Tired: Banks that store money. Wired: Banks that store identity | Consult Hyperion


Why doesn’t my bank put a token in my Apple Pay that doesn’t disclose my name or any other personal information, a “stealth card” that I can use to buy adult services online using the new Safari in-browser Apple Pay experience? This would be a simple win-win: good for the merchants as it will remove CNP fraud and good for the customers as it will prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the vault, give me a blank card to go shopping with – a simple use case that will test the viability of the concept.

From Tired: Banks that store money. Wired: Banks that store identity | Consult Hyperion.


Knights in white titanium

Crazy Cards

Six years ago I said that “I have no idea why my debit card has either a magnetic stripe or embossing, and it’s not clear to me why it has my name and bank account number on it either, and I don’t know why it has a signature strip on the back when I don’t want to use it for signature transactions under any circumstances”. Then in 2014, I asked “Why is there a magnetic stripe on my card at all?” as I could not see even then why my debit card had a magnetic stripe on it and I had no intention of ever using my debit card (the subject of the discussion) in a POS terminal at all, let alone a POS in the USA where there was no chip. It’s all different now, of course, because the US has gone over to chip and PIN as well.

POS in Austin, TX

Putting numbers and signatures on cards helps criminals. There’s no need for it. A couple of years later, I asked in “Tired: Banks that store money. Wired: Banks that store identity” why my bank didn’t put a token in my Apple Pay that doesn’t disclose my name or any other personal information, a “stealth card” that I can use to buy adult services online using the new Safari in-browser Apple Pay experience. This would be a simple win-win: good for the merchants as it will remove CNP fraud and good for the customers as it will prevent the next Ashley-Madison catastrophe. Keep my real identity safe in the vault, give me a blank card to go shopping with.

A blank card?  Crazy.

Brazil Nuts

Some years ago, when my colleagues at Consult Hyperion were testing Static Data Authentication (SDA) “chip and PIN” cards in the UK, we used to make our own EMV cards. To do this, we essentially took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.


You might call these cards pseudo-clones. They act like clones in that they work correctly in the terminals, but they are not real clones because they don’t have the right keys inside them. Naturally, if you make one of these pseudo-clones, you don’t want to be bothered with PIN management so you make it into what is called a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programme it to respond “yes” to whatever PIN is entered. We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals.
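The issuer-side check those tests were probing, sketched as an added example that is not part of the original post or Consult Hyperion's test tooling. HMAC-SHA256 stands in for EMV's real key derivation and MAC, and every name, key and card value is constructed for illustration.

```python
import hashlib
import hmac

# All values below are constructed for illustration; none are real card data or keys.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"

def card_key(pan: str) -> bytes:
    # Per-card key derived from the issuer master key (HMAC stand-in for EMV derivation).
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()

def compute_cryptogram(key: bytes, amount: int, atc: int, nonce: bytes) -> bytes:
    # MAC over transaction data, truncated to 8 bytes like an EMV application cryptogram.
    msg = amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def cryptogram_ok(txn: dict) -> bool:
    want = compute_cryptogram(card_key(txn["pan"]), txn["amount"], txn["atc"], txn["nonce"])
    return hmac.compare_digest(want, txn["cryptogram"])

def authorise(txn: dict, check_cryptogram: bool = True) -> str:
    # An issuer that skips this check approves anything carrying valid-looking card data.
    if check_cryptogram and not cryptogram_ok(txn):
        return "DECLINE"
    return "APPROVE"

def approved_with_bad_cryptogram(log: list) -> list:
    # Audit: transactions the host approved although the cryptogram does not verify.
    return [t["id"] for t in log if t["decision"] == "APPROVE" and not cryptogram_ok(t)]

PAN = "4000000000000002"  # constructed test number
NONCE = bytes.fromhex("a1b2c3d4")

# Genuine card: the chip holds the card key, so it can compute the cryptogram.
genuine = {"id": "t1", "pan": PAN, "amount": 1250, "atc": 7, "nonce": NONCE}
genuine["cryptogram"] = compute_cryptogram(card_key(PAN), 1250, 7, NONCE)

# White plastic: same card data, but no key, so the cryptogram field is just filler text.
white_plastic = dict(genuine, id="t2", cryptogram=b"SDAANTIC")

if __name__ == "__main__":
    for txn in (genuine, white_plastic):
        print(txn["id"], authorise(txn), authorise(txn, check_cryptogram=False))
```

Running the audit function over an issuer's authorisation log gives the same answer the white plastic tests were after: any approval it returns is a transaction the host let through without a valid cryptogram.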

I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this he made a similar white plastic pseudo-clone card and went into a shop to try it out.


When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.

The guy, thinking quickly, told him that it was one of the new Apple credit cards!

“Cool” said the shopkeeper, “How can I get one?”.

Titanium Dreams

I wrote up that Brazil story back in 2014! There was no white Apple credit card, of course, at that time but it was interesting that the shopkeeper expected an Apple credit card to be all white and with no personal data on display, just as I had suggested in my ancient ruminations on card security. So imagine my total lack of surprise when the internet tubes delivered the news of the new actual Apple credit card launched in California last week. Apple CEO Tim Cook said that the new Apple Card would be the biggest card innovation “in 50 years” [FT]. This seems a little rough on the magnetic stripe, online authorisation, chip and PIN, debit cards, contactless interfaces and so on, but it is certainly an interesting development for people like me.

The story gathered the usual media interest. I saw a couple of reports on the web reporting on “Apple going into banking” which, obviously, they are not. Far from it. The Apple Card issuer is Goldman Sachs (it’s their first credit card product) and the card product is wholly unremarkable. The card looks pretty cool though, no doubt about that. I still don’t know why they put the cardholder name on the front (instead of their Apple ID), but there you go. Apple Card is launching into an interesting environment. The US POS is a confusing place but Apple know their stuff and I am sure that they think they can use the 2% cash back on Apple Pay purchases vs. the 1% on chip/stripe to push people toward the habit of using their phones at POS instead of cards. Judging by the sign I saw in an Austin gas station, they may be right.

POS sign in Austin, TX

The Apple Card adds security, there’s no doubt about that. The card-not-present PAN and CVV displayed by the app (which can be refreshed) are not the same as the PAN and CVV on the stripe, so you can’t make counterfeit stripe cards with data from the app. Apple also uses the Mastercard token Account Update service, so if you give (say) Spotify the CNP PAN/CVV and then refresh it, you don’t need to tell Spotify that you’ve changed anything because Mastercard will sort it out with Spotify. That’s security for the infrastructure and convenience for the customer.

Now You See It

While I was jotting down some notes about Apple Card, I was thinking about David Kwong, the illusionist. He gave an entertaining talk at Know 2019 in Las Vegas and I was privileged to MC his session. I was sitting feet away from him and I couldn’t figure out how he did it. That’s because he is a master of misdirection!

David Kwong at Know 2019

I can’t help feeling that there’s a bit of misdirection going on with Apple Card. The press are reporting about the card product, but it’s really not that earth shattering. It seems to me that what is really important in the announcement isn’t extending Goldman Sachs’ consumer credit business or that bribe to persuade apparently reluctant consumers to use Apple Pay at contactless terminals instead of swiping their card, but the attempt to get people to use Apple Cash. Cognisant of how Starbucks makes out by persuading citizens to exchange their US dollars that are good anywhere into Starbucks Dollars that are not, and of Facebook’s likely launch of some kind of Facebook Money, Apple are hoping to kick-start an Apple Cash ecosystem.

You may have noticed that as of now, you can no longer fund person-to-person Apple payments (in Messages) using a credit card. You can still fund your Apple Cash via a debit card. You can pay out from your Apple Cash to a Visa debit card for a 1% fee or via ACH to a bank account for free. They want to reduce the costs of getting volume into Apple Cash and make it possible for you to get it out without jumping through hoops. Given that you can do this, you’ll be more relaxed about holding an Apple Cash balance and that means that next time you go to buy a game or a song or whatever, Apple can knock it off of your Apple Cash balance rather than feeding transactions through the card rails.

And why not? In this ecosystem Apple would carry the float, which might well run into millions of dollars (Starbucks’ float is over a billion dollars), and if it could persuade consumers to fund app, music and movie purchases from Apple Cash instead of cards it would not only save money, but anchor an ecosystem that could become valuable to third-party providers as well. With Facebook’s electronic money play on the horizon, I think Apple are making a play not for a new kind of card to compete with my Amex Platinum and my John Lewis MasterCard but for a new kind of money to compete with BezosBucks, ZuckDollas and Google Groats.

Waking up in Singapore

At Money20/20 Asia in Singapore this year, I had the privilege of chairing the opening session on day two. The session was called “Wake Up with the CEOs” and the idea was to have a session where the audience could listen in on a discussion between people at the top of the industry, discussing the issues of the day. I have to say that from the feedback I got, it turned out to be a brilliant idea. Mind you, with a panel comprising Ron Kalifa (Vice Chairman of Worldpay), Aldi Haryopratomo (CEO of GO-PAY, here talking on CNBC), Rohan Mahadevan (SVP International Markets of PayPal) and Laurent Le Moal (CEO of PayU) it would have been difficult to make it boring.

There was no shortage of issues to discuss, one of them being that Worldpay (which The Economist called a “payments plumber”) is merging with FIS to create a $43 billion industry behemoth with the power to re-shape the sector (and with the announcement that they are enabling AmazonPay for their online merchants, they’ve already begun to do that) just a couple of months after Fiserv bought First Data in a $22 billion deal. And PayPal has just invested $750m in a Latin American processor, signalling more global ambitions. Meanwhile the scale of the Asian “wallets” continues to astonish (digital wallets will be a $25 billion business in Indonesia alone within five years). What a time to be in this business! 

Wake Up with the CEOs

One particularly interesting part of the conversation was about the relationship between payments and wallets. Obviously a wallet without payments is useless, but it’s not necessarily the payments that are the profitable part of the wallet. I might not go so far as to call them a Trojan horse, but they are a way to create a channel for higher added-value services. The way that Go-Jek created the Go-Pay wallet to allow its drivers to get paid, and then the Go-Pay wallet gives access to other financial services, is a model that is spreading [Nikkei Asian Review]. What’s more, these Asian players are now beginning to look to other markets (last year, China’s Alipay paid some €200m to sponsor European football) and I’ve no doubt that their energy will benefit those markets.

Somalia seeks Nairobi expert in fake money purge – The East African


The Horn of Africa state has not issued official currency notes since 1991 and is banking on a $41 million donor-funded currency reform plan to phase out the counterfeit notes that account for more than 90 percent of the money in circulation in the country.

From Somalia seeks Nairobi expert in fake money purge – The East African.


Technology and populism

One of the reasons why I love South by Southwest (or SXSW as we cool kids call it) is the serendipity. There’s so much going on at any one time that if you find yourself in a talk that’s not that interesting or not that useful, you can just wander next door into something else. This was how come I found myself listening to a discussion about technology and populism with Samantha Dravis from Clout Public Affairs, Daniel Lippman from Politico, Robby Mook from the Belfer Center and Alex Slater from the Clyde Group.

The general thrust of the conversation

It’s my current fascination with authenticity and the link between digital identity and fake people, fake news and fake organisations that 

SXSW Panel

For me, SXSW19 began with an interesting panel on the business models

Naturally, the conversation drifted toward policy and Elizabeth Warren’s recent remarks

While I agree wholly with the need to protect competition, and therefore capitalism, I do not think that breaking companies up is the way forward

Cindy Cohn said (correctly) that current anti-trust law is not suited to the demands of the digital age.

Hence I asked the panel about the alternative

Don’t break them up, open them up.
