Apple Pay, Samsung Pay etc. and security

I do not have an iPhone, sorry! However, there are a couple in my family who do, so I am aware of the apps and advances in that arena. I have been following the Apple Pay technology with a lot of interest. The fact that it is is touch free (“contactless”) is cool in itself, but I am very impressed by the thought that has gone into securing the information from start to finish. The web page titled “Apple Pay security and privacy overview” clearly explains how the technology behind Apple Pay works. I strongly suggest that you read it. In simple terms, a device and credit card specific “secure element” is stored on your iPhone. When you are at a place that accepts this form of payment, using Near Field Communication (NFC) technology, the iPhone and a payment terminal communicate. After you enter your passcode on iPhone, it then transmits a dynamically generated encrypted information that contains the secure element for the credit card you choose, along with a few other information (presumably, the vendor name, the actual charge etc.). This data is received by the bank or the payment network, which then verifies all of this information and accepts the transaction. The key to all of this is that the information is secure, encrypted and is stored on your device as well as the bank. No one else, including Apple and the vendor has access to this information except perhaps in transit, but without the appropriate keys to decrypt, the information in such a short transit is not useful.

Samsung has come up with Samsung Pay, which is very similar, but has one advantage over Apple Pay. It also can communicate with the traditional magstripe terminals. Google is rumored to be revamping its Google Wallet  to measure up to these. It is fair to say that most of us are not ready to use these and continue to use traditional methods of using the credit cards in the stores as well as through online. There have been numerous breaches where, because the stores retain our information, they have been stolen. Credit card companies are getting better and alert us of fraud detection, which sometimes can be annoying (because of legit charges) and they tend to arrive at the most inopportune moments, such as when you are just about to embark on a trip. I would love to transition to one of these more secure methods asap. In the meantime…

I just want to share with you some of the things we all can do to add protection…

Through the breaches and other means, there are many who have access to the traditional pieces of information required by the credit card companies for verification (last 4 digits of soc sec #, date of birth, address and full name). So, one could make calls and make certain changes with this information. Some credit card companies and financial institutions even allow a password/information reset with these pieces of information. Many do require an additional step of you having to answer a security question. In case you have not bothered to set this up, it is a problem. So, please go ahead and set this up and use this wisely.

I found out that almost all financial institutions now provide an additional security called “Verbal Password”. In case someone has access to the basic pieces of information and wants to make a phone call to make certain changes, having this verbal password becomes an added barrier. You should check with your financial institutions and set this up.

Depending on your risk tolerance and appetite for shelling out $20-$30 a month, you should consider setting up a Security Freeze or Credit Freeze with one or more of the credit reporting agencies such as TransUnion. Whenever you or someone else on your behalf tries to open a new bank account or credit card account, these financial institutions run a credit check through one of these companies. If you have the credit freeze, they will not be able to receive the report. If you are doing it yourself, you know that and you can lift the freeze temporarily to allow the institution to do the check. If someone who stole your identity is trying to do this, you will get notified and they are out of luck. Is it worth the money? You be your own judge.

Almost all credit card vendors provide a form of two factor authentication when you access their online banking. For eg. Bank of America has the system called SafePass. This means, before one can even login to the system online, they will text the person a six  digit code to the cell phone and the person needs to enter it first to get access. There are safeguards and backup plans in case your cell is not easily accessible. They also have a free service called ShopSafe  which seems to be cool. Basically what it does is to provide you a temporary credit card number to use with a particular online merchant  and you can set credit limits. Even if there is a breach and this credit card number is stolen, the damage is very limited. Of course, I am simply referring to a few things that Bank of America provides that I saw online and am in no way endorsing Bank of America in any way, because many of the other credit card companies provide similar services.

Finally, do simple things – create very strong passwords and avoid using an easily identifiable username! And good luck to all of us in this world full of hackers!

Leave a Reply