The security pros and cons of ApplePay


By Byron Acohido 

ApplePay, the new mobile payments service introduced by Apple this week, could ultimately set the security and privacy benchmarks for digital wallets much higher.

Even so, the hunt for security holes and privacy gaps in Apple’s new digital wallet has commenced. It won’t take long for both white hat researchers and well-funded criminal hackers to uncover weaknesses that neither Apple nor its banking industry partners thought of.

Here’s ThirdCertainty’s breakdown of the security and privacy issues stirred by Apple’s bold move into the digital wallet business.

ApplePay defined

Available on the new iPhone 6 and Apple Watch, ApplePay stores account numbers on a dedicated chip. Apple refers to this chip as the “secure element,” available only on the iPhone 6 and iPhone 6 Plus. It is on this chip that your financial information is stored. It is only accessed when a random 16-digit number gets generated for a given transaction, and it never makes it to the phone’s software, where hackers could reach it.

The devices then use Near Field Communication (NFC) to send a simple token, instead of the full account number, to the merchant’s NFC-enabled point-of-sale register.
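A simplified model of the flow described above, added here as an example; it is not Apple's implementation or code from this article. The class names, the bank-side `TokenService` and the way it resolves a token are assumptions, and the account number is a constructed test value. It shows that the merchant's stored records hold only single-use tokens and that a token presented a second time is refused.

```python
import secrets

class TokenService:
    """Hypothetical bank-side service that maps single-use tokens to accounts."""
    def __init__(self):
        self._pending = {}  # token -> account number, until redeemed

    def register(self, token, account_number):
        self._pending[token] = account_number

    def redeem(self, token):
        # pop() makes each token single-use: a replayed token resolves to None.
        return self._pending.pop(token, None)

class SecureElement:
    """Model of the dedicated chip; only pay() is exposed to the phone's software."""
    def __init__(self, account_number, token_service):
        self._account_number = account_number
        self._tokens = token_service

    def pay(self):
        # Random 16-digit value with no mathematical link to the account number.
        token = self._account_number
        while token == self._account_number:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        # Assumption: the article does not say how the bank side learns the token.
        self._tokens.register(token, self._account_number)
        return token

class Merchant:
    def __init__(self, token_service):
        self._tokens = token_service
        self.stored_records = []  # what a breach of the merchant would expose

    def charge(self, token, amount_cents):
        self.stored_records.append({"token": token, "amount_cents": amount_cents})
        return self._tokens.redeem(token) is not None

def simulate():
    pan = "4111111111111111"  # constructed test number, not a real account
    service = TokenService()
    phone = SecureElement(pan, service)
    shop = Merchant(service)
    token = phone.pay()
    first = shop.charge(token, 1299)
    replay = shop.charge(token, 1299)  # same token presented a second time
    second = shop.charge(phone.pay(), 500)
    leaked = any(pan in str(record) for record in shop.stored_records)
    return first, replay, second, leaked
```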

“This allows an ultra secure payment,” says Anthony Antolino, business development officer at Eyelock, a biometrics technology vendor. “The only remaining concern is keeping the smart phone under your control.”

Apple tightens down who can control each device by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into ApplePay. This new approach keeps personal information on the device – instead of moving account data into storage servers within easy reach of thieves. The hacks of big merchants in the United States and Europe, including Home Depot, Target, P.F. Chang’s and Neiman Marcus, show how adept data thieves have become at attacking stored data.

How ApplePay improves security

ApplePay validates a “data-centric security model,” argues Mark Bower, product management vice president at Voltage Security.

“The payments world needs to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data,” Bower says. “Tokenized payments reduce the risk of data breaches and credit card theft.”

Mathew Rowley, technical director at security consultancy NCC Group, observes that the U.S. payment card industry continues to require minimal security checks in authorizing credit and debit card purchases.

“Things like chip-and-PIN and two-factor credit cards have been implemented in other countries, but the U.S. seems to be behind the curve,” says Rowley. “Any additional logic built into the process of making payments will make it more secure.”

How ApplePay introduces new risks

Adding a mobile wallet function to the latest iPhone gives criminal hackers more incentive and opportunity to find fresh vulnerabilities, says Mike Park, managing consultant at Trustwave.

“Any new additions and functionality to a platform, even ones meant to enhance security, can expand the attack surface,” says Park. “With the introduction of this type of functionality into a platform, this makes every device a possible target.”

The more popular ApplePay becomes, the more likely cybercriminals will devote resources to cracking it. Research from legit sources already is available showing how to hack into NFC systems, such as this 2012 report from Accuvant researcher Charlie Miller.

It’s probable that elite criminal hackers “are looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now,” Park says.

One simple crime would be to target Apple devices for physical theft. Another is to figure out how to remotely access and manipulate ApplePay accounts. “The weakest link is the consumer,” says Alisdair Faulkner, chief products officer at ThreatMetrix. “And ultimately a web page with a username and login, like iCloud, now has an unprecedented amount of information about you backed up into the cloud.”

Pushing payments to mobile devices makes Internet cloud services more complex – and complexity creates vulnerabilities.

“In the past the only participants were the merchant, the merchant’s bank and your personal bank,” says Richard Moulds, vice president of product strategy at Thales e-Security. “Apple is stating that they will not know the details of individual transactions, which is very important, however there is clearly the risk of attacks on the phone itself.”





