The biggest difference is that no internet connection is required for the authentication because the bank trusts the user's device. CC number is randomized per transaction so that the merchant does not receive the real CC number.
I've seen cases contactless payment is not supported only for a particular brand and I believe it's because of missing software update on the payment terminal.
Honestly apples approach is pure security theater, as they're not an acquirer that process the transaction at the end.
Instead the real acquirer now reverses apples masking.
The merchants themselves aren't allowed to store the credit card information anyway, otherwise they'd lose their PCI certificate, losing the ability to process credit cards. And if they use a payment processor, then they didn't ever get in contact with the credit card information either.
No clue how/if Google does anything. I was just involved in implementing apple pay at a payment processor that was also an acquirer a few years ago. Ultimately, we've had the same information on the consumer, wherever they used Apple pay or just a regular credit card
I am not an expert in this so I can't explain it in any truly deep detail, and you might be right in terms of "Masking" the identity of the card number if you think this is a privacy feature, but there is much more to it than security theater of a per-device DAN.
Both when using EMV Contactless and when using Apple Pay on the web, some kind of dynamic and/or encrypted data is signed by the secure element of the device. EMV Contactless definitely signs the whole transaction, with Apple Pay on the web in at least some cases it will use either a dynamic CVV code and/or "cryptogram" containing the transaction data similar to the contactless protocol that verifies that specific payment request was signed by the secure device/card.
The payment processors can use this to know the transaction is freshly authorised and is not a replay of a skimmed credit card number/CVV (whether skimmed from another apple pay transaction, or skimmed from entering the static physical card details).
On the merchant/processor side, I believe in some cases you may get a better rate or different fraud protection for such transactions (especially at a large scale), or, it will also factor into the fraud control and the bank/payment network/etc are less likely to reject such a payment as fraud where as it may be more likely to reject the static physical card details as fraud, etc.
If someone knows better or different then please do share.
> EMV Contactless definitely signs the whole transaction, with Apple Pay on the web in at least some cases it will use either a dynamic CVV code and/or "cryptogram" containing the transaction data similar to the contactless protocol that verifies that specific payment request was signed by the secure device/card.
The same is true for chip card payments.
What makes Apple Pay significantly more secure in practice is that issuers can limit the device-specific card number to be only usable with a chip cryptogram, and not e.g. by manually typing it in on a website.
For POS and online payments, the idea was the same (eventually depreciate cryptogram-less use entirely and use 3DS online and chip/EMV at the POS), but alas, it never quite happened that way.
> On the merchant/processor side, I believe in some cases you may get a better rate or different fraud protection for such transactions (especially at a large scale)
Apple Pay usually shifts the liability for fraud to the issuer, yes. This is a huge advantage for merchants that would otherwise usually be on the hook for most types of fraud.
> What makes Apple Pay significantly more secure in practice is that issuers can limit the device-specific card number to be only usable with a chip cryptogram, and not e.g. by manually typing it in on a website.
That's sort of true for non 3DS enabled cards. For 3DS enabled cards, you need a second factor for most transactions on the internet.
> For POS and online payments, the idea was the same (eventually depreciate cryptogram-less use entirely and use 3DS online and chip/EMV at the POS), but alas, it never quite happened that way.
where I live it happened exactly this way since a few years. Online is 3DS only and in person is chip/EMV only
Can you not use your card in US online stores? These mostly don’t support 3DS, so there is still a large fraud vector for compromised cards that work internationally.
Apple Pay is also somewhat different from contactless/chip payments on a card because it's authenticated, whereas (US at least) cards are not authenticated since we don't use PINs.
IIRC in some countries this means it's accepted more or has higher payment limits.
A physical card usually uses the number embossed on the plastic on all other channels (i.e. magnetic stripe, chip, contactless) as well.
That's not a hard rule – some cards have no number embossed/printed at all (e.g. the Apple Card), and it's technically possible to use different numbers. But I haven't really seen it done since it could cause quite some confusion, as e.g. some airlines use the card number to look up your online booking at self-check-in machines, which wouldn't work if the two differ.
