I've commented on it under the video already, but in short - yes, it's used to store GPay tokens. "stored in GPay itself" is a very misleading claim. Phones that have secure enclave use that to store payment tokens.
POS terminals are designed to accept credit cards, which I believe use a different tech to encrypt the credit card number and CVV. So how do these terminals directly accept the token from Apple or Google Pay? Unless Apple Pay converts it into the format acceptable to the POS terminal.
GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
Thanks for the informative video. One question as follows. 1. Is this payment scheme the same/almost the same as e-commerce payment, and in that case, does Google Pay use HCE as well? Instead of the NFC controller, what would be the counterpart?
We cut out an entire section on how the Apple Pay and Google Pay buttons work that would have answered your question. In short, with the Google Pay button, the Google web server sends the payment token to the web browser, and from the web browser, the token is forwarded to the Payment Service Provider (PSP) for processing. The Apple Pay button only works in Safari on the Mac. As mentioned in the video, the payment token is only stored in the Secure Element on the phone. Once the phone authorizes the web payment, the payment token is sent from the phone to the apple server securely, the apple server re-encrypts the token with the developer's encryption key before sending it from the apple server to the developer (or their payment processor).
@@ByteByteGo That's correct. Also just to bring in the Apple Pay on the web flavor where you can pay using your MACBOOK (as long as you have the biometric sensor on your MAC). With earlier versions of Apple Pay only your phone would act as a payment source and Apple would create a DAN only for your iPhone (6 and above); with the release of MACs with biometrics you can use your MACBOOK as a payment source and now your MACBOOK will have its own DAN. One thing to notice is Apple Pay is only available if you are using SAFARI and not other browsers.
Does this system work for blocking a sum of money on the card (for instance a hotel/car rental pre-authorization)? Or does it support getting money back, in case of a product return or due to some error during the payment? These work with the card.
A pre-authorization is only valid for 3 weeks (Visa/Master Card) or 7 days (American Express/Discover). If an authorization number obtained from the bank isn't "captured"/offlined/forced by the POS/Terminal, the funds are automatically refunded to the card holder after the set time limit has expired. If a payment has been captured and needs to be refunded, generally the sponsor bank will allow for a refund to be performed, as most refunds are made blindly and can be interpreted by the bank's servers. Interestingly enough, while you can close out a pre-authorization amount for a higher amount, you generally cannot recharge a contactless card number. Since a new transaction needs to obtain an authorization number, generally the bank will produce a host code 05 decline response if recharged.
@@ContraVsGigi It's not actually a problem, no. What's stated above applies to just about ALL credit/debit card transactions, not just contactless transactions. About the only difference is that with a regular credit card the business can call the card processor and get the full credit card number and expiration date to rerun it (for example, if one of the employees accidentally undercharges the transaction by X amount.) Otherwise it's pretty much the same process. Plastic card/Apple Pay/Google Pay/Samsung Pay, it doesn't matter. About the only card type that doesn't follow these rules are card numbers that are generated to be run for a very specific amount. (There are a few exceptions of course, but for 98% of all card transactions this is the case.)
@@Coonotafoo Thank you for the answers. I am curious as I think these phone&online systems use also some virtual cards, so the bank/visa&co. would not know how to pair the virtual card and the actual one. I have no idea how they work.
@@TheCommunicationCoach Create your own video, make posts around social media like Reddit exposing your findings. Hijacking comments won't get you far; I tell you I don't care about your particular problem.
Does it work differently in European countries with IBAN? For example when Apple Pay was released in The Netherlands, terminals didn’t need to be replaced or software update, as long as it had NFC. It just worked. I was on vacation in USA, at Walmart I used Apple Pay and the employee looked surprised at me because apparently they don’t support it. But somehow it worked.
No, it doesn't work differently. I'm no expert but I believe IBANs are used specifically for routing funds transfers to the correct bank and account number, whereas with the concepts in this video the routing is done through the Visa/Mastercard/Amex networks to connect financial institutions at POS; then those respective banks handle account routing internally.
nah it's only walmart and ig a few other stores that don't accept apple pay and that's because they have walmart pay or some shit to collect data from their customers
Your iPhone literally just mimics your card. So as long as a place accepts NFC *card* payments, you can pay with your iPhone. I’m not sure if Walmart accepts those though as I’m not from the US. What I get from this video is that maybe European cards get handled differently by the banks themselves (Walmart might be able to block Apple Pay if a card from an American bank is linked to it). Greetings from Luxembourg btw ;^)
I think one part that was not clarified / explained was how the cryptogram comes into play during payment to ensure that the card and the transaction are genuine.
- Do Apple Pay and GPay work for all POS terminals that already accept contactless cards?
- How can Apple Pay and GPay communicate with an EMV reader? As I see from the video, they only store the DAN (Device Account Number)?
4:00 this is actually not right. The token never leaves your phone. It works kinda like TOTP so like your authenticator app. The six digits are NOT the private key.
Not sure about Apple, but Google Pay has horrible customer service. Added an address, the payment profile was suspended and I got an email asking for additional information. Provided the information, immediately received an email citing COVID as the reason for delayed responses, which is just ridiculous at this point. That was two weeks ago and I still haven't received any update. I sure wouldn't want to rely on them.
I think that's a big difference between Apple and Google. Apple will NEVER email you asking for information; in this case, if it were to happen, you would be prompted with an error forcing you to call them or schedule an appointment to be called back. No information is ever transferred between customer and Apple through email. Also, almost everything you do in regards to Apple goes through 2FA to ensure it's really you using it, so changing addresses and information that be authenticated
They lie and deny all day!! GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
@@electricz3045 That was only one example. I have couple more, but what's the point. And, by the way, for that example I managed, they only answered 3(!) months later.
does this mean that at any point of time, Google or Apple could use our token to authorize transactions on our behalf, even ones not directly authorized by us?
yes, of course. And a bank could do that too. It's all relying on your trust in these entities to not screw you. One redeeming point is that if Apple or Google faked transactions, they would still appear in your bank statement so you could refute them (which would end up looking really bad for Apple / Google over time and the bank would drop them, crippling their business, so it's really not in their best interest to screw you over).
YES, and here's proof!! GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
google pay now goes by google wallet except in the us and Singapore, where they have GPay AND Google Wallet, which work together. there is then India, which only has GPay
How is it possible then to pay via Apple Pay when your device has no connection to the Internet? Maybe I didn't understand everything, but it would be nice to know :)
Does this mean you cannot use Google Pay without an internet connection as it will have to retrieve the token from the cloud? Apple Pay is usable even without an internet connection I believe, correct me if I’m wrong.
Google Pay stores the payment token in the wallet app on the device and communicates over NFC with the POS terminal using Host Card Emulation. It does not require an internet connection.
Wouldn’t it be more secure if a new token was generated and sent to the phone each time a transaction is made? This way, a malicious POS terminal won’t be able to record the info for reuse. Please correct me if I am missing something.
Would it be more secure? Sure, but there’s not a lot of point. Firstly, the process is plenty encrypted and you’ll rarely see an attack of that type because of it. Second, issuing a new token every time would take a lot more time at the time of purchase. They use temporary authorizing codes that change between purchases so that covers that potential for intercepting the info for unauthorized additional purchases, like a new cvc code per purchase. That’s the equivalent to why change the entire safe when you could just change the lock. Third and probably most important, these services need to be able to work offline. If you’re deep in rural country and you need to pay at the corner store which somehow has tap to pay, you can’t be SOL because you don’t have the phone signal to receive a new token. Also if you have a limited data plan, you want to be able to make purchases even if you have your data turned off. All these companies want to get to the point where your digital wallet replaces your physical one, and that can’t happen if you have to rely on having signal to use it. It would be overkill and really inconvenient!
2:24 - Secure Element? I was under the impression it was called the Secure Enclave. Please clarify. In either case, great video. I always enjoy your work.
I think the secure enclave is a part of the M-series chips found in Mac and some iPad models. They may not be related necessarily, but probably some of the secure element development techniques can be found in the M-series
@@Kamroks455 No no. The Secure Enclave Processor (SEP) predates the M-series chips by at least 6 years. The SEP has been the cornerstone of the Apple Pay system architecture since day one.
@@Kamroks455 By the way, not only is the SEP its own distinct chip that long predates the M-series chips but it runs its own proprietary OS literally called sepOS. And I’ve since independently confirmed that it is definitely Secure Enclave and NOT Secure Element. Apple Patent US8832465B2.
@@robertholtz I think you have a slight misunderstanding throwing you off. Most Apple mobile devices have a secure element. Apple has called it the Secure Enclave. Pixel 6 devices have a secure element. Google calls it the Tensor Security Core. It’s the vague terminology. A secure element is a chip that is by design protected against unauthorized access and is limited to storing and utilizing sensitive data, like biometrics. He’s talking about the Secure Enclave but it’s a secure element, so he’s not wrong. You’re right too though, it is the Secure Enclave.
It's my understanding that Google keeps the payment info because you can use Google Pay without your phone to check out from participating vendors. How does Apple participate in website checkout as an option if they don't store the token as Google does?
They don’t, not in the same way. If you aren’t accessing the site on an apple device using safari, then that button won’t appear for Apple Pay at all. From there, you can only use Apple Pay on devices that have a Secure Enclave with iPhone, iPad, and Apple Watch which it’s been a while so most in the wild apple devices have one. For Macs that have Secure Enclave, it works the same way. With Macs before 2012 that don’t, it will send the payment request to your iPhone or Apple Watch which will process the transaction for the Mac once you authenticate with FaceID or whatever. If you add a card to your apple wallet, it doesn’t automatically sync to your other devices. When setting up, it’ll ask if you want to add to your Apple Watch too and if you say yes, it will run the process to add it to your Apple Watch separate from the iPhone’s wallet add. If you want to add the card to your Mac, you do that locally on the Mac. The purpose is that none of this information is stored in the cloud or communicated without your permission, it’s all local on the respective Secure Enclave.
I prefer Apple's method. I detest Google's method. The fact that google sits b/w point of sale and phone means that they can track transactions for ads
Are you sure phone hands off “The Token” ? That would make it vulnerable to pretend POS units that harvest tokens. It probably generates a time bound token and signs it with a private key that it stores.
Yes, the phone hands the token off to the POS terminal over NFC. There are two contactless standards currently used. EMV contactless is newer and more advanced. It uses something called "cryptogram" to safeguard the information. MSD contactless mimics a magnetic card. It is slightly better than straight magnetic card because the CVV is dynamically generated. Look up EMV and MSD contactless if you would like to learn more.
@@ByteByteGo thanks, the question here is not the safety of transmission of the token, but trust in the vendor that they would not store the token. Any reasonable security system would not transmit such a security element to a third party; the general practice is to generate something temporary and add a trust mechanism, in this case by signing it with the private key provided by the payment provider. Basically the OAuth 2 or JSON Web Token concept.
As we mentioned in the previous reply, we encouraged you to look up EMV contactless specification if you want to learn more about how it secures the payment token and its associated information. The idea is very similar to what you are talking about.
@@ByteByteGo The detail about EMV cryptograms is totally glossed over in the video but I feel it's important to why EMV is more secure than legacy magstripe payments. During device provisioning, the device receives in addition to the DAN some cryptographic keys that are used to encrypt the data sent over NFC to the terminal. During a transaction, the cryptogram sent from the device to the terminal includes the DAN and a unique transaction identifier provided by the terminal. In addition to protecting the confidentiality of the DAN, this prevents replay attacks if a malicious actor intercepted the NFC transmission, since the cryptogram will not be able to be used for a different transaction in the future. This is a key benefit of EMV over legacy magnetic stripe card payments which were highly susceptible to "skimmers": since the data on the magstripe was static, a copy of it could be used for future fraudulent transactions without the original card being present. The video implies that only the DAN is sent from the device to the POS terminal. If this were the case, the same sort of replay attack that's possible with magstripe cards would also be possible with EMV chip cards and digital wallets.
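The replay-protection argument in the comment above (and the earlier exchange about handing the token to a rogue terminal), as an added worked model that is not from the video, the commenter or any EMV implementation: the provisioned device key, the terminal's unpredictable number and the device's transaction counter (ATC) are modelled with HMAC-SHA256 in place of EMV's own key derivation and MAC algorithms, the token BIN `490000` and the PAN `4111111111111111` are constructed placeholders, and `TokenServiceProvider`, `Device` and `Terminal` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: a well-known test PAN, not a live card.
SAMPLE_PAN = "4111111111111111"


def luhn_checksum_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn check (tokens look like real PANs)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # positions that get doubled once a check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def cryptogram(key: bytes, dan: str, amount: int, atc: int, un: bytes) -> bytes:
    """Simplified application cryptogram: a MAC binding the DAN to this exact transaction."""
    msg = f"{dan}|{amount}|{atc}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Device:
    """Phone (or card) side: holds the DAN and the per-device key, never the real PAN."""
    dan: str
    key: bytes
    atc: int = 0            # application transaction counter, increments per tap

    def respond(self, amount: int, un: bytes) -> dict:
        self.atc += 1
        return {"dan": self.dan, "amount": amount, "atc": self.atc, "un": un,
                "cryptogram": cryptogram(self.key, self.dan, amount, self.atc, un)}


class TokenServiceProvider:
    """Issuer-side vault: the only place the DAN -> real PAN mapping exists."""

    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}

    def provision(self, real_pan: str) -> Device:
        # "490000" is a constructed placeholder token BIN, not a real one.
        body = "490000" + "".join(str(secrets.randbelow(10)) for _ in range(9))
        dan = body + luhn_checksum_digit(body)
        key = secrets.token_bytes(32)          # per-device key delivered at provisioning
        self._vault[dan] = {"pan": real_pan, "key": key, "last_atc": 0}
        return Device(dan, key)

    def authorize(self, req: dict) -> str:
        entry = self._vault.get(req["dan"])
        if entry is None:
            return "DECLINE:unknown-token"
        expected = cryptogram(entry["key"], req["dan"], req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE:bad-cryptogram"      # wrong key, altered amount, or foreign nonce
        if req["atc"] <= entry["last_atc"]:
            return "DECLINE:replay"              # counter already seen: a captured request
        entry["last_atc"] = req["atc"]
        # Only now is entry["pan"] used, to post the charge to the real account.
        return "APPROVE"


class Terminal:
    """POS side: contributes a fresh unpredictable number and forwards the request."""

    def __init__(self, tsp: TokenServiceProvider) -> None:
        self.tsp = tsp
        self.captured: list[dict] = []           # what a rogue terminal could retain

    def tap(self, device: Device, amount: int) -> str:
        un = secrets.token_bytes(4)
        response = device.respond(amount, un)
        self.captured.append(response)
        return self.tsp.authorize(response)

    def present_captured(self, captured: dict) -> str:
        """A second terminal re-presenting an old response under its own nonce."""
        return self.tsp.authorize(dict(captured, un=secrets.token_bytes(4)))


def demo() -> dict:
    tsp = TokenServiceProvider()
    phone = tsp.provision(SAMPLE_PAN)
    shop = Terminal(tsp)
    results = {"first_tap": shop.tap(phone, 1250), "second_tap": shop.tap(phone, 399)}
    old = shop.captured[0]
    results["replay_same_request"] = tsp.authorize(old)          # stale ATC
    results["replay_new_terminal"] = Terminal(tsp).present_captured(old)  # nonce mismatch
    results["tampered_amount"] = tsp.authorize(dict(old, amount=1))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

A magstripe-style static token would pass all three of the failing cases, which is the difference the comment describes.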
One advantage about Apple Pay (besides security and privacy) is that you don't have to be connected to the internet once the card is connected to your phone. While Google Pay you have to have internet
I believe Apple and Google monetize the transaction differently. (i.e. how they are paid for each transaction). Please speak to this as data security is clearly most people's principal concern.
GPay token is definitely stored on Google servers as it allows you to pay online with a Google account, e.g. on a PC.
Doesn’t Apple also have Wallet on Mac though?
@@aame6643 I think so, yes. So they must transmit the token to the Mac, too.
@@aame6643 They may store the encrypted tokens on iCloud to transfer between devices.
Never mind, to use it on Mac you need to verify using the PIN number, which btw is also the case when using Apple Pay on the watch.
So the token definitely isn’t stored on their servers.
Cards that you add directly on the device are not added to your Google account. Just recently I've encountered this after wanting to pay online with a card added on my phone and it wasn't in the list.
I was informed by a GPay representative in Malaysia that GPay and Google Wallet are 2 separate things. Both might be offered in your country, or just one of them, or none at all. Google Wallet is where you store your credit card info, passes, tickets, or anything that could be synced with it. GPay is where the payment takes place.
Okay several followup questions:
1. What's the difference between the token used by iOS vs Android? You mentioned Apple Pay uses a DAN while Google Pay uses a DPAN, but never really clarified how they differ.
2. If this token is a secret, then why does the device provide the payment token to the PoS during checkout? Wouldn't that be vulnerable to a compromised PoS or MitM attack?
3. This feels like an ideal use case for public key cryptography. Why not have the bank issue a private key to each device for payment authorization, and then the payment authorization flow would just involve signing the transaction with the private key?
That is how I would imagine it would work. The private key would be stored in the device; tokens are generated and signed with that key, with the addition of an expiration date and perhaps a vendor id, so if it is stolen it is useless.
Thank you for the questions.
For 1, we don't think the exact token specification is that interesting. The payment token is a proxy for the actual card number, and it is tied to the device. The sensitive part is the mapping from the token to the card number, and it is stored in the token service provider.
For 2 and 3, if you are interested, look up the EMV contactless specification. It uses cryptography to safeguard the token between the card (in this case, the phone emulating the card) and the card issuer. It is similar to how a credit card with a chip works. There's quite a bit of complexity. The general idea is roughly the same as what you suggested.
For one, I suspect the DAN in apple is linked to the device, thus only allowing payment requests to be made through that specific device where it is stored whereas in GPay, it's not and stored on the cloud and allows payment from a web based google account as mentioned in comment above ?
For clarity, the token is just a normal card number, 16 digits, specific bins, just not the real card.
clear and concise. the video seemed like it contained more content than just 6 min. Very well recorded. Thanks a ton
Note 4.21 : From the POS Terminal it will go to Visa / MasterCard (it is a Network of Networks). The POS terminal is not meant to keep all the merchant bank details; it just forwards the Auth request to the respective Card Network provider. Visa/MasterCard then takes the PAN / DAN, does the lookup to identify the BIN and forwards it to the respective Issuing bank (cardholder bank) to do the Auth. Now the Issuing bank gives either an Approve/Decline response.
Google's implementation makes sense considering not all Android manufacturers are willing to add an additional chip due to cost.. this way they can provide the service to any customer with a phone that has an NFC chip without compromising the security due to lack of a dedicated chip..
Apple haters always find a way to describe shit as a better alternative.
@@TheMrMerudin Let me guess, in the sterile isolated bubble of Apple, they probably marketed the about to be implemented USB Type-C as some sort of revolutionary technology invented by Apple.
@@MetoF50Narliev Let me guess, you never had more than an Apple device at home. Everything connects instantly and easily; if you want to pass a file from your phone to your computer you can just use AirDrop and that's it, or iCloud. On Android you need to install something like WhatsApp or Telegram or Discord, log in, and then you can pass something (with limits) to your PC. AirPods work with EVERYTHING: iPhone, iMac, MacBooks and iPads. Calls and messages are synced on every device, so you always have your stuff with you. Even HomePod is perfectly connected with Apple Music and your other devices. Apple Watch transfers fitness information to everything you have so you won't miss anything, even calls or messages. Even the fucking Magic Mouse is beautifully connected across nearby devices so you don't have to plug and unplug (or buy more) your SAME MOUSE every time you have to work on stuff.
Sterile? Isolated? Try to do this stuff on Android.
@@TheMrMerudin at what point does one use their brain to get something done then?
@@TheMrMerudin So if I use a PC under Windows/Linux then buying an iPhone is a mistake 'cause many cool features (that were paid for) will work only with other Apple devices? Sheesh
Tokens:
PAN = Primary Account Number
DAN = Device Account Number
PAN (from device) => BANK => DAN (to device)
can you also compare samsung pay? i know its a little different than google pay but i want to know what exactly
Do you still need that answered? If so, I might be able to give some insight. From what I've read (doing a lot of that lately), Samsung Pay is kind of a hybrid approach. It still uses Samsung servers, can sync with them (to back up that financial data), but the token is saved on the device (like Apple) by default. It uses the Knox secure environment to keep your details safe. It's why only Samsung devices have Samsung Pay.
Can you please make a video about how India's UPI works?
How is it different from tokenization, as there are no credit or debit cards needed?
That was a neat explanation. I didn’t know there was a chip in iPhones dedicated to payment. Considering how Android must run on several devices, it makes sense that Google Pay uses other methods 🧐🤔
Apple develops their own hardware such as SoC chips and iOS, so it is easier for them to make it even more secure than Android, as there are too many different phone manufacturers using different types of hardware chips and most of them might not want to spend more time on development for these, as the chips are not made by the phone manufacturers themselves but by Qualcomm and MediaTek, except Huawei, Google and Samsung phones using their own SoC.
GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
Very interesting. Can you make another video about the registering process of both as well since they are quite different (afaik Apple uses in-app provisioning).
Thank you for a brilliant video.
If a user is using a merchant web interface to purchase online using Apple Pay / Google Pay, would the same tokenization process and DPAN / DAN creation apply?
Gpay works with UPI in India, should have mentioned it.
In India, GPay is used mostly for UPI, not for card payments.
That's due to a limitation imposed by RBI regarding storing debit card information
Gpay is different in India.
If Apple stores tokens in the device's secure element and does not store them in the cloud, how are my cards added on iPhone available on Mac?
Plz also make a video on the following topics:
1). How does Cloud Computing work?
2). How does AI work?
3). Fundamentals of ML
4). How do Siri/ Alexa work?
5). How does Whatsapp, Messenger work?
Ever heard of reading? You are asking for information which is for people who need to know and you don't need to know, otherwise, you would know it by now.
@@eglintonflats lol okay, who hurt you!
I wonder what the Titan M2 Security Chip (built-in Pixel 6 and 7 Series) is doing then, when the payment token is stored in GPay itself.
Stores biometrics and other personal AI features. I wanna believe it is also involved in the Google Wallet app.
GPay is available for all Android phones, not just Pixel, and at the moment there isn't a large enough userbase of Pixel phones for Google to consider device-specific changes in GPay functioning.
I've commented on it under the video already, but in short - yes, it's used to store GPay tokens. "stored in GPay itself" is a very misleading claim. Phones that have secure enclave use that to store payment tokens.
Google Wallet was initially released in May 2011.
Apple Pay was initially released in October 2014.
POS terminals are designed to accept credit cards, which I believe use a different tech to encrypt the credit card number and CVV. So how do these terminals directly accept the token from Apple or Google Pay? Unless Apple Pay converts that into the format acceptable to the POS terminal.
The phone talks to the POS terminal over NFC. Look up EMV contactless if you would like to learn more.
It was interesting to learn about it.
Thanks!
Wonder if you could do a piece on how hardware attestation works.
Thanks for the informative video. One question, as follows.
1. This payment scheme is the same/almost the same as e-commerce payment and, in that case, does Google Pay use HCE as well? Instead of the NFC controller, what would be the counterpart?
We cut out an entire section on how the Apple Pay and Google Pay buttons work that would have answered your question.
In short, with the Google Pay button, the Google web server sends the payment token to the web browser, and from the web browser, the token is forwarded to the Payment Service Provider (PSP) for processing.
The Apple Pay button only works in Safari on the Mac. As mentioned in the video, the payment token is only stored in the Secure Element on the phone. Once the phone authorizes the web payment, the payment token is sent from the phone to the apple server securely, the apple server re-encrypts the token with the developer's encryption key before sending it from the apple server to the developer (or their payment processor).
@@ByteByteGo That's correct. Also just to bring in the Apple Pay on the web flavor, where you can pay using your MacBook (as long as you have the biometric sensor on your Mac).
With earlier versions of Apple Pay only your phone would act as payment source and Apple would create a DAN only for your iPhone (6 and above); with the release of Macs with biometrics you can use your MacBook as a payment source and now your MacBook will have its own DAN.
One thing to notice is Apple Pay is only available if you are using Safari and not other browsers.
Does this system work for blocking a sum of money on the card (for instance a hotel/car rental pre-authorization)? Or does it support getting money back, in case of a product return or due to some error during the payment? These work with the card.
A pre-authorization is only valid for 3 weeks (Visa/Mastercard) or 7 days (American Express/Discover); if an authorization number obtained by the bank isn't "captured"/offlined/forced by the POS/terminal, the funds are automatically refunded to the card holder after the set time limit has expired. If a payment has been captured and needs to be refunded, generally the sponsor bank will allow for a refund to be performed, as most refunds are made blindly and can be interpreted by the bank's servers. Interestingly enough, while you can close out a pre-authorization amount for a higher amount, you generally cannot recharge a contactless card number. Since a new transaction needs to obtain an authorization number, generally the bank will produce a host code 05 decline response if recharged.
@@Coonotafoo So there are problems also with using the card wirelessly. Do all these work when you use Google Pay / Samsung Pay / Apple Pay?
@@ContraVsGigi It's not actually a problem, no. What's stated above just about applies to ALL credit/debit card transactions, not just contactless transactions. About the only difference is that with a regular credit card the business can call the card processor and get the full credit card number and expiration date to rerun it (for example, if one of the employees accidentally undercharges the transaction by X amount.) Otherwise it's pretty much the same process. Plastic card/Apple Pay/Google Pay/Samsung Pay, it doesn't matter. About the only card type that doesn't follow these rules are card numbers that are generated to be run for a very specific amount. (There's a few exceptions of course, but for 98% of all card transactions this is the case.)
@@Coonotafoo Thank you for the answers. I am curious as I think these phone&online systems use also some virtual cards, so the bank/visa&co. would not know how to pair the virtual card and the actual one. I have no idea how they work.
Great video. What software do you use for animation?
Adobe After Effects and Adobe Illustrator.
Does the Google Pay system function the same way on Pixel devices as it does other Android devices? Doesn’t the Titan M handle tokens like this?
This channel is golden! Please keep making those videos.
GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
@@TheCommunicationCoach File a complaint to the federal trade commission. What do you expect from me dude.
@@DarkGT From you? Nothing. My only goal was to pass on information, and that's done.
@@TheCommunicationCoach Create your own video, make a posts around the social media like Reddit exposing your findings. Hijacking comments won't get you far, I tell you I don't care about your particular problem.
@@DarkGT Like I care any less about you or yours. You want to be spied on and info stolen? GL with that, so stop bothering me.
Does it work differently in European countries with IBAN? For example when Apple Pay was released in The Netherlands, terminals didn’t need to be replaced or updated, as long as they had NFC. It just worked. I was on vacation in the USA, at Walmart I used Apple Pay and the employee looked surprised at me because apparently they don’t support it. But somehow it worked.
No, it doesn't work differently. I'm no expert but I believe IBANs are used specifically for routing funds transfers to the correct bank and account number, whereas with the concepts in this video the routing is done through the Visa/Mastercard/Amex networks to connect financial institutions at POS; then those respective banks handle account routing internally.
Nah, it's only Walmart and ig a few other stores that don't accept Apple Pay, and that's because they have Walmart Pay or some shit to collect data from their customers.
I think Walmart is an exception. It’s the only store I ever went to which Apple Pay didn’t work with the card terminal
@@SupernovaDragon77 He clearly said it worked for him, even at Walmart.
Your iPhone literally just mimics your card. So as long as a place accepts NFC *card* payments, you can pay with your iPhone. I’m not sure if Walmart accepts those though as I’m not from the US. What I get from this video is that maybe European cards get handled differently by the banks themselves (Walmart might be able to block Apple Pay if a card from an American bank is linked to it). Greetings from Luxembourg btw ;^)
I think one part that was not clarified / explained was how cryptogram comes into play during payment to ensure that the card and the transaction is genuine.
Yes, I was also left wishing for this information.
- Do Apple Pay and GPay work for all POS terminals that already accept contactless cards?
- How can Apple Pay and GPay communicate with an EMV reader? As I see from the video, they only store the DAN (Device Account Number)?
4:00 this is actually not right. The token never leaves your phone. It works kinda like TOTP so like your authenticator app.
The six digits are NOT the private key.
Awesome....something learned today :)
Interesting. How do you know this stuff?
Not sure about Apple, but Google Pay has horrible customer service. Added an address, the payment profile was suspended and I got an email asking for additional information. Provided the information, immediately received an email citing COVID as the reason for delayed responses, which is just ridiculous at this point. That was two weeks ago and still haven't received any update.
I sure wouldn't want to rely on them.
I think that's a big difference between Apple and Google. Apple will NEVER email you asking for information; in this case, if it were to happen, you would be prompted with an error forcing you to call them or schedule an appointment to be called back. No information is ever transferred between customer and Apple through email. Also, almost everything you do in regards to Apple goes through 2FA to ensure it's really you using it, so changing addresses and information that be authenticated
Hmm, so because you had an issue with Google, it makes their whole customer support bad? Never had issues with Google support.
They lie and deny all day!! GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
@@electricz3045 That was only one example. I have a couple more, but what's the point. And, by the way, for that example I mentioned, they only answered 3(!) months later.
@@markus.schiefer Google is a big company with a lot of users who want support so it's obvious that it takes time to answer questions.
Is Samsung Pay more similar to Google's or Apple's implementation?
Great follow up to a Reddit post I saw recently!
It really worked for me after I looked at and tried some tutorials; yours is the one that worked. Owe you a lot.
does this mean that at any point of time, Google or Apple could use our token to authorize transactions on our behalf, even ones not directly authorized by us?
Yes, of course. And a bank could do that too. It's all relying on your trust in these entities to not screw you. One redeeming point is that if Apple or Google faked transactions, they would still appear in your bank statement so you could refute them (which would end up looking really bad for Apple / Google over time and the bank would drop them, crippling their business, so it's really not in their best interest to screw you over.)
YES, and here's proof!! GOOGLE does more than just "spy" on us. Every time I make a payment online, Google invades my privacy and steals the card information and sets it up on Google Pay when it has NOTHING TO DO with GOOGLE!! This has happened six times in the past month, and I've reported them!
Thank you
What about Samsung Pay? What is the difference between them?
Wow, thank you for such detailed and good information.
Pushing the algorithm ❤️❤️
What happens if someone steals the token? Can they use it to make a purchase?
Google Pay now goes by Google Wallet except in the US and Singapore, where they have GPay AND Google Wallet, which work together. There is then India, which only has GPay.
very interesting. Now I understand
I love your videos. What program are you using to create animations?
Adobe After Effects and Adobe Illustrator. Our editors get all the credit, though. :)
Samsung Pay? How is their implementation in comparison to Apple’s and Google’s??
How is it possible then to pay via Apple Pay when your device has no connection to the Internet?
Maybe I didn't understand everything, but it would be nice to know :)
Can you turn the volume up a bit please? It's quite a bit lower than other YouTube vids.
I don’t know how it looks now, but several years ago (6?) Google Wallet required entering a PIN on the POS terminal. Apple Pay didn't require it.
Can you please make a video on Samsung Pay..... I wanna know how it works.
Very good video, thank you. How do you make your animations?
It seems like you can pay with Apple Pay without internet, and not with Google since it's dealing with the cloud. Can you confirm?
What tool was used to create the animation on this video?
Does this mean you cannot use Google Pay without an internet connection as it will have to retrieve the token from the cloud?
Apple Pay is usable even without an internet connection I believe, correct me if I’m wrong.
Google Pay stores the payment token in the wallet app on the device and communicates over NFC with the POS terminal using Host Card Emulation. It does not require an internet connection.
@@ByteByteGo thank you very much for the enlightenment!
Wouldn’t it be more secure if a new token was generated and sent to the phone each time a transaction is made? This way, a malicious POS terminal won’t be able to record the info for reuse.
Please correct me if I am missing something
Would it be more secure? Sure, but there’s not a lot of point.
Firstly, the process is plenty encrypted and you’ll rarely see an attack of that type because of it.
Second, issuing a new token every time would take a lot more time at the time of purchase. They use temporary authorizing codes that change between purchases so that covers that potential for intercepting the info for unauthorized additional purchases, like a new cvc code per purchase. That’s the equivalent to why change the entire safe when you could just change the lock.
Third and probably most important, these services need to be able to work offline. If you’re deep in rural country and you need to pay at the corner store which somehow has tap to pay, you can’t be SOL because you don’t have the phone signal to receive a new token. Also if you have a limited data plan, you want to be able to make purchases even if you have your data turned off. All these companies want to get to the point where your digital wallet replaces your physical one, and that can’t happen if you have to rely on having signal to use it. It would be overkill and really inconvenient!
Good info.. thanks
What tool do you use for architecture diagram design?
What is the flow for Google and apple pay over web browser?
You mean a web payment?
@@Hi-db5cd yep, my understanding is that a 3rd party payment gateway needs to be involved
Maybe it's just me, but I sometimes have no internet and can pay with Google Wallet in flight mode? There's no communication then with the servers?
THANKS FOR THIS INFORMATIVE VIDEO
Very good quality explanation
how about paying offline?
I was once in an underground store with no reception, and Google pay worked fine.
will Apple pay work the same?
Just googled and found that G Pay came first, in May 2011, whilst Apple Pay was released in Oct 2014.
That was called Google Wallet back then.
I love your content you should get millions.
Does not work on sites that use 3D Secure by Visa etc.
Does this in any way obsolete Visa or Mastercard payments networks, or are they simply using Visa and Mastercard?
Also, could they bypass Visa/Mastercard in the future and if so, how?
2:24 - Secure Element? I was under the impression it was called the Secure Enclave. Please clarify. In either case, great video. I always enjoy your work.
I think the Secure Enclave is a part of the M-series chips found in Mac and some iPad models. They may not be related necessarily, but probably some of the secure element development techniques can be found in the M-series.
@@Kamroks455 No no. The Secure Enclave Processor (SEP) predates the M-series chips by at least 6 years. The SEP has been the cornerstone of the Apple Pay system architecture since day one.
@@Kamroks455 By the way, not only is the SEP its own distinct chip that long predates the M-series chips but it runs its own proprietary OS literally called sepOS. And I’ve since independently confirmed that it is definitely Secure Enclave and NOT Secure Element. Apple Patent US8832465B2.
@@robertholtz I think you have a slight misunderstanding throwing you off. Most Apple mobile devices have a secure element. Apple has called it the Secure Enclave. Pixel 6 devices have a secure element. Google calls it the Tensor Security Core. It’s the vague terminology. A secure element is a chip that is by design protected against unauthorized access and is limited to storing and utilizing sensitive data, like biometrics. He’s talking about the Secure Enclave but it’s a secure element, so he’s not wrong. You’re right too though, it is the Secure Enclave.
Nice video. Please make a similar one on Samsung Pay.
It means Google Pay can't support offline transactions?
It's my understanding that Google keeps the payment info because you can use Google Pay without your phone to check out from participating vendors.
How does Apple participate in website checkout as an option if they don't store the token as Google does?
They don’t, not in the same way. If you aren’t accessing the site on an Apple device using Safari, then that button won’t appear for Apple Pay at all. From there, you can only use Apple Pay on devices that have a Secure Enclave, with iPhone, iPad, and Apple Watch, which it’s been a while, so most in-the-wild Apple devices have one. For Macs that have a Secure Enclave, it works the same way. With Macs before 2012 that don’t, it will send the payment request to your iPhone or Apple Watch, which will process the transaction for the Mac once you authenticate with Face ID or whatever. If you add a card to your Apple Wallet, it doesn’t automatically sync to your other devices. When setting up, it’ll ask if you want to add it to your Apple Watch too and if you say yes, it will run the process to add it to your Apple Watch separately from the iPhone’s wallet add. If you want to add the card to your Mac, you do that locally on the Mac. The purpose is that none of this information is stored in the cloud or communicated without your permission; it’s all local on the respective Secure Enclave.
Interesting! Thanks
ngl i much prefer apple pay cuz it requires the user to authorise it rather than just popping up whenever you tap it against a terminal
How about phonepe? Is it same as GPay?
Can't you pay contactless with a bank app?
Great video! Thanks for sharing the light of knowledge.
0:57 Actually, Google Wallet started as far back as 2011.
I prefer Apple's method. I detest Google's method. The fact that google sits b/w point of sale and phone means that they can track transactions for ads
Google Wallet's first appearance was in September 2011.
The VISA token service started only in 2014. So Wallet couldn't use it yet. 🤷♂
@@tamaskiss6379 yet, people still could use Google Wallet to pay via NFC 😉
The main thing here is: which is safer?
Can PoS steal the payment token?
Is blockchain technology used to get those tokens or is this a completely different method?
It has nothing to do with blockchain
Fantabulous, what software do you use for your animations?
Adobe After Effects and Adobe Illustrator.
5:11 That will not happen at all times since Google Pay still works without an Internet connection by saving 10 or 20 tokens on device.
Google Wallet was released before 2014; they were doing mobile payments before Apple. Also, don't forget Samsung Pay.
How about Samsung Pay?
I can't find you
Does Google get paid by the bank for each transaction?
Google Wallet definitely started years before Apple Pay. I believe in 2011.
What about Samsung Pay?
Are you sure phone hands off “The Token” ? That would make it vulnerable to pretend POS units that harvest tokens. It probably generates a time bound token and signs it with a private key that it stores.
Yes, the phone hands the token off to the POS terminal over NFC.
There are two contactless standards currently used.
EMV contactless is newer and more advanced. It uses something called "cryptogram" to safeguard the information.
MSD contactless mimics a magnetic card. It is slightly better than straight magnetic card because the CVV is dynamically generated.
Look up EMV and MSD contactless if you would like to learn more.
@@ByteByteGo Thanks. The question here is not the safety of transmission of the token, but trust in the vendor that they would not store the token; any reasonable security system would not transmit such a security element to a third party. The general practice is to generate something temporary and add a trust mechanism, in this case by signing it with the private key provided by the payment provider. Basically the OAuth 2 or JSON Web Token concept.
As we mentioned in the previous reply, we encouraged you to look up EMV contactless specification if you want to learn more about how it secures the payment token and its associated information. The idea is very similar to what you are talking about.
@@ByteByteGo The detail about EMV cryptograms is totally glossed over in the video but I feel it's important to why EMV is more secure than legacy magstripe payments.
During device provisioning, the device receives in addition to the DAN some cryptographic keys that are used to encrypt the data sent over NFC to the terminal. During a transaction, the cryptogram sent from the device to the terminal includes the DAN and a unique transaction identifier provided by the terminal. In addition to protecting the confidentiality of the DAN, this prevents replay attacks if a malicious actor intercepted the NFC transmission, since the cryptogram will not be able to be used for a different transaction in the future. This is a key benefit of EMV over legacy magnetic stripe card payments which were highly susceptible to "skimmers": since the data on the magstripe was static, a copy of it could be used for future fraudulent transactions without the original card being present.
The video implies that only the DAN is sent from the device to the POS terminal. If this were the case, the same sort of replay attack that's possible with magstripe cards would also be possible with EMV chip cards and digital wallets.
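The reuse concern raised earlier in this thread (a malicious terminal recording what the phone sends and presenting it again) and the cryptogram explanation in the comment above come down to the same mechanism, so here is one added example, written for this page and not code from the video or from any real wallet, that models it in Python. It has a token service provider that holds the only DAN-to-PAN mapping plus a per-device key, a device that binds every tap to its application transaction counter (ATC) and the terminal's unpredictable number (UN), and an issuer check that declines a captured message when it is replayed at another terminal, replayed verbatim, or altered in amount. The HMAC construction, the DAN format, the class and function names and the sample card number are assumptions made for the demo; real EMV uses its own key derivation and MAC, and the commenter's point is only that the cryptogram is bound to the transaction.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number for the demo; not real card data.
SAMPLE_PAN = "4111111111111111"


def cryptogram(key: bytes, dan: str, atc: int, un: str, amount: str) -> str:
    """Simplified application cryptogram: HMAC-SHA256 over the DAN, the
    device's transaction counter (ATC), the terminal's unpredictable number
    (UN) and the amount, truncated to 8 bytes. Real EMV ARQCs use a
    different key hierarchy and MAC; the binding to ATC and UN is the
    property being illustrated (assumption for this demo)."""
    msg = f"{dan}|{atc}|{un}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServiceProvider:
    """Issuer/TSP side: the only place the DAN -> PAN mapping lives."""

    def __init__(self):
        self._vault = {}  # dan -> {"pan", "key", "last_atc"}

    def provision(self, pan: str):
        """PAN (from device) => bank => DAN + per-device key (to device)."""
        dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(16)
        self._vault[dan] = {"pan": pan, "key": key, "last_atc": 0}
        return dan, key

    def authorize(self, dan, atc, un, amount, crypt):
        """Verify the cryptogram, reject replayed counters, then detokenize."""
        entry = self._vault.get(dan)
        if entry is None:
            return "DECLINED: unknown token"
        expected = cryptogram(entry["key"], dan, atc, un, amount)
        if not hmac.compare_digest(expected, crypt):
            return "DECLINED: bad cryptogram"   # wrong UN, amount or key
        if atc <= entry["last_atc"]:
            return "DECLINED: replayed ATC"     # this message was seen before
        entry["last_atc"] = atc
        pan = entry["pan"]                      # detokenized only here
        return f"APPROVED: PAN ending {pan[-4:]}"


class Device:
    """Phone holding only the DAN and its key (secure element / HCE store)."""

    def __init__(self, dan, key):
        self.dan, self._key, self.atc = dan, key, 0

    def tap(self, un, amount):
        self.atc += 1
        return {"dan": self.dan, "atc": self.atc, "un": un, "amount": amount,
                "cryptogram": cryptogram(self._key, self.dan, self.atc, un, amount)}


class Terminal:
    """Merchant POS: supplies the unpredictable number, forwards the result."""

    def __init__(self, tsp):
        self.tsp = tsp

    def checkout(self, device, amount):
        un = secrets.token_hex(4)
        msg = device.tap(un, amount)
        return msg, self.tsp.authorize(msg["dan"], msg["atc"], un, amount, msg["cryptogram"])


def run_demo():
    """One genuine tap, then three misuses of the captured NFC message."""
    tsp = TokenServiceProvider()
    dan, key = tsp.provision(SAMPLE_PAN)
    phone, shop = Device(dan, key), Terminal(tsp)
    results = {}

    captured, results["genuine"] = shop.checkout(phone, "12.50")

    # Captured message presented at another terminal: that terminal issues a
    # different UN, so the cryptogram no longer matches what the issuer expects.
    other_un = "00000000" if captured["un"] != "00000000" else "11111111"
    results["replay_other_terminal"] = tsp.authorize(
        captured["dan"], captured["atc"], other_un, captured["amount"], captured["cryptogram"])

    # Byte-for-byte replay of the same message: cryptogram verifies, but the
    # issuer has already seen this ATC for this DAN.
    results["replay_same_message"] = tsp.authorize(
        captured["dan"], captured["atc"], captured["un"], captured["amount"], captured["cryptogram"])

    # Amount altered in transit with a fresh-looking counter: MAC fails.
    results["tampered_amount"] = tsp.authorize(
        captured["dan"], captured["atc"] + 1, captured["un"], "999.00", captured["cryptogram"])

    # The merchant-side message carries the token, never the real PAN.
    results["pan_visible_to_merchant"] = SAMPLE_PAN in str(captured)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in `authorize` is deliberate: the cryptogram is checked before the counter so that a message moved to a different terminal fails on the UN binding, and an exact replay fails on the counter even though its MAC is valid. Nothing the merchant or a rogue reader captures contains the PAN, which is what tokenization buys on top of the cryptogram.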
Make a vid on how UPI works.
What happens if the DAN or Payment token is compromised and leaked? Is it subject to replay attacks?
I think that the token is single-use only, just like rolling codes are on garage doors.
Google Pay was named Tez before in India.
Wow, all this about a thing that could be said even in one sentence.
If they are not storing, then why do they need their server in the middle? Definitely storing and giving input to their ML. Big Tech is our God now.
Which one are you using, Apple Pay or GPay?
We deal in cold hard cash.
One advantage of Apple Pay (besides security and privacy) is that you don't have to be connected to the internet once the card is connected to your phone, while with Google Pay you have to have internet.
I've always used G Pay without internet connection.
No, you don't.
What if a bad guy steals the token? Can he make a payment?
I believe Apple and Google monetize the transaction differently. (i.e. how they are paid for each transaction). Please speak to this as data security is clearly most people's principal concern.
So which one is safer in a practice? Can anybody smarter than me explain?
wow, interesting.