Apple has unveiled a new mobile wallet system called Apple Pay, which uses NFC for contactless payments. Sophie Curtis examines its security features.
During the company’s launch event, Apple’s senior vice president of Internet Software and Services, Eddy Cue, stressed that security and privacy are at the core of Apple Pay.
“When you’re using Apple Pay in a store, restaurant or other merchant, cashiers will no longer see your name, credit card number or security code, helping to reduce the potential for fraud,” he said.
“Apple doesn’t collect your purchase history, so we don’t know what you bought, where you bought it or how much you paid for it. And if your iPhone is lost or stolen, you can use Find My iPhone to quickly suspend payments from that device.”
The company added that credit and debit card numbers are not stored on the device, nor on Apple’s servers. Instead, a unique “device account number” is assigned, encrypted and stored in the secure element on the iPhone or Apple Watch.
Each transaction is authorised with a one-time unique number, and instead of using the security code from the back of your card, Apple Pay creates a “dynamic security code” to securely validate each transaction.
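The token-plus-one-time-code idea described above can be sketched in a few lines. This is an added illustration, not Apple's code or protocol: the HMAC construction, the transaction counter and the names `SecureElement`, `Issuer` and `demo` are assumptions made for the example, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def _code(key, dan, counter, amount, merchant):
    # "Dynamic security code": a MAC bound to one transaction (assumed construction).
    msg = f"{dan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class SecureElement:
    """Device side: holds the device account number and a key, never the card number."""
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0
    def pay(self, amount, merchant):
        self._counter += 1  # one-time number, never reused
        tx = {"dan": self.dan, "counter": self._counter, "amount": amount, "merchant": merchant}
        return {**tx, "code": _code(self._key, **tx)}

class Issuer:
    """Bank side: the only place where the token maps back to the real card."""
    def __init__(self):
        self._tokens = {}
    def provision(self, card_number):
        dan, key = "DAN-" + secrets.token_hex(8), secrets.token_bytes(32)
        self._tokens[dan] = {"card": card_number, "key": key, "last": 0, "suspended": False}
        return SecureElement(dan, key)
    def suspend(self, dan):  # device reported lost or stolen
        self._tokens[dan]["suspended"] = True
    def verify(self, tx):
        rec = self._tokens.get(tx["dan"])
        if rec is None or rec["suspended"]:
            return "declined: token unknown or suspended"
        good = _code(rec["key"], tx["dan"], tx["counter"], tx["amount"], tx["merchant"])
        if not hmac.compare_digest(good, tx["code"]):
            return "declined: security code does not match"
        if tx["counter"] <= rec["last"]:
            return "declined: one-time number already used"
        rec["last"] = tx["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    card = "4111111111111111"  # constructed test card number
    phone = issuer.provision(card)
    tx = phone.pay(1250, "SHOP-1")  # everything the merchant receives
    results = [issuer.verify(tx), issuer.verify(tx)]  # second call replays captured data
    results.append(issuer.verify({**phone.pay(1250, "SHOP-1"), "amount": 99999}))  # altered amount
    issuer.suspend(phone.dan)
    results.append(issuer.verify(phone.pay(500, "SHOP-1")))  # payment after suspension
    return results, card in str(tx)
```

Calling `demo()` returns the four issuer decisions plus a flag showing whether the real card number appears anywhere in the data handed to the merchant.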
This all sounds very reassuring, and security experts have praised the feature, calling it a “huge win for credit card security” – particularly in the United States, where most people still use payment cards with magnetic stripes.
“This is really a great way for Apple to push a much more secure payment authentication process out to the masses,” said Tom Pageler, chief information security officer at DocuSign.
“It appears that users will synchronise Apple Pay with their credit cards through their iTunes account, which is linked to their device. The data provided to the merchant won’t be card data, but some type of dynamic data that can only be used once.
“This will be a much safer transaction for consumers and merchants because the data is created for a one-time transaction-specific use case. The large data breaches we’ve heard about recently at Home Depot and Target would not be able to occur again because transactions don’t produce reusable data.”
Mark Bower, vice president of product management at Voltage Security, also praised the new system, claiming that Apple has shone a light on the need for the payment world to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data.
“Through the use of this data-centric security strategy, Apple Pay reduces risk of data breaches and credit card theft where it is supported,” he said.
However, Tobias Schreyer, co-founder and chief commercial officer at the PPRO Group, said that security is still an issue that consumers need to be aware of – especially given the considerable amount of loss and theft associated with mobile devices, and the increase in targeted attacks.
“This development increases the need for biometrics as a confirmation process, providing customers with an easier, more efficient experience which they’ve come to expect, and which will be a major change within the industry,” said Schreyer.
Graham Hann, partner at international law firm Taylor Wessing, also said that security of payment data will remain a key concern among consumers, and statistics suggesting that iPhones are the most stolen handset might hinder take-up slightly.
Interestingly, by allowing iPhone 5 and 5c owners to use Apple Pay via the Watch, Apple will potentially be allowing users to make payments without any biometric identification, as neither of these devices has Touch ID.
However, it is thought that the value of transactions which are carried out without the fingerprint reader will be limited – just as contactless card payments in the UK are limited to under £15.
Other security experts have questioned the reliability of the fingerprint scanner. Adam Smith, director at Piccadilly Group, said: “Many consumer grade fingerprint scanners are less than infallible – so we’ll have to see how good Apple’s scanner is in practice.”
Dmitry Bestuzhev, director of Kaspersky’s Global Research and Analysis Team Latin America, also pointed out that Touch ID doesn’t always work properly – for example, if your fingers are wet – which is why Apple also allows customers to input a PIN. “This shortcut scheme can be abused by cybercriminals while authorising payments,” he said.
Tim Erlin, director of IT risk and security strategy at Tripwire, said that NFC isn’t as well tested from a security perspective as the more common wireless technologies.
“If the Apple Watch takes off in the market, it will quickly become an interesting target for attackers. We may see the rise of the modern day pickpocket. After all, attackers follow the money, so if Apple puts your money ‘on’ a watch, it suddenly becomes a very interesting target.”
However, Mark Prior-Egerton, solutions marketing manager at The Logic Group, said that a lot has been done to allay security concerns about NFC in recent years, since the launch of other mobile wallet solutions such as the Google Wallet and PayPal apps.
“The move towards host card emulation (a technology that emulates a payment card on a mobile device using only software), for instance, has negated the common fear of ‘what happens if I lose my phone?’ This will help reassure consumers as they move to this new way of payments,” he said.
It is likely that the true security implications of Apple Pay will only become clear once iPhone 6 has launched – until then, the industry can only really guess at the potential pitfalls.
However, Apple has made it clear that the security of its mobile wallet is a top priority, and with buy-in from American Express, MasterCard and Visa, as well as many of the most popular US banks, the industry has a huge vested interest in making it work.