ApplePay, the new mobile payments service introduced by Apple this week, could ultimately set the security and privacy benchmarks for digital wallets much higher.
Even so, the hunt for security holes and privacy gaps in Apple’s new digital wallet has commenced. It won’t take long for both white-hat researchers and well-funded criminal hackers to uncover weaknesses that neither Apple nor its banking industry partners thought of.
Here’s a breakdown of the security and privacy issues stirred by Apple’s bold move into the digital wallet business.
Available on the new iPhone 6 and Apple Watch, ApplePay stores your Device Account Number on a dedicated chip. The devices then use Near Field Communication (NFC) to send a simple token, instead of the full credit card account number, to the merchant’s NFC-enabled point-of-sale register.
“This allows an ultra-secure payment,” according to Anthony Antolino, business development officer at Eyelock, a biometrics technology vendor. “The only remaining concern is keeping the smartphone under your control.”
Apple tightens control over who can use each device by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into ApplePay. This new approach keeps personal information on the device, instead of moving account data into storage servers within easy reach of thieves. The hacks of big merchants in the United States and Europe, including Home Depot, Target, P.F. Chang’s and Neiman Marcus, show how adept data thieves have become at attacking stored data.
How ApplePay Improves Security
ApplePay validates a “data-centric security model,” argues Mark Bower, product management vice president at Voltage Security.
“The payments world needs to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data,” Bower says. “Tokenized payments reduce the risk of data breaches and credit card theft.”
Mathew Rowley, technical director at security consultancy NCC Group, observes that the U.S. payment card industry continues to require minimal security checks in authorizing credit and debit card purchases.
“Things like chip-and-PIN and two-factor credit cards have been implemented in other countries, but the U.S. seems to be behind the curve,” says Rowley. “Any additional logic built into the process of making payments will make it more secure.”
How ApplePay Introduces Risks
Adding a mobile wallet function to the latest iPhone gives criminal hackers more incentive and opportunity to find fresh vulnerabilities, says Mike Park, managing consultant at Trustwave.
“Any new additions and functionality to a platform, even ones meant to enhance security, can expand the attack surface,” says Park. “With the introduction of this type of functionality into a platform, this makes every device a possible target.”
The more popular ApplePay becomes, the more likely cybercriminals are to devote resources to cracking it. Research from legitimate sources is already available showing how to hack into NFC systems.
It’s probable that elite criminal hackers “are looking to steal identities and mass-harvest payment card information as they do in other platforms and verticals now,” Park says.
One simple crime would be to target Apple devices for physical theft. Another is to figure out how to remotely access and manipulate ApplePay accounts. “The weakest link is the consumer,” says Alisdair Faulkner, chief products officer at ThreatMetrix. “And ultimately a web page with a username and login, like iCloud, now has an unprecedented amount of information about you backed up into the cloud.”