Apple Pay & Wal-Mart – Consumers’ Best Interests or Marketing Data?

I don’t expect everyone to know the nitty-gritty details behind what makes “Apple Pay” so great - heck I'm still learning, but I know just enough to understand this really is ground breaking and innovative technology.

No, NFC isn’t ground breaking, it’s been around for a while now. But how Apple is utilizing it is the smartest implementation of it yet.  My opinion.  And yes, it all comes down to security.

You need to ask yourself “what is security to me?”  You need to ask yourself what do I really care about - and that answer is going to give us the limit to what you know and care about. That’s a brutal statement, it was brutal to think up and it was brutal to relay.  Hopefully it came across adequate enough to press the point.  I guess I’ll put myself on the burner and reveal my paranoia out of ignorance and a little bit of truth I’ve grabbed over the years working in the IT Security world.

Security is beyond your credit card data and your banking information.  It’s your identity too.  Just because ‘you’ don’t know what a bad guy can do with bits of your information doesn’t mean what they can do with it is any less real.  With enough time and effort, anybody can work hard enough to get the information needed to get to your funds.  This can be called OPSEC which (IMO) is the #1 way of getting to someone.  Disclaimer:  OPSEC is not the right acronym here.  OPSEC is used differently; however, I disagree with how my industry views OPSEC.  I think OPSEC-ing someone is nothing more than the root behind all phishing schemes that come across in different mediums (email being a great example). I think with enough information on one’s privacy and details is what ultimately leads to the most effective way of getting ‘just enough’ information to take to a dumb kid working at a bank, calling them up, relaying just enough information (obtained by OPSEC), to gain that dumb teenager’s trust, and then they social engineer that dumb kid into your account information.  Dumb teenagers could give two rat asses when it comes to their jobs and your life.  Sadly, they’re everywhere.

This happens every, single, day.  That, my friends, is a fact.

Does privacy play into this?  Yeah, it does.

America is the only country that has little to no privacy laws.  You may have seen/read about Google’s woes overseas.  The UK in particular has taken to doing some ‘funny’ things to Google Street View cars.  You don’t hear too much about that here in the US until Google has done something ‘newsworthy’.  But America? Noooo, America has little to no privacy laws.  What this allows is for retail stores to sell your data to a marketer.  This is nothing new, this is just one reason you have junk mail, (which seems to be getting worse?).

marketing dataThis is Apple Pay’s (and now Google Wallet’s) issues.  The retailers want to control your buying so they can continue to sell your data to marketers.  See, with Apple Pay, the retailer loses out on being able to easily offload that data to a marketing group. Apple Pay’s method removes the retailer from being responsible with your data.  From a security standpoint, that’s awesome.  Think of the recent Target or Home Depot breaches.  They were huge.  Now, because your transactions are completely removed from the store’s systems, you are more or less much more secure than you ever were.  Remember this factoid… most identity theft and fraudulent credit card charges are because the person handling your credit card data (in this case the retailer) has lost its data - not the credit card company.  Apple Pay removes this, and the big retailers want it back.  You see, being able to market your data is more important to them than them being on the hook for losing your credit card data.

Isn’t that sad?

Yet this is the norm anymore and we’ve become desensitized to it.

Some would say… "So yeah, you got OPSEC and you got privacy, and you got how your privacy is violated by retailers… how does that play into OPSEC, social engineering or identify theft?"  Well here’s my paranoia based off working in IT Security. Your data, your information that is used for marketing is and has been, at risk with your retailers for a while now. The more information I know about you the better I can socially engineer you or a bank, etc., into giving me either more information to steal your money information behind your back, or I can build confidence and just take it right in front of you.  This information and data would potentially go away with Apple Pay.

My point to all of this?  Apple, the credit card companies, and some retailers “get” Apple Pay and how it serves the customers' data.  It's protection at a finger’s touch.  Most importantly, it allows the credit card companies to have an extra layer of security around their pieces of plastic, AND it takes the hook off of the retailers to keep your data secure.  That’s huge.  But the retailers are going to lose your data/privacy info. and can no longer sell it to a marketing firm.  Obviously some retailers don’t care about you personally, but rather, what they can make off of you beyond the merchandise they just sold you.  They want to have their cake and eat it too, at our expense.  Target, Home Depot, Michael’s, etc., are just the start.  This is going to get worse before it ever gets better.  Apple Pay would have limited the bad guys’ efforts and their attack vector.  Now they continue to have multiple areas of attack vs. only a couple.

These retailers' solution is bad, apparently.  I don’t have all the details, or enough to really knock their efforts, but I do know enough about Apple Pay and the Payment Card Industry to know how good it is and that these retailers deliberately preventing Apple Pay is a really, really bad thing.  Technology doesn’t have to come in a shiny new device with curved glass as an interface. Apple Pay was Apple’s biggest innovation since 2007’s iPhone.  Too bad the world has gotten even more greedy since then to try to ruin it.

steve jobs phoneI would love, maybe-enough-to-sell-a-kidney-love, to have ol’ Steve Jobs around, and get his take on the retailers acting like idiots.  His statement would be so candid and brutal, and in a couple dozen words or something.  Tim Cook was too political and “pc” with his public reply to the situation.  Steve would have put companies in their place and made them all look really stupid, all the while getting the press on his side.  If Apple wants to win this, they better be putting that stock pile of cash into some well organized marketing.

The above is ‘my’ understanding of things based off of reading and working in the biz for a while now - and I am probably not 100% correct on every single thing. I ‘want to be wrong’ here.  I want my data to stay safe where it exists, and the safest way is to not have it sitting on some system somewhere that is outside of my control.  Corporations are dumb.  Bad guys are smarter than them.  Here’s a real ignorant statement I heard by someone in my company:  “bad guys aren’t trying to steal your data eight hours a day”.

Um, yeah they are.

Well maybe it’s not eight hours a day, maybe it’s six or maybe it's ten - just not “eight”.  BS.  Bad guys/thieves make their living trying to steal from you.  They have the luxury of thinking of wild ways to get to the data they want, and they are successful.  These people are opportunists and are so much smarter than you and me regarding this because they devote their day to thinking how to penetrate a system.  This field varies in its intelligence.  From the rookie script kiddies to the serious people in organized, or state funded, groups we’ve yet to really uncover.  With Apple Pay, their jobs would potentially be more difficult. Not impossible, but harder.  Walmart pretty much said, "Nope, we know best".  Again, BS.

On a side note, I’m serious when I say this… I’ve seen some really bad stuff in the last year with credit cards.  Not necessarily related to my company - but because I'm in the field, I get data that a lot of people don’t get immediately.  By the time the press will have received the same data, people have already lost interest.  I'm not really afraid of being ‘hacked’, but I know enough how big corporations are handling my data.  The law of statistics are clearly at play.  It is not a matter of “if” your identify will be stolen it is a matter of “when”.  It’s not like Home Depot has my social security number, but the data they have could be enough to ascertain that social security number from somewhere that does.  Stories like in the link are really depressing to me.  Here Apple gave us a model for how NFC should be used and retailers will have nothing to do with it because they lose a limited amount of revenue.  I really hope it doesn't come down to all of us having to pay cash just to play it safe.

That would just suck.

Comments are closed.