This is an interesting to think about. Say you're at an ice cream stand that has a Square Reader (the little square hockey puck reader) that's paired with an iPhone running Square's payment reader.

The merchant rings you up for $5, shows you the phone in their hand indicating the cost, and the Square Reader lights up to show it's ready for payment. You pay via inserting your credit card, which processes in a few seconds, and then the payment is complete. The merchant is no longer showing you the phone, and presumably hits "No Receipt".

However, the merchant actually has a second out of sight device that is set to charge $500 and is actually paired with the Square Reader. Because you've paid with a physical card, there's a good chance you won't notice the charge till you go to pay your credit card or check your bank account.

This would probably be a short-lived scam, as the merchant's malicious Square account would have to be linked to a bank (I think this is the only option), which would identify them. I'm pretty sure Square requires ID verification of some sort as well. So reporting this malicious transaction to your bank/credit card would flag them.

Additionally, if you're paying via a mobile wallet, you'll likely get an immediate notification saying "You paid $500 to Malicious Ice Cream Vendor".

Now let's think about Apple's new plan. It could be that Apple layer's it's own mandatory interface that shows "Pay $5 to Ice Cream Vendor" regardless of the app being used. Maybe this is actually the employee's phone instead of the company's device, but that's the same as the employee stealing cash out of the register, so not really your issue.

Or Apple could not layer it's own UI, and just open up the radio as an API. Apple could require that apps that use this API to have some additional verification to prevent someone from making an app that displays "Charge $5" when it's really charging $500.

All that being said, I only see smaller merchants using iPhones + Square Readers. Maybe some boutique stores, food trucks, etc. Once a store gets large enough, they usually want dedicated hardware, even if it's a Square Stand.

---

Here's Square's hardware page if you want visuals: https://squareup.com/au/en/hardware

Wouldn't you just get a notification on your phone from your credit card or bank app to say how much the transaction is for and to whom. Then you'd know straight away that something is wrong.

Can’t you turn on in your bank app to get a push notification immediately on every transaction? I have this turned on for both of my credit card accounts, so literally within a second or two of tapping or inserting (whether physical card, or Apple Pay on the watch or phone) I get a notification telling me how much was just charged to my card.

Useful for double checking that something hasn’t gone wrong and I haven’t been charged the wrong amount! I’d also see if a fraudulent transaction went through.

Why do I currently trust any contactless payment terminal to debit the right amount from my Visa card ? The trust is built with every transaction.

The first time I used one of those strange little white terminals it seemed a bit dodgy ... but you pretty quickly come to trust that what's on the screen is what gets debited.

Also I doubt Apple would leave a nice app-accessible text field on the Tap To Pay dialog where I can insert my fake amount. Right ?!

You don't have to trust them, you trust your credit card company. All you have to do is tell them its fraud and the charge goes away.