IDon’tUseApplePayBecauseIt’sLessSecure...:PerceptionofSecurityandUsabilityinMobileTap-and-Pay

JunHoHuh,SaurabhVerma,Swathi SriVRayala,RakeshB.Bobba,KonstantinBeznosov,andHyoungshick Kim

ApplePay

• InOctober2014,ApplelaunchediPhone6andApplePay

• Marketingpitchwas:tap-and-paywithiPhonesinstoresisfaster andmoresecure

• ApplePayquicklybecamethebiggesttap-and-paymobilepaymentsystemintheUS

• Accountingfor$2outofevery$3processedthroughcontactlesspayment

2

3

AndroidPay

• GooglelaunchedtheirownmobilepaymentsolutioncalledAndroidPayaroundSeptember2015

• AlsoclaimingthatAndroidPayismoreconvenientandsecurethanswipe-and-paywithtraditionalcreditcards

4

Researchquestions

• Howpopulararethetwotechnologies?

• Whydopeopleuseornotusethem?Howimportantaresecurityandusabilityfactorsinaffectingpeople’sdecisions?

• Whatarespecificusabilityandsecurityconcerns?

• Arethereanysecurityorusabilitymisconceptions?

5

Firststudy:in-personinterviews

• Conductedsemi-structuredinterviewstoidentifyhypotheses

• ConductedontwodifferentparticipantpoolswithintheUS:• 21participantsfromauniversity• 15participantsthroughonlineadvertisements(e.g.,Craiglist)

• Conductedbytworesearcherstogethertoensureallquestionswereaskedconsistently

• Averagetimetakenwas35minutes• Separatelyperformedthematicanalysisofeachinterview,independentlycreatinglistofthemes(“codes”)

6

Interviewquestions

• Usage: weaskedabouttheirfamiliaritywithApple(Android)Pay,andwhethertheyuseittopayinstores

• Whyuseornotuse• Askedwhytheyuse,notuse,orstoppedusingApple(Android)Pay

• Askedhowtheyfeelaboutsecurityandusability

• Familiaritywithsecurity: askedwhethertheyunderstand• HowApple(Android)Payprotecttheirtap-and-paytransactionprivacyandsecurity

• Howitprotectscarddetails• Howitensuresonlytheycanpaywiththeirphone

7

ApplePayresults

• Aftermergingthecodesfrombothgroups,thethreedominantfactorsforusing ApplePaywere

• More secure (12)• Faster (11)• More convenient (12)

Hypothesis1:usabilityisamoreimportantfactorthansecurityforusingApplePay

8

“It’smoreconvenient..ratherthantakingmywallet,findingmycard,andswipingit..”(P7)

“..youhaveto..authorize[itsuse]withthethumbprint.Sothatmakes[ApplePay]very

secure.”(P13)

9

ApplePayresults

• Fornotusing ApplePaythedominantfactorswere• Not many stores support it (6)• Less secure (6)

Hypothesis2:securityisamoreimportantfactorthanusabilityfornotusingApplePay

10

“ItisnotobviouswhereyoucanandcannotuseApplePay”(P1)

“IfmyPINiscompromised,IcanresetittoanotherPIN.Butmybiometricinformationcannotbe

reset..”(P14)

11

AndroidPayresults• Forusing AndroidPaythedominantfactorswere

• More convenient (4)

• More private (4)

• For not using Android Pay,• Not many stores support it (6)• Less secure (5)• Less convenient (5)

Hypothesis3:thereisnostatisticallysignificantdifferencebetweentheimportanceofusabilityandsecurityfactorswhenitcomesto

usingornotusingAndroidPay

12

Secondstudy:onlinesurvey• Alarge-scaleonlinesurveywasconductedtoaddresslimitationsofthefirststudy,andtesthypotheses

• Designedbasedonthecodesidentifiedinthefirststudy,followingthesamestructure

• RecruitedparticipantthroughAmazonMechanicalTurkbetweenMarchandApril2016

• LimitedtoUSparticipants• ParticipateonlyiftheyhavesomefamiliaritywithApple(Android)Pay,andownsaphonethatsupportsit

13

Validatingresponses• Participantswereaskedtosubmittwophotos

14

• Excluded responses from those who- Didn’t provide photos- Didn’t follow instructions- Provided photos that do not match their claimed model- Provided photos of devices that do not support Apple (Android) Pay

Adoptionrates

15

Option ApplePay AndroidPayNo,Ihaveneverusedit 189(54%) 330(64%)Yes,Iuseit 124(36%) 100(21%)Iwasusingitinthepastbutstoppedusingit

36(10%) 81(15%)

Reasonsfornotusing ApplePay

16

Reasonsfornotusing AndroidPay

17

Reasonsforusing ApplePay

18

Reasonsforusing AndroidPay

19

SecurityknowledgeandApplePayadoptionrate

20

UsingPearson’scorrelation,wefoundapositivecorrelation(ρ =0.19,p<0.0001)

SecurityknowledgeandAndroidPayadoptionrate

21

Wefoundapositivecorrelation(ρ =0.20,p<0.0001)

Perceptionofsecurity• Tothenonuserswhochoseless secure asthetopconcern,weasked

• Whydoyoufeelit’slesssecure?• IfyoulearnthatusingApple(Android)Payismoresecure,wouldyouthenuseittopayinstores?

• ForApplePay,10outof12 saidyestothesecondquestion.ForAndroidPay,8outof14 saidyes.

• Tothefirstquestion,• Insecure storage of card information wasmostfrequentlymentioned(13outof26)

• Butonly2outofthat13correctlyansweredthequestionaboutcardprotectionmechanisms

• Stealing phone and making purchases wasalsopopular(7outof26)

22

Overcomingsecuritymisconceptions• Insecure storage of card information

• Educatingnonusersaboutthecardinformationprotectiontechnologiescouldhelpthemovercomethissecuritymisconception

• Stealing phone and making purchases

• Learning about authentication mechanisms and lost/stolen phone features (that allows one to quickly disable mobile tap-and-pay remotely)

• Help nonusers realize that using stolen phones to make purchases is harder than physically using stolen cards

23

Conclusions• Mobiletap-and-payadoptionrateisactuallyquitelow!!

• Securitywasthetopconcernformanynonusers• Commonsecuritymisconceptionwasthatthecardinformationarenot

securelystored,andstealingphoneandmakingpurchasesiseasy

• Wefoundapositivecorrelationbetweenthesecurityknowledgelevelsandthelikelihoodofusingmobiletap-and-pay

• Furtherinvestigationisneededtostudythecausalrelations• Manynonusersmentionedthatiftheylearnmobiletap-and-payismore

secure,theywoulduseit

• AppleandGooglecouldpotentiallyimproveadoptionratesbyeducatingpeopleaboutthesecurityprotections,andaddressingtheirsecuritymisconceptions

24