Is Apple Pay safe?

Kamile Viezelyte

Cybersecurity Content Writer

Apple Pay is an easy and secure way for iOS users to pay in stores or online — all they need to do is tap their phone or Apple Watch against a card reader or select an in-app payment option. Despite its convenience, some users have concerns about using this service. To clear up some misconceptions, let’s see what makes Apple Pay a safe alternative to using physical cards.

How safe is Apple Pay?

Apple Pay is considered a secure payment alternative for iOS users. It has built-in security features that ensure protection for sensitive financial details and prevent this data from being exposed to external parties.

When you add a new card to your Apple Pay, its information is protected with end-to-end encryption and forwarded to the Apple servers. Apple then decrypts this data to determine your card’s payment network and uses a key issued by this network to encrypt the data again. Only your bank can use this key to decrypt your card information.

Once your card is verified and approved to be used by Apple Pay, your bank generates a unique representative number known as the Device Account Number. It’s stored within your device’s secure element — a special chip used for financial processing — meaning that if you need to switch phones, your bank will issue a new Device Account Number. This number isn’t backed up to iCloud and can’t be viewed by Apple, making it extremely hard for cybercriminals to compromise.

The core security feature of Apple Pay is tokenization. Instead of revealing your card’s actual number, Apple generates a new token each time you make a transaction. The token expires once the transaction is complete, ensuring that even if a cybercriminal were to access this data, it would be unusable.
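The following Python sketch models the tokenization idea described above; it is an added example, not Apple's or any payment network's code. It assumes a simplified scheme in which the bank maps a card number to a device number and the phone signs each payment with a counter-based one-time code (HMAC-SHA256 stands in for the real payment cryptography), and the names `Issuer`, `Device`, and `one_time_code` are hypothetical.

```python
import hashlib
import hmac
import secrets

def one_time_code(key, device_number, counter, amount_cents):
    # The code is bound to the device number, a counter and the amount.
    msg = f"{device_number}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Bank side: the only party that can map a device number back to a card."""
    def __init__(self):
        self._devices = {}  # device number -> [card number, key, last counter]

    def provision(self, card_number):
        # Fresh device number and key per device; the card number stays at the bank.
        device_number = "49" + "".join(secrets.choice("0123456789") for _ in range(14))
        key = secrets.token_bytes(32)
        self._devices[device_number] = [card_number, key, 0]
        return device_number, key

    def authorize(self, device_number, counter, amount_cents, code):
        record = self._devices.get(device_number)
        if record is None:
            return False
        _, key, last_counter = record
        expected = one_time_code(key, device_number, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # forged code or altered amount
        if counter <= last_counter:
            return False  # code already used: replay rejected
        record[2] = counter
        return True

class Device:
    """Phone side: holds the device number and key, never the card number."""
    def __init__(self, device_number, key):
        self.device_number, self._key, self._counter = device_number, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = one_time_code(self._key, self.device_number, self._counter, amount_cents)
        return self.device_number, self._counter, amount_cents, code  # all the merchant sees

def demo():
    issuer = Issuer()
    dan, key = issuer.provision("4111111111111111")  # constructed test card number
    msg = Device(dan, key).pay(1999)
    return dan, issuer.authorize(*msg), issuer.authorize(*msg)  # second call is a replay
```

In this model a captured payment message contains no card number, and presenting it a second time or with a different amount is declined.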

To connect a bank card to Apple Pay, you need to enable biometric authentication. You can use a passcode, Face ID, or Touch ID to verify your identity whenever you use Apple Pay for transactions.

The combination of biometric authentication, robust encryption, and tokenization creates a strong protective layer for your card data, making it less susceptible to external attacks and data breaches. Furthermore, unlike a physical contactless card, which uses RFID that can be scanned without the owner’s knowledge, Apple Pay uses NFC and requires user verification to process payments.

Addressing real-world security concerns

Despite the robust security dedicated to protecting financial information, some users might be apprehensive about setting up and using Apple Pay. After all, phones get stolen, and phishing attacks can be tricky to spot. Let’s look at some potential risk scenarios and how Apple has addressed them.

What happens if an iPhone is stolen?

If you’ve set up Apple Pay on your device, you might be worried that if your phone gets stolen, the thief will be able to spend your funds and access your financial information. However, Apple has developed protections against this. Even if a criminal managed to unlock your phone and open your Apple Wallet, they’d see the Device Account Number instead of the physical card information.

Your Apple Wallet is protected either by a passcode or biometrics like Face ID. If you use a passcode, the criminal may try to brute force it. However, if you’ve protected your device with biometrics, they won’t be able to unlock your Apple Wallet without your authentication. All payments made via Apple Pay also require authentication, restricting attempts to make unauthorized transactions.

If you’ve noticed that your iPhone or Apple Watch with Apple Pay was stolen and you use the “Find My” feature, you can remotely suspend the service and erase any cards stored in your Apple Wallet when you activate “Lost Mode.” This prevents criminals from discovering and accessing your card.

The problem with Apple Pay scams

Direct hacking is generally not a common threat against Apple Pay. Instead, most users are more likely to be targeted by social engineering attacks that aim to steal their financial information.

Scammers can send phishing emails, fraudulent text messages (also known as smishing), or call you from unknown numbers pretending to be Apple Support. They can ask for information like your full Apple ID, account password, and Device Account Number. Using this information, they can log in to your Apple account and attempt to override your device access.

With these details, hackers may also try to clone your device to access your Apple Wallet. However, such scams are complex and rare. It’s more likely that criminals would breach your Apple account, but even with the given information, they wouldn’t be able to use your Apple Pay without physical access to your iPhone or Apple Watch, which stores the Device Account Number.

Can card skimmers read Apple Pay?

No, card skimmers can’t read Apple Pay the way they read physical cards. Unlike your standard credit or debit card that uses RFID, Apple Pay uses NFC. It transmits an encrypted, tokenized code that can only be decrypted by your bank. When scanned, it doesn’t reveal your card details and typically requires additional confirmation, like entering a passcode or using biometrics, to verify the transaction.

Card skimmers are a common scam tactic used on contactless payment cards. If you carry around a card in your wallet or hold it in your hand, a nefarious passer-by can swipe a card skimmer to drain your funds and steal your card number, CVV, and expiration date. In some cases, if you attempt to pay on a compromised card skimmer, it may be able to extract your card’s PIN as well. Physical card information isn’t encrypted, making it a more vulnerable payment option compared to Apple Pay.

Apple Pay and privacy

Thanks to Apple Pay’s focus on maintaining a high level of security for your card details, it protects your privacy as you pay in stores or online. All transactions are private, and merchants are unable to see your card information, making Apple Pay a safe option for online purchases. Any merchant you buy from can only see the Device Account Number tied to your Apple Pay, while your actual card number remains encrypted.

The Apple Wallet app also maintains privacy for your financial information. If you check your card in the app, you can only see the last four digits of the Device Account Number, while your physical card information remains encrypted and stored in iCloud Keychain. The physical card information is not used for any Apple Pay transactions.

Best practices: How to make Apple Pay even safer

Although you can safely use Apple Pay for purchases and quick payments, it’s not a completely foolproof solution for secure transactions. You can add a few extra security measures to protect your financial information more effectively.

  • Set up a complex device passcode. If you use a passcode to protect your Apple Pay access, make sure that instead of a simple, four-digit PIN, you use a stronger combination. Consider an alphanumeric combination and make it at least six characters long.

  • Don’t share your device passcode with anyone. Knowing your passcode allows others to unlock and access your Apple Pay. Keep in mind that Apple Support will never ask for your passcode, and any party that asks for it likely has bad intentions.

  • Switch to biometric authentication. A weaker passcode may be susceptible to brute-force attacks. To prevent unauthorized access to your iPhone, consider switching on Face ID or Touch ID to secure your Apple Pay details.

  • Use two-factor authentication (2FA) for your Apple ID. If someone were to steal your Apple ID credentials, having two-factor authentication set up helps protect your account from being compromised. Use an authenticator app or biometrics as your authentication method. Don’t use SMS authentication because this method is prone to SIM swap attacks.

  • Switch on “Find My” on your device. “Find My” is a built-in feature that lets you locate your Apple device in case it’s lost or stolen. Having this feature switched on allows you to remotely set your device to “Lost Mode” and suspend or delete sensitive information.

  • Keep your devices up to date. Install security updates as they appear. They help fix software vulnerabilities and ensure your device remains resilient against security exploits.

Bottom line

Apple Pay offers a secure and reliable way to pay for online purchases, in-app transactions, and at physical locations. It prioritizes your privacy and is resilient to many common financial attacks.

However, not all platforms support Apple Pay as a payment method, which might force you to use your unencrypted card details. This can expose your financial information to data breaches. To give your financial security the attention it deserves, check out NordPass Premium.

With the NordPass Data Breach Scanner, you can set up 24/7 automatic dark web monitoring for your credit cards and email address. If the scanner detects any matching compromised information on the dark web, it alerts you immediately.

NordPass also allows you to store your card details in the end-to-end encrypted vault, keeping it secure and synchronized across your devices, whether you’re using an iPhone, Android, or a browser extension. Any time you need to pay online, you can autofill your card details with a single click. Keep your shopping simple and your credit card secure.