Apple Pay vs Google Wallet : Lost and Stolen Scenario

Note: You can read all articles in this series by visiting the Table of Contents

Both ApplePay and Google Wallet give very good attention to security. In fact we can even make a blanket statement that almost all mobile wallet services are at least slightly more secure than the traditional Magnetic Stripe cards, but to be honest, that is not a correct comparison. Today, we are trying to disrupt the payment industry through innovation and modern technology. In the process we should strive to achieve unprecedented levels of revolutionary security, not just an evolutionary next step.

ApplePay and Google Wallet are both focussed on achieving that. Both of them deal with security at all levels within the payment lifecycle without compromising convenience to the consumers. Today, let’s talk about some similarities and differences in their security strategy when it comes to Lost and Stolen devices.

Traditionally, when we lose our physical wallet, our immediate next step is to identify all the credit cards, debit cards and stored-value cards we had in that wallet, call the respective bank’s customer service phone numbers one by one and report it as lost or stolen. It is a tedious and very involved job that no one ever likes. Between the time we realize that our wallet was stolen and the time we report it to the Issuers, we can only hope that it has not been misused for fraud. Even after the card has been reported stolen, there is still a chance of misuse based on offline transactions that is common is some places. Liability clauses aside, it is the duty of the consumer to report any suspicious activity in their account and that is another painful task. Even if we assume that the consumer is fully protected, the fraud in general has taken place and someone in the payment ecosystem is bound to lose, not the fraudster.

Now, let’s consider the scenario where you have lost your Google Wallet equipped Android phone or an ApplePay equipped iPhone with multiple payment accounts stored inside it.

Unlike our physical wallet, which does not come with a lock and key, Google Wallet is protected by a PIN that only you know. In ApplePay, the wallet is protected using Touch ID (biometric fingerprint authentication), which only you have. A low-tech thief will not be able to breach even this first level of security. They will not be able to use any of the cards stored inside our wallet even though they have the wallet in their hands. I guess, they will just have to be happy with their new and shiny smartphone.

Once you realize that you have lost your phone, you don’t have to panic trying to remember all the cards you had inside it and trying to find their customer service numbers and so on. Of course, you have all the rights to be unhappy that you lost your expensive phone, but that is a different discussion. You can easily go to Google Wallet website and mark your wallet as lost or stolen with just a couple of clicks. Similarly, you can go to Apple’s iCloud website and put your phone in Lost mode. In both cases, if and when your phone comes online, it will immediately be placed in Lost mode.

For a moment let’s assume that the fraudster is not as low-tech as we thought and somehow circumvents the first level of security (PIN or Touch ID). Now that we have put the phone in lost mode, we have enabled the second level of security. In case of Google Wallet, the phone will refuse to make any payment transaction even if they hacked the PIN. In case of ApplePay, the tokens stored inside the embedded Secure Element will be erased thereby making it impossible to perform a payment transaction even if they have hacked the Touch ID. This second level of security makes the wallets doubly secure.

Once you have completed the above simple and straight-forward step, you are pretty much safe. You don’t even have to call your card issuer banks at all. In fact, you can continue to use your payment cards as usual without waiting for a new card to be posted via snail mail. This is pretty cool. But, just in case you want to be triply sure, you can always call your card Issuers in your leisure time and report them lost or stolen. If you do that, your physical cards will be blocked and you may have to wait for your new cards to be issued before making any new payment transaction. It is not necessary to perform this step, but it is always there if you need it.

Earlier, while discussing the lost mode for these mobile wallets, we blissfully ignored one important scenario. The lost mode can be communicated to your mobile wallet only if your phone is online. If your phone does not come online, neither Apple nor Google will be able to propagate the lost mode to their respective wallets. What if our high-tech thief makes sure that your phone does not go online after stealing it? Technically, this compromises the second level of security. If (a big If) they were also able to hack the first level of security (PIN or Touch ID), then it may seem that they are all set to steal our money. Let’s analyze this scenario in the context of ApplePay and Google Wallet.

In the case of ApplePay, the assumption is that, biometric fingerprint authentication is strong enough and cannot be broken. That is the reason why ApplePay does not allow for PIN based authentication of payment transactions because they consider it as technically less secure. In the rarest of scenarios where the fraudster is able to successfully crack the fingerprint auth and also successfully makes sure that the phone cannot be put into lost mode, then there is an open loop hole that can be exploited (unless I am missing something). In this scenario, we always have our last resort (third level of security) of locking our physical cards though.

In the case of Google Wallet, we cannot assume the PIN to be as strong as biometric fingerprint authentication. Moreover, it is also possible to configure Google Wallet such that it does not prompt for PIN for a certain time-period. This leaves a hole in security if your device is lost during that time-period. But, Google has one more trick up its sleeve. Unlike ApplePay, where a payment transaction never enters Apple’s servers, Google wallet’s cloud server does come into picture when a payment transaction is conducted. Google has to authorize a transaction in transit. So, technically, even if the fraudster does not allow the phone to go to lost mode and successfully cracks the PIN as well, at the end of the day, the transaction has to pass through Google wallet’s cloud servers. Since we have already placed the wallet in lost mode in the server (although it is not yet propagated to the physical phone), the transaction will be rejected by Google at the server side. The fraudster can do nothing but be shocked after all the hard work he has done trying to steal our money.

In conclusion, for lost/stolen device scenario both ApplePay and Google Wallet offer multiple layers of security. Some may consider ApplePay’s biometric auth to be more secure, while others will think that Google Wallet’s server side auth is a better strategy. Technically both are sound and revolutionary. We will just have to wait and see which one stands the test of time in the real-world.

