Monday, September 9, 2019

Apple Titanium Card

I have been waiting for the delivery of my Titanium Card to be delivered to write this evaluation.  Read it in the context of my last post.  

The card is delivered via FedEx in a large envelope.  There is a return address but it does not say "Apple."  This resists theft of the card in transit.

Inside the FedEx envelope is a tamper evident 4.5" x 6.25" x 0.25" corrugated cardboard package containing the card.  This protects against tampering with or skimming the card in transit.  

While a signature is not required for delivery, one gets a notification of delivery.  This may narrow the window of opportunity for theft from the doorstep.  

Only after receipt does one see the button in the Wallet App to "activate" the card.  This resists any use of the card prior to receipt by the legitimate owner.  

While the owner's name is on the face of the card, the card number, expiration date, and the CVV are not.  While the number is on the magnetic strip, unlike with all other cards, it is different from the number that one would use at an e-commerce site.  Thus, the only way that one might monetize knowledge of the number would be to use it to counterfeit a card.  

Note that any fraudulent use of the number on the stripe will show up immediately on the owner's iPhone so that the transaction can be reported as fraudulent and the number can be reported as compromised.  Skimming the number and counterfeiting a card for one or two uses is a high hurdle.  

The value on the magnetic stripe, provided for backwards compatibility, on a card which will be used sparingly, is a limited vulnerability.  From a security perspective, consumers should prefer Apple Pay (using iPhone of Apple Watch), EMV, manual entry of the number (from the iPhone Wallet App), and swiping the magnetic stripe in that order.  While the magnetic stripe is more convenient than manual entry, many users may never have to use either.  As point of sale devices are modernized, the requirement for any alternative to contactless or "chip" will decline.  

Finally, in the app, one can disable and enable the card.  Thus one can carry the card while mitigating the risk of fraudulent use should it be lost or stolen.  Since I expect the use of the Titanium card to be sparse, mine remains disabled by default.  Others may choose to leave it enabled by default, disabling it only should it be lost or stolen.

The vulnerability of the number on the magnetic stripe is not limited to the Titanium card; so far it is not possible to get any other credit card without this vulnerability.  On the other hand, the Titanium card does not have the vulnerability of having the primary account number, the expiration date, and the CVV on the face.  Therefore, if one is going to carry a credit of debit card with a number in the clear on the magnetic stripe, the Titanium card is the clear favorite.  

(Incidentally, I convinced myself.  I got the Titanium card, intending to put it in the drawer and never carry it.)

No comments:

Post a Comment