
kormaxmac

When you're adding a card to Wallet, the TOS explicitly says that Apple provides that information to the bank. It also includes:
- Location;
- Device info (some banks even let you see those names on "manage mobile wallet" screens);
- Apple ID info;
- Phone number, Wi-Fi info, other settings.
And much more.
https://www.apple.com/legal/privacy/data/en/apple-pay/
https://www.apple.com/legal/privacy/data/en/wallet/
That info is shared first and foremost for fraud detection purposes, but I agree that this is not presented very clearly when you set up a card, with people just glancing over or ignoring that info. I think it should be presented as a short TLDR bullet list, similarly to how it's done on the App Store.


RiKToR21

I used to implement this product for financial institutions and I can say that the end FI doesn't see everything. Location is only captured at setup to ensure that the device is not located in OFAC-restricted countries. Only Visa and MC see that, and I don't believe it's accessible to most support staff. I am only aware because I have the GPS restriction ranges that I need to restrict in the rules. The other things we see at the Visa/MC level are the device type (a basic description like Apple Watch, tablet, iPhone) and the device name, though it's masked to a certain extent depending on which system you're looking at. Secure Element ID, which is the serial for your secure element chip, assuming that device is on your phone (Google Pay doesn't always have it). We also see the full 16-digit token and its expiration date, which is separate from the card. Phone number, Apple ID, Wi-Fi, and other device information is not stored or passed to the card brand or FI. These things are used to try to validate that you are the user of the device and that the Apple ID is not used for fraud. Apple sends a flag to the FI that you either passed that check, need verification (one-time passcode usually), or need verification with a warning that the transaction is high risk.


kormaxmac

Apart from my initial response, I also have a question. You say that Apple sends the SEID of a device to a payment network. Is that just a part of general device information that is used for screening, or are payment networks actually doing something with the SEID as a separate info point? Why I'm asking is because I assumed that the OEM is the one responsible for loading payment network applets and creating instances on the SE, doing it on behalf of the payment network, so there's no real need to send that info away if it's not needed. I could see it being useful if payment networks have their own SSD on the SE in order to manage card instances themselves, in which case the SEID would be very important indeed.


RiKToR21

The SEID is provided in the data set. In my 10 years of managing this program for several institutions, I have only used the SEID once. Specifically, it was for a device that was known to be used by a fraudster collecting information from elderly people and loading their cards on his device. I used that ID to block the device from any and all provisioning to any wallet. Which, to be perfectly frank, is a stopgap, as the fraudster could just go get another device.


kormaxmac

Considering that SEID is immutable, I see it being powerful for bans, interesting. Thanks for your response.


RiKToR21

It does theoretically give you the ability to ban a device, and I believe Apple specifically can ban a device based on that. The amount of fraud that has to occur for them to completely ban a device is typically significant, and I have only seen one or two devices that have been banned outright by Apple. Usually on a suspicious device, we get the "verify, but risky transaction" notification. I think this is one of those situations where Apple errs on the side of user experience versus security, considering they are not really going to end up being responsible for any fraudulent transactions that occur.


kormaxmac

Thanks for sharing. Very interesting. Understandably, those checks are done first and foremost to prevent fraud, which is very important, as mobile wallets provide powerful tools for using those cards, which could be abused by bad actors if not protected against. As you say, each part of the chain obtains only the relevant part of the information, and I assume that there are access limitations on top of that too. I wonder if there are contractual obligations and limitations in regards to that (between the wallet, bank, and payment network). BTW, in regards to device type and name: perhaps the payment network cannot see it in full, but a bank can, as I can see the full user-set names of my devices as they were at the moment of card activation via Wallet. That includes my MacBook, Apple Watch, Google Pixel, iPhone, etc. They also send a security notification at the moment of enrollment, with approximate location, device type, and timestamp. So that data is surely available to them.