Related Reading:

 
 
Mobile Payments: What is Apple Pay?
 
 
Apple Pay – An attempt to demystify – Take 2

Ganeshji Marwaha

I spend my days as the Director of Technology for Mobility practice and help my clients design enterprise and consumer mobile strategies. Mobile Payments, Digital Wallet and Tokenization technologies are my areas of specialization
  • Darcy Tsai

    Thanks 4 ur useful analysis

  • NDH

    This is really good! Ty!

  • Justin Eltoft

    Hi Ganeshji,

    Thanks for writing your blogs on mobile payments. They are very informative and interesting. One question on this one here about apple pay. You mention ApplePay has the open loop for second level security if the phone is kept offline. But per this link on ApplePay they seem to maybe say that’s not the case. Can you clarify? Is Apple able to cancel the “virtual” credit cards even with the phone offline because the cards can be cancelled on the payment terminal side?

    From http://support.apple.com/en-us/HT6323
    ——————————————————-

    “If you turned on Find My iPhone on your iPhone 6, you can simply suspend Apple Pay by placing your device in Lost Mode using Find My iPhone instead of immediately canceling your cards. You can also permanently remove the ability to pay with Apple Pay using the cards on your device by erasing the device remotely using Find My iPhone or Removing All Cards by going to iCloud.com/Settings.

    Your cards will be suspended or removed from Apple Pay by your bank or the respective payment network even if your device is offline and not connected to a cellular or Wi-Fi network. You can also call your bank to suspend or remove your cards from Apple Pay.”

  • Hi Justin,

    That is a very valid question. I did look into the same scenario when i did my research to write this blog. Apple has some contradicting statements on their website regarding this, or at least it seems contradicting to me.

    Look at http://support.apple.com/en-us/HT6534. Here it says that the payment instruments will be removed even if your device is offline when you use “find my iPhone” feature.

    Look at http://support.apple.com/en-us/HT201472. Here it says that none of the actions will be propagated to the phone if the phone is offline when you use “find my iPhone” feature. It will be propagated only when the device comes back online.

    In fact, i was planning to write a follow-up post about this contradiction. Do you have any thoughts on what I may be missing here?

  • sonoran

    This is the understanding I got from reading Apple’s technical description of ApplePay:

    = When your card is setup all Card info (PAN, CCV #, exp date) is erased from your phone and from Apple’s servers, except for the last 4 digits of your PAN which is kept by Apple to identify you. Also removed is any image of your card taken during setup.

    = Your issuing bank provides a device code that is associated with your credit card account and transmitted to and stored in the secure chip on your phone, along with two encryption keys. This is essentially an abstraction layer that keeps your actual credit card info completely out of any transactions using your phone.

    = When a payment is processed your encrypted device code and an encrypted one-time transaction code are transmitted via NFC to the terminal. The bank then checks to make sure the device code is valid and the transaction code is one that could be validly generated by your device.

    = When you alert Apple that your phone is lost, the device code is deactivated so any transactions arriving with that code will fail at the bank. This can be done by phone call or via the web.

    = Because only the bank has your actual credit card info, there’s no point in deactivating your card if you only lose your phone.

    I don’t know much about wallet, but it seems that Google stores your credit card information on their servers. So Google serves as a clearinghouse for your transactions whereas ApplePay seems to leave this to the bank.

    So Google’s security depends on the how secure their servers are, and how secure your bank’s server are. ApplePay only depends on how secure your bank’s servers are.

  • Hi sonoran,
    That is correct. In this case of Google, there are two cloud servers (google and bank) that could be targets for attack, but in ApplePay’s case it is just one (bank). The disadvantage could be that it is another point of vulnerability. The advantage is that, disabling a payment instrument in the wallet does not need the mobile phone to be online.

  • sonoran

    Your last sentence implies that Apple Pay does require your phone to be online, but from what I read it doesn’t, the following from Apple’s FAQ on Apple Pay:

    “What should I do if my iPhone or iPad is lost or stolen?”

    “With Apple Pay, you authorize each purchase with Touch ID or your passcode. These features help prevent other people from using Apple Pay on your iPhone or iPad.

    If your iPhone or iPad is lost or stolen, you can go to icloud.com/find or use the Find My iPhone app to suspend or permanently remove the ability to pay from that device with Apple Pay. Your cards will be suspended or removed from Apple Pay even if your device is offline and not connected to a cellular or Wi-Fi network. You can also call your bank to suspend or remove your cards from Apple Pay.”

  • Yes, that is what I am saying based on the logic that, information about the phone being “lost or stolen” needs to be communicated to the phone first. To receive that communication, the phone needs to come online.

    I see where you are coming from, with ApplePay docs. I did respond to “Justin”s comment earlier regarding the same documentation.

    Look at http://support.apple.com/en-us/HT201469 Here it says that the payment instruments will be removed even if your device is offline when you use “find my iPhone” feature. (Similar to the FAQ you point out)

    Look at http://support.apple.com/en-us/HT201472 Here it says that none of the actions will be propagated to the phone if the phone is offline when you use “find my iPhone” feature. It will be propagated only when the device comes back online.

  • Random Observer

    Yup but doesn’t matter whether the device is offline. the payments will still not work…
    look at https://support.apple.com/en-us/HT201469
    “Can I continue to use my plastic credit or debit cards if I suspend or remove my cards in Wallet?

    When you suspend or remove your cards in Wallet, your device-specific Device Account Number is suspended or removed. You can continue to use your plastic credit or debit card.”