by code4tee 3300 days ago
Sounds like this is more in line with what they did with ApplePay vs traditional credit cards--i.e. they give you randomized IDs each time so the other party can't track you from transaction to transaction. Ads can still appear but they won't know who you are, so it's a direct shot at Google and others looking to give people "targeted" ads based on user behavior. I agree it's an issue that needs addressed. Just because I searched for X two days ago doesn't mean I want to see adverts on X for the next two months.
5 comments

Apple Pay does offer enhanced privacy by not transmitting your name along with your card number, but it doesn't randomize the number with every transaction. In fact you may not want that as it would disrupt email receipt systems and loyalty programs (absent some parallel mechanism).

Apple Pay does something called tokenization, and the goal is more fraud protection than privacy. It generates one new number at card enrollment and uses that exclusively. By using a unique account number which can only be issued by Apple Pay devices, it means it doesn't matter if someone hacks the merchant and steals your number. They can't use it without the associated Apple Pay generated cryptogram, secured by your PIN / fingerprint.

Honestly the enhanced security of Apple Pay is underhyped. It's really great.

I think I just inched toward using Apple Pay. I've been very skeptical until now.
You should read the iOS security guide portion that explains Apple Pay; the security benefits and amount of thought that has gone into the system are pretty amazing.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Sounds to me like they basically transferred chip-and-pin online.

Maybe it is magical in the American sense, but I can't say I get the big whoop from the European side of the Atlantic...

Apple Pay is a generation ahead of chip and pin. It obviates the need to enter a PIN which is more convenient and invulnerable to attacks on PIN terminals, which have defeated chip and pin in the past.[1]

[1] https://en.m.wikipedia.org/wiki/EMV

Some merchants I've noticed no matter how much you spend still require a signature, which I don't really understand. Others such as Kroger require a signature if it's over $50 but they don't take Apple Pay.
What about contactless cards? I personally find contactless cards, common in the UK, much more convenient than having to faff about with my phone, which may be out of battery.
I find the opposite. My phone is just in my pocket, I pull it out tap the fingerprint scanner and I'm ready. My card is tucked away in my wallet and takes a bit longer.

Admittedly being out of battery is a hard problem, but I chose my phone partly because it has decent battery life.

Two reasons Apple Pay is better than contactless cards. One is security. For purchases over a certain amount, cards make you enter a PIN. This is inconvenient and also susceptible to attack. Apple Pay secures every single transaction with your PIN, made convenient by Touch ID.

Two, if "faffing about" is your concern (thank you for that expression by the way, I'm going to start using it), pulling out a card is not really much different from pulling out a phone. But the Apple Watch supports Apple Pay, and that way you don't have to pull out anything. It's really convenient.

If you're wondering how it works securely with the watch, it's pretty smart. You unlock the watch with a PIN when you put it on. It senses when you've removed it from your wrist, so it just stays unlocked until that point. Therefore all Apple Pay purchases are PIN authorized without having to prompt you for it or a fingerprint. All you have to do is wave your wrist by the terminal and confirm.

Also Apple Pay is always online authorized while contactless cards under a certain amount are often not authorized as a speed hack.
I am in Australia and we have had contactless payments for years. Apple Pay with an iPhone was more trouble than using a card. On the other hand since I got my Apple Watch I haven't carried credit cards with me. It started out as a 1 month experiment to see if I could survive and it has never been a problem.
Phone based payments seem to have really failed to gain momentum here in Australia too; we've had contactless cards for a few years now and they've become the norm, using a phone seems to have marginal benefit over that.
My understanding is that contactless cards have a limit of £30 per transaction in the UK. Apple Pay (perhaps it's the same with Android Pay?) has a significantly higher limit.
25 € in Austria. But for higher amounts you can still just hover the card above the terminal and then enter your PIN instead of sticking the card in (at least at some stores).
Note regarding Apple Pay: due to the way credit card networks implement network tokenization, online merchants can actually track you across multiple transactions. You get a per-device ID, of which you can have at most 10 per card (for Visa). Ideally, unique payment tokens would be derived from these IDs for each transaction. In reality, the ID is sent along with a random cryptogram for each transaction, leaving tracking possible (on the same device only). This is because these tokens have to be in the same format as card numbers, and the ranges available to issuers are rather limited.
I've had that problem before as well. My wife was going to Mexico and looking for a new swimsuit, and so I was hitting up the SwimCo website. Cue three months of women's swimwear ads from SwimCo – and nothing else. Almost every single ad on every single page was the same ad in different shapes, all of them for SwimCo.

Recently too I've noticed that Amazon is putting ads in my Instagram feed for specifically things that I've looked at on Amazon within the last day or two. I'll literally click a link to a book or do a search, and then four hours later it'll show up in an ad in the app.

Aside from being kind of pointless (I already know about these items, why are you showing them to me later that day?), it's also all kinds of creepy and unsettling to see Amazon advertising six things I've seen recently, and not even on the same device I was viewing them on.

What's worse is when colleagues at work can look over your shoulder and see everything you are considering buying. Luckily for me my purchasing habits are pretty mundane, but I can imagine this could get quite embarrassing for people shopping for more risky items.
Indeed. It was especially awkward after I searched for "Willy Wonka costume", which prompted Amazon to also show me the results for "Willy costume". Some of those items were then clearly visible in almost every Amazon ad and recommendation I received during the next couple of months.
That's actually not how ApplePay works. You get a new randomized credit card number, but only once. Shops can still track you by checking for the number. You can check that yourself by looking at receipts when you pay with ApplePay - each receipt features the same numbers (most receipts only show the last 4 digits, but they are always the same when you pay with ApplePay).
Indeed, I observed this because our local grocer asks for your email address when checking out so it can send receipts there. After providing mine it never asked again.

It would be really cool if it generated new numbers each time and had an amount coded to that number. So when I wave my Apple Pay device over the reader it would display the amount on the device, I would approve, and then a number would be handed back that's only good for that amount.

Is it a randomized number per card per merchant, or just a randomized number per card?
It's a randomized number per original card. Every merchant sees the same number. According to some other poster, if you have several devices (like an iPhone and an Apple Watch), then you get a new number for each device.

So, not only can a single merchant track you, but all merchants can cross-reference the data they have about you and track your whereabouts, purchasing habits etc. They just don't know who you are anymore, because that information is not transmitted. Unless one merchant asks for your email or home address, and this merchant then adds that email to a shared database, at which point we're back to step 1 and the merchants know everything about you.

Or you just use any kind of loyalty card/account when making a payment using Apple Pay even once. :( I didn't realize it only randomized once and am now disappointed in the way Apple marketed it.
It's per-device/per card, so your Amex gets a different number on your iPhone, watch, and MacBook, as will your Visa.
Nothing about the new PAN is randomized. It's a valid PAN pointing to a dedicated, valid BIN range and has a valid Luhn checksum.
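
A toy model of the scheme the comments above describe (one static, Luhn-valid device token plus a fresh cryptogram per purchase), added here as an example; it is not part of any poster's comment and is not Apple's or a card network's code. The `TokenService` class, the `499999` BIN, and the HMAC cryptogram over a counter and amount are assumptions made for illustration.

```python
import hashlib, hmac, secrets

TOKEN_BIN = "499999"  # constructed placeholder for a dedicated token BIN range

def luhn_check_digit(body: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # rightmost body digit is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def make_cryptogram(key: bytes, counter: int, amount_cents: int) -> str:
    # Toy cryptogram: HMAC over a transaction counter and the amount (an assumption).
    return hmac.new(key, f"{counter}:{amount_cents}".encode(), hashlib.sha256).hexdigest()[:16]

class TokenService:  # hypothetical stand-in for the token vault, not a real network API
    def __init__(self):
        self._vault = {}  # device token -> [funding PAN, device key, last counter]
    def enroll(self, funding_pan: str):
        body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        token, key = body + luhn_check_digit(body), secrets.token_bytes(32)
        self._vault[token] = [funding_pan, key, 0]
        return token, key  # issued once per card per device, then reused
    def authorize(self, token, counter, amount_cents, cryptogram) -> bool:
        entry = self._vault.get(token)
        if entry is None or counter <= entry[2]:
            return False  # unknown token, or a replayed/old counter
        ok = hmac.compare_digest(make_cryptogram(entry[1], counter, amount_cents), cryptogram)
        if ok:
            entry[2] = counter
        return ok

def demo():
    svc = TokenService()
    token, key = svc.enroll("4111111111111111")  # constructed test PAN
    log = []  # what a merchant could retain: (token, cryptogram, approved) per purchase
    for counter, amount in enumerate([1250, 899, 4300], start=1):
        cg = make_cryptogram(key, counter, amount)
        log.append((token, cg, svc.authorize(token, counter, amount, cg)))
    return {
        "all_authorized": all(ok for _, _, ok in log),
        "distinct_tokens": len({t for t, _, _ in log}),       # same token every time
        "distinct_cryptograms": len({c for _, c, _ in log}),  # fresh value every time
        "luhn_valid": luhn_check_digit(token[:-1]) == token[-1],
        "replay_accepted": svc.authorize(token, 3, 4300, log[-1][1]),
        "stolen_token_only": svc.authorize(token, 4, 100, "0" * 16),
    }

if __name__ == "__main__": print(demo())
```

The merchant-side log holds one token across all three purchases, which is what allows same-device linking, while the replayed cryptogram and the token presented without a valid cryptogram are both declined.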
"Just because I searched for X two days ago"

But would you rather see ads for something you might be interested in (however tangentially) or something completely random? Personally I prefer the former, as long as there is some basic sanity filtering involved.