Apple Pay the Answer
year. MCX is co-owned by a number of large retail chains, and CurrentC recently made the news when hackers reportedly stole email addresses from the company. An issue with any new payment system is that when it is new, it is relatively untested. It’s only after the system has been in operation for months or even years that any vulnerabilities are likely to be spotted and fixed. So what can we say about the security of Apple Pay?

Apple Pay Challenges

One possible weak point involves using Apple’s Touch ID fingerprint recognition system to authenticate that you are the owner of the device making the payment. It’s a possible weak point because Touch ID can be bypassed relatively easily using fingerprints lifted from glass, security experts have found.
David Emm, principal security researcher at Russia-based Kaspersky Lab, points out that criminal gangs seeking to steal money from payment systems tend to operate on a large scale. “If they wanted to subvert the system using this approach, then they would have to obtain lots of fingerprints which would be difficult,” he says. “It’s not something that you can do at scale.” That means hackers will likely probe for other weak points in the Apple Pay payment system that can be more easily compromised.
Apple Pay uses a system called tokenization, which replaces information about credit cards with other data. That means that your credit card information is not stored on your mobile device - or on Apple’s servers, for that matter. The exception to this is when you first enroll a credit card into the system. This is done by taking a photograph of the card or entering the card details manually. This is a weak point in the process because this is the one time you interact with your card data, says another security expert.
Hackers could harvest credit card information as it is entered, using malware or by exploiting misconfigurations or flaws in the iOS software. “Apple is certainly not immune to bugs, and it’s really almost inevitable that there are some in there,” he says. This is illustrated by the fact that Apple actively works to prevent its iOS operating system being “jailbroken,” yet every version of iOS, including the current iOS 8, has been successfully jailbroken by enthusiasts who have found and exploited bugs in Apple’s code. As yet there is no known malware that can steal credit card details from Apple Pay, and no operating system vulnerabilities are publicly known to exist. But that doesn’t mean such malware isn’t already under development, or that hackers aren’t actively searching for vulnerabilities in iOS that can be exploited to allow them to steal the information they are after.

Apple Pay and NFC

Apple Pay uses near field communication (NFC) to communicate one-time transaction information (not credit card information) with retail point-of-sale (PoS) systems, and in theory this might be another weak point in the system. Adding NFC to a device might introduce risk. When there is a new communications system in a device, then there is an opportunity to compromise the device itself.
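The sketch below is an added illustration, not Apple's code and not part of the original article: a simplified model of a token that stands in for the card number plus one-time transaction data that cannot be reused. The class names, message fields, HMAC construction and counter scheme are all assumptions made for this example; real payment networks use their own cryptogram formats.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, token, amount, counter):
    """One-time value binding this token, amount and counter together."""
    data = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TokenService:
    """Constructed stand-in for the bank / card network side."""

    def __init__(self):
        self._vault = {}  # token -> real card number, device key, last counter

    def enroll(self, card_number):
        # Enrollment is the only step that handles the real card number.
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": card_number, "key": key, "last": 0}
        return token, key  # provisioned to the device; the card number is not

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "declined: unknown token"
        expected = cryptogram(entry["key"], msg["token"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= entry["last"]:
            return "declined: replay"  # counter already used
        entry["last"] = msg["counter"]
        return "approved"


class Device:
    """Holds only the token and key, never the card number."""

    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        mac = cryptogram(self._key, self.token, amount_cents, self._counter)
        return {"token": self.token, "amount": amount_cents,
                "counter": self._counter, "mac": mac}
```

In this model, a message captured at the point of sale is declined if it is submitted a second time, and changing the amount or counter invalidates the cryptogram because the key never leaves the device and the service.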
Apple Pay includes protections against replay attacks in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Such protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a retailer’s PoS hardware. Kaspersky’s David Emm points out that replay protection may make it difficult, but not necessarily impossible, for hackers to compromise Apple Pay at the point-of-sale. “People think up ingenious things, and they will certainly look at all the possibilities. Efforts to subvert the system will certainly go on,” he says. “To overcome the one-time nature of data intercepted using an NFC receiver, hackers might attempt to use it to execute a transaction at the same time,” he adds. “You would effectively have a race condition (with hackers attempting to get their transactions through before the legitimate one). But this would be difficult because the transaction still has to go to the bank payment system, and the attacker wouldn’t have the necessary authentication data.”

Moving Target

Attempting to steal card data when it is entered into devices using malware, exploiting vulnerabilities in Apple’s operating system or attempting to compromise the payment system during NFC transmissions likely won’t turn out to be the primary focus for attackers, said a security expert. “I think what we will see is attackers shifting from merchant and consumer devices to attacks against payment gateways and payment networks themselves, like we saw in the recent attack on JP Morgan Chase,” he says. “The attack point will shift to banks’ back-end systems.” These sorts of attacks are likely to be more profitable, he believes.

Apple Pay vs. Other Mobile Payment Systems

How does Apple Pay compare to other mobile payment systems?
CurrentC has not yet launched so it’s hard to say how secure it will prove to be, although it doesn’t store sensitive information in mobile devices’ secure elements. Instead, credit card data is stored in the cloud and a CurrentC application will generate a QR code that can be scanned to perform a transaction. Google Wallet and Softcard do use the secure element (like Apple Pay), and transactions are protected by a PIN. A major difference between Apple Pay and Google Wallet comes down to who you are forced to trust. “With Apple Pay, you trust Apple with the technology and your bank with your credit card information. With Google Wallet you trust your credit card and the technology to Google, so this does introduce a single point of failure that Apple Pay doesn’t have,” he says.
Although the actual transactions are not identical, with Google Wallet creating a virtual credit card while Apple Pay uses tokenization, “they are pretty much parallels (in terms of security),” states one security analyst. When it comes to emerging payment methods like Apple Pay, perhaps the best way to look at it is not whether they are secure -- as nothing is 100 percent secure -- but whether using them is more secure than using credit cards. We know that the magnetic strip and signature system of credit cards used today is not very secure at all - BI Intelligence estimates that credit card fraud in 2013 in the U.S. amounted to about $7.1 billion, more than half of all global payment card fraud costs. When more secure credit cards with EMV chips (sometimes known as chip and PIN) become more commonplace in 2015, the rate of fraud is likely to fall. But even after the introduction of more secure credit cards this year, many believe that Apple Pay will prove to be more secure. “Apple’s system is a clear enhancement over chip and PIN,” some experts believe. “It’s a win for customers, and for retailers that choose to take it - which they really should.”
Let’s bring this discus
Michael.okeke@thisdaylive.com