There are also some special cases of things that are technically regular old smartcards but that do (I believe) use tokenization/DPANs, like wearable form factor contactless payment devices by Swatch or Fidesmo.
My bad. I read the article but I must have skimmed past the section about DPAN being randomized because I don't remember seeing it. The majority of my attention went the last part about personal details where I thought it was pretty obvious. Short attention span.
I would give them a pass because the demo demonstrates that the windows ARM-to-x64 is mature enough for AAA games (assuming they are not cherry picked). The lack of performance is disappointing but their new chip is competing with base apple silicon and Intel/AMD integrated graphics so it's not egregiously bad or anything.
If you use your laptop as a laptop, the ideal charging habit is 100% and stop worrying about it. You paid for 100% of the battery, you want to use 100% of the battery. It doesn't make sense to artificially cripple the product to extend the life of the device for a questionable period.
Unless it's a desktop with ups, in which case it should stay at 50%-80%.
Yes, Tim Cook could flip a switch and my mac would become activation locked. Considering that Windows 11 has been working really hard to sneak remote attestation below our noses (and other stuff), I think it's safe to cross out Windows as well.
As long as Microsoft wants to keep Windows compatible with user-controllable hardware (like computers that let you disable secure boot and TPM or enroll custom keys), there should always be a way to debloat Windows.
Microsoft doesn't care that much about user-controllable hardware, not as much as they used to. Their partnerships with OEMs have grown very deep and they managed to push Pluton for any device that wants to be certified for W11. They could go a few steps past this in a few short years.
True, Windows will never be as locked down as macOS that only runs on Apple designed custom ARM hardware. I guess my skepticism comes from my expectation that my Windows computer should be able to run games (unlike my macbook which holds personal data and work), and remote attestation is going to be used first in anticheats.
Now that their MacBooks come with 120hz screens with acceptable response time (unlike their early 120hz screens), the value proposition for hackintosh isn't as alluring for me. Previously, I've been worried about the T2 chip and the trend of Apple locking down MacOS, which also turned out to be less of an issue that I thought. The only area that saw significant retreat in macos is gaming.
> The only area that saw significant retreat in macos is gaming.
Mac gaming is probably getting better thanks to wine, crossover, GPTK and Whisky [1]. I am not a gamer but I have seen others playing serious Windows games like FF7 remake (not sure if that counts) on mac.
The problem is, significant portion of "real games" used to run on macOS, and all PC games used to run on BootCamp. Now native mac games are all but extinct and cross-platform toolkits seem to be very hit and miss depending on the games (for now).
Sure, nothing beats bootcamp but that is not strictly macos. Apple's GPTK released last year seems to have greatly advanced gaming compatibility. Probably lots of games still don't work but it looks promising and is getting better. Hope Apple can continue to put resources into that.
I do hope that they would steer some of their resources from Apple Arcade into cross platform porting toolkits.
I think the fundamental problem still remains that games unlike softwares are media and cannot be substituted with equivalents. By pushing their proprietary tech and neglecting native macOS ecosystem over the years, Apple has willingly pushed themselves in to the same corner as with console makers where they cannot compete with the value proposition of PC because of the overwhelming majority of exclusive titles that only run on PC. It's either all or nothing in terms of game coverage, because that's what ultimately allows consumers to "buy one device for (mostly) everything" for a hobby that takes significant upfront investment unlike netflix and hulu for example.
On the subject of copy pasting, does anyone else use the browser's address bar as a quick way to get rid of line breaks? Ideally, I would prefer a less janky way but I do it too infrequently to justify a dedicated program.
Back when I used Windows I used AutoHotKey to do things like stripping formatting, removing line breaks, or whatever I found myself wanting to do frequently. It’s an extra program, but not dedicated to that one feature, I had it doing all kinds of stuff over time.
HammerSpoon on macOS can likely do some similar stuff, but not as powerful, in my limited use of it.
I’m not sure if there is something similar for Linux, I assume so.
As someone that has used M1 Macbook Air for a few years, I can confirm that this is absolutely non-issue unless when you compile for an extended duration.
I've seen cases contactless payment is not supported only for a particular brand and I believe it's because of missing software update on the payment terminal.