other mobile payment thing might be able to get near you on a subway and get your Apple Watch to pay it with nothing more than a beep and a buzz on your wrist. Sure, there is the problem for the thief having to have a payee account set up with Square or somebody, but criminals can be tricky folks.

ron

“I still wonder if somebody with a Square or other mobile payment thing might be able to get near you on a subway and get your Apple Watch to pay it with nothing more than a beep and a buzz on your wrist. Sure, there is the problem for the thief having to have a payee account set up with Square or somebody, but criminals can be tricky folks.”

You need to double-click the bottom button for Apple Pay to activate.

Galunggong Gaming

good article…
