ApplePay, the mobile payments service introduced by Apple in October 2014, could ultimately set the security and privacy benchmarks for digital wallets much higher.
Even so, the hunt for security holes and privacy gaps in Apple’s new digital wallet has commenced. It won’t take long for both white hat researchers and well-funded criminal hackers to uncover weaknesses that neither Apple nor its banking industry partners thought of.
Here’s ThirdCertainty’s breakdown of the security and privacy issues stirred by Apple’s bold move into the digital wallet business.
Available on the iPhone 6 and Apple Watch, ApplePay stores account numbers on a dedicated chip. Apple refers to this chip as the “secure element,” available only on the iPhone 6 and iPhone 6 Plus. It is on this chip that your financial information is stored. It is only accessed when a random 16-digit number gets generated for a given transaction, and the number never makes it to the phone’s software, where hackers could reach it.
The devices then use near field communication (NFC) to send a simple token, instead of the full account number, to the merchant’s NFC-enabled point-of-sale register.
“This allows an ultra secure payment,” says Anthony Antolino, business development officer at Eyelock, a biometrics technology vendor. “The only remaining concern is keeping the smart phone under your control.”
Apple tightens down who can control each device by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into ApplePay. This new approach keeps personal information on the device – instead of moving account data into storage servers within easy reach of thieves. The hacks of big merchants in the U.S. and Europe, including Home Depot, Target, P.F. Chang’s and Neiman Marcus, show how adept data thieves have become at attacking stored data.
How ApplePay improves security
ApplePay validates a “data-centric security model,” argues Mark Bower, product management vice president at Voltage Security.
“The payments world needs to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data,” Bower says. “Tokenized payments reduce the risk of data breaches and credit card theft.”
Mathew Rowley, technical director at security consultancy NCC Group, observes that the U.S. payment card industry continues to require minimal security checks in authorizing credit and debit card purchases.
“Things like chip-and-PIN and two-factor credit cards have been implemented in other countries, but the U.S. seems to be behind the curve,” Rowley says. “Any additional logic built into the process of making payments will make it more secure.”
How ApplePay introduces new risks
Adding a mobile wallet function to the latest iPhone gives criminal hackers more incentive and opportunity to find fresh vulnerabilities, says Mike Park, managing consultant at Trustwave.
“Any new additions and functionality to a platform, even ones meant to enhance security, can expand the attack surface,” Park says. “With the introduction of this type of functionality into a platform, this makes every device a possible target.”
The more popular ApplePay becomes, the more likely cybercriminals will devote resources to cracking in. Research from legit sources already is available showing how to hack into NFC systems, for instance this 2012 report from Accuvant researcher Charlie Miller.
It’s probable that elite criminal hackers “are looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now,” Park says.
One simple crime would be to target Apple devices for physical theft. Another is to figure out how to remotely access and manipulate ApplePay accounts. “The weakest link is the consumer,” says Alisdair Faulkner, chief products officer at ThreatMetrix. “And ultimately a web page with a username and login, like iCloud, now has an unprecedented amount of information about you backed up into the cloud.”
Pushing payments to mobile devices makes Internet cloud services more complex – and complexity creates vulnerabilities.
“In the past, the only participants were the merchant, the merchant’s bank and your personal bank,” says Richard Moulds, vice president of product strategy at Thales e-Security. “Apple is stating that they will not know the details of individual transactions, which is very important; however, there is clearly the risk of attacks on the phone itself.”