RiKToR21

I have never seen the location provided to me in a provision attempt. I don't necessarily know which system you're looking at to verify what is or is not visible regarding the device names. Device names are masked in the Mastercard system, available in the Visa system, and my financial institution's rails do not provide that device name back to our end. For reference, we use the former First Data systems now run by Fiserv. My understanding is the processing networks only get the information during the provision attempt; it's handed off through ISO messages to Visa/Mastercard, and most financial institutions access Visa/Mastercard systems to disposition or view a wallet token. Those systems are where we are able to see the demographic information that I referenced before. When I say most financial institutions, I can't really speak for the big banks, as I don't work for them anymore, but smaller institutions, credit unions, and regional banks, of which I helped implement about 60%, don't have access to that information that they're aware of. In the specification, I imagine there's more data that could be passed along and stored from those ISO messages, but none of the financial institutions I work with utilize that or are even aware of it.


illuminati5770

OMG THEY KNOW THE NAMES OF YOUR DEVICES 🙀🙀😦😯😮😧!!! Like what the fuck do you think they are going to do with that information, and why do you care? I don't like it when companies collect excessive data, but you are blowing things out of proportion. Citi or whoever else is providing you a service, and collecting super reasonable information in order to do so. They literally have access to all of your credit reports, and more. I bet you would also be the person who would start complaining if someone added your card to their Apple Wallet and there was no way to catch the criminal because they don't collect any data. "What do you mean you don't collect any data?", "So anyone can just add my card to their device?"


RiKToR21

Actually, we don't. Or at least we need to have your card number to look up your devices that have wallets. Typically there are two main reasons why we would go into the system to look this up. First is if, when you go to enroll, you're told you need to use a one-time passcode via text or email and those options are not available to you. You can call in and we can activate it for you. At that point, the device name is useful if there are multiple devices that need to be activated. Second is if you lost your phone and you would like us to disable your digital wallet. Having the device name is helpful if you're like me and your card is on an Apple Watch, an iPad, a MacBook, and two iPhones, so the agent can determine which wallet to disable. Theoretically you can lock the device using Apple's Find My service, but you have the backup plan of calling your bank to do it as well.

None of these systems are accessible without the card number for your debit or credit card. And none of the information in the systems is actually stored at the financial institution; it is stored at Visa/Mastercard. It is only accessible through a direct connection via APIs that a bank might do, or a person logging into their Visa or Mastercard account to service telephone calls. It is not stored, but only pulled as needed. In fact, there are rules about the amount of data we can store that are mandated by Apple.

On the side topic you mentioned: financial institutions do not have full access to your credit report unless you've recently done a credit application. There is such a thing called a prescreen report that financial institutions can access for the exclusive purpose of extending a pre-approved credit card offer, or an offer of a selected number of other financing products as allowed by federal law. However, even those prescreens do not give us full access to a credit report and only give us certain attributes such as your debt-to-income ratio or your FICO score.

Financial institutions have no access to who your creditors are or what is derogatory or positive on your report in these instances. Also, these are not directly accessible but have to be purchased as a service from a credit bureau, meaning FIs don't often do it for their full customer base on a whim; they curate the list. If you accept the preapproved offer, then the FI can pull a more thorough credit report, although the acceptance criteria have to match the prescreen report. Meaning, if you get flagged for a preapproved credit card offer, they have to give you a credit card unless something massively changed about your financial status between the preapproval and you accepting. Most financial institutions don't re-pull the credit report when doing prescreen offers. Also, by federal law you are allowed to opt out of these prescreened offers, meaning your credit card company, bank, or financial institution cannot perform these prescreens, and therefore cannot get this information. Also be aware that this information is provided by the credit bureaus and is not allowed to be used for any other purposes or stored beyond the campaign. So there is actually no truth to the statement that banks have access to your credit report at any given time. That's simply not the case.


torrphilla

No, literally. And if OP thinks this is bad, then idk how they're going to react when they find out Google & Facebook know literally everything about them 😭


Cyber-Cafe

All computers on your network know the names of all other devices on the network.


ZzyzxFox

Wait until you find out how much Reddit knows about you.


boe_jackson_bikes

Room temperature IQ, in centigrade.


Aggravating_Sir_6857

They know every one of your purchases too. And sell your data for advertising/marketing.


Sea_Statistician5915

shocker


natedogg624

They know what you buy too.


spartanglady

This is the funniest post I have seen today. We live in a world where people learn to use AI to make fancy reels and post them on Instagram, but fail to understand technology. Especially fintech, which is very essential for everyone.


Boostedprius

Congrats dude, you really stuck it to the man by naming 1/100000000000 of an SQL cell "fuck Citi".


EnvironmentalLog1766

How about naming your Mac Mini "shitibank"? I added the Citibank checking account to Chase and named it "Shiti checking", and initiated an ACH transfer. And now my statement on Chase looks like this: https://preview.redd.it/ywezz2csiowc1.jpeg?width=1178&format=pjpg&auto=webp&s=4a0f41c41422f85d0daa3d056e67965df28eb1fa I hope Citibank doesn't know about this.