I Don’t Use Apple Pay Because It’s Less Secure ...: Perception of Security and Usability in Mobile Tap-and-Pay Jun Ho Huh, Saurabh Verma, Swathi Sri V Rayala, Rakesh B. Bobba, Konstantin Beznosov, and Hyoungshick Kim

JunHoHuh,SaurabhVerma,Swathi SriVRayala,RakeshB.Bobba,KonstantinBeznosov,andHyoungshick Kim

• InOctober2014,ApplelaunchediPhone6andApplePay

• Marketingpitchwas:tap-and-paywithiPhonesinstoresisfaster andmoresecure

• ApplePayquicklybecamethebiggesttap-and-paymobilepaymentsystemintheUS

• Accountingfor$2outofevery$3processedthroughcontactlesspayment


• GooglelaunchedtheirownmobilepaymentsolutioncalledAndroidPayaroundSeptember2015

• AlsoclaimingthatAndroidPayismoreconvenientandsecurethanswipe-and-paywithtraditionalcreditcards


• Howpopulararethetwotechnologies?

• Whydopeopleuseornotusethem?Howimportantaresecurityandusabilityfactorsinaffectingpeople’sdecisions?

• Whatarespecificusabilityandsecurityconcerns?

• Arethereanysecurityorusabilitymisconceptions?


• Conductedsemi-structuredinterviewstoidentifyhypotheses

• ConductedontwodifferentparticipantpoolswithintheUS:• 21participantsfromauniversity• 15participantsthroughonlineadvertisements(e.g.,Craiglist)

• Conductedbytworesearcherstogethertoensureallquestionswereaskedconsistently

• Averagetimetakenwas35minutes• Separatelyperformedthematicanalysisofeachinterview,independentlycreatinglistofthemes(“codes”)


• Usage: weaskedabouttheirfamiliaritywithApple(Android)Pay,andwhethertheyuseittopayinstores

• Whyuseornotuse• Askedwhytheyuse,notuse,orstoppedusingApple(Android)Pay

• Askedhowtheyfeelaboutsecurityandusability

• Familiaritywithsecurity: askedwhethertheyunderstand• HowApple(Android)Payprotecttheirtap-and-paytransactionprivacyandsecurity

• Howitprotectscarddetails• Howitensuresonlytheycanpaywiththeirphone


• Aftermergingthecodesfrombothgroups,thethreedominantfactorsforusing ApplePaywere

• More secure (12)• Faster (11)• More convenient (12)



• Fornotusing ApplePaythedominantfactorswere• Not many stores support it (6)• Less secure (6)



AndroidPayresults• Forusing AndroidPaythedominantfactorswere

• More convenient (4)

• More private (4)

• For not using Android Pay,• Not many stores support it (6)• Less secure (5)• Less convenient (5)




Secondstudy:onlinesurvey• Alarge-scaleonlinesurveywasconductedtoaddresslimitationsofthefirststudy,andtesthypotheses

• Designedbasedonthecodesidentifiedinthefirststudy,followingthesamestructure

• RecruitedparticipantthroughAmazonMechanicalTurkbetweenMarchandApril2016

• LimitedtoUSparticipants• ParticipateonlyiftheyhavesomefamiliaritywithApple(Android)Pay,andownsaphonethatsupportsit


Validatingresponses• Participantswereaskedtosubmittwophotos


• Excluded responses from those who- Didn’t provide photos- Didn’t follow instructions- Provided photos that do not match their claimed model- Provided photos of devices that do not support Apple (Android) Pay

Option ApplePay AndroidPayNo,Ihaveneverusedit 189(54%) 330(64%)Yes,Iuseit 124(36%) 100(21%)Iwasusingitinthepastbutstoppedusingit

36(10%) 81(15%)

Reasonsfornotusing ApplePay


Reasonsfornotusing AndroidPay


Reasonsforusing ApplePay


Reasonsforusing AndroidPay


UsingPearson’scorrelation,wefoundapositivecorrelation(ρ =0.19,p<0.0001)

Wefoundapositivecorrelation(ρ =0.20,p<0.0001)

Perceptionofsecurity• Tothenonuserswhochoseless secure asthetopconcern,weasked

• Whydoyoufeelit’slesssecure?• IfyoulearnthatusingApple(Android)Payismoresecure,wouldyouthenuseittopayinstores?

• ForApplePay,10outof12 saidyestothesecondquestion.ForAndroidPay,8outof14 saidyes.

• Tothefirstquestion,• Insecure storage of card information wasmostfrequentlymentioned(13outof26)

• Butonly2outofthat13correctlyansweredthequestionaboutcardprotectionmechanisms

• Stealing phone and making purchases wasalsopopular(7outof26)


Overcomingsecuritymisconceptions• Insecure storage of card information

• Educatingnonusersaboutthecardinformationprotectiontechnologiescouldhelpthemovercomethissecuritymisconception

• Stealing phone and making purchases

• Learning about authentication mechanisms and lost/stolen phone features (that allows one to quickly disable mobile tap-and-pay remotely)

• Help nonusers realize that using stolen phones to make purchases is harder than physically using stolen cards


Conclusions• Mobiletap-and-payadoptionrateisactuallyquitelow!!

• Securitywasthetopconcernformanynonusers• Commonsecuritymisconceptionwasthatthecardinformationarenot


• Wefoundapositivecorrelationbetweenthesecurityknowledgelevelsandthelikelihoodofusingmobiletap-and-pay

• Furtherinvestigationisneededtostudythecausalrelations• Manynonusersmentionedthatiftheylearnmobiletap-and-payismore


• AppleandGooglecouldpotentiallyimproveadoptionratesbyeducatingpeopleaboutthesecurityprotections,andaddressingtheirsecuritymisconceptions