Apple Pay was launched on Oct. 20 and, thanks to all the media excitement, you could be forgiven for thinking that it was the first mobile payment system to be introduced to the world.
In fact there are plenty of others, most notably Google Wallet and Softcard. Another system, called CurrentC, is being developed by a venture called Merchant Customer Exchange (MCX) and is due to be rolled out to 110,000 merchants in the U.S. in 2015. MCX is co-owned by a number of large retail chains, and CurrentC recently made the news when hackers reportedly stole email addresses from the company.
An issue with any new payment system is that when it is new, it is relatively untested. It’s only after the system has been in operation for months or even years that any vulnerabilities are likely to be spotted and fixed.
So what can we say about the security of Apple Pay so soon after its launch?
Apple Pay Weaknesses
One possible weak point involves using Apple’s Touch ID fingerprint recognition system to authenticate that you are the owner of the device making the payment. It’s a possible weak point because Touch ID can be bypassed relatively easily using fingerprints lifted from glass, security experts have found.
But David Emm, principal security researcher at Russia-based Kaspersky Lab, points out that criminal gangs seeking to steal money from payment systems tend to operate on a large scale. “If they wanted to subvert the system using this approach, then they would have to obtain lots of fingerprints which would be difficult,” he says. “It’s not something that you can do at scale.”
That means hackers will likely probe for other weak points in the Apple Pay payment system that can be more easily compromised.
Apple Pay uses a system called tokenization, which replaces information about credit cards with other data. That means that your credit card information is not stored on your mobile device – or on Apple’s servers, for that matter.
The exception to this is when you first enroll a credit card into the system. This is done by taking a photograph of the card or entering the card details manually. “This is a weak point in the process because this is the one time you interact with your card data,” says Bob Doyle, a security consultant at Massachusetts-based security company Neohapsis.
Credit card information could be harvested as it is entered by hackers using malware or exploiting misconfigurations or flaws in the iOS software. “Apple is certainly not immune to bugs, and it’s really almost inevitable that there are some in there,” he says.
This is illustrated by the fact that Apple actively works to prevent its iOS operating system being “jailbroken,” yet every version of iOS, including the current iOS 8, has been successfully jailbroken by enthusiasts who have found and exploited bugs in Apple’s code.
As yet there is no known malware that can steal credit card details from Apple Pay, and no operating system vulnerabilities are publicly known to exist. But that doesn’t mean such malware isn’t already under development, or that hackers aren’t actively searching for vulnerabilities in iOS that can be exploited to allow them to steal the information they are after.
Apple Pay uses near field communication (NFC) to communicate one-time transaction information (not credit card information) with retail point-of-sale (PoS) systems, and in theory this is another weak point in the system, says Doyle. “Adding NFC to a device introduces risk,” he says. “When there is a new communications system in a device, then there is an opportunity to compromise the device itself.”
But he adds that Apple Pay includes protections against replay attacks in which transaction details transmitted by NFC are intercepted by a hacker to be re-used later. Such protections make it difficult for a hacker to compromise the payment system using a technique such as attaching a hidden NFC receiver to a retailer’s PoS hardware.
Kaspersky’s David Emm points out that replay protection may make it difficult, but not necessarily impossible, for hackers to compromise Apple Pay at the point-of-sale. “People think up ingenious things, and they will certainly look at all the possibilities. Efforts to subvert the system will certainly go on,” he says.
“To overcome the onetime nature of data intercepted using an NFC receiver, hackers might attempt to use it to execute a transaction at the same time,” he adds. “You would effectively have a race condition (with hackers attempting to get their transactions through before the legitimate one). But this would be difficult because the transaction still has to go to the bank payment system, and the attacker wouldn’t have the necessary authentication data.”
Attempting to steal card data when it is entered into devices using malware, exploiting vulnerabilities in Apple’s operating system or attempting to compromise the payment system during NFC transmissions likely won’t turn out to be the primary focus for attackers, suspects Neohapsis’ Bob Doyle.
“I think what we will see is attackers shifting from merchant and consumer devices to attacks against payment gateways and payment networks themselves, like we saw in the recent attack on JP Morgan Chase,” he says. “The attack point will shift to banks’ back-end systems.”
These sorts of attacks are likely to more profitable, he believes.
Apple Pay vs. Other Mobile Payment Systems
How does Apple Pay compare to other mobile payment systems? CurrentC has not yet launched so it’s hard to say how secure it will prove to be, although it doesn’t store sensitive information in mobile devices’ secure elements. Instead, credit card data is stored in the cloud and a CurrentC app will generate a QR code that can be scanned to perform a transaction. Google Wallet and Softcard do use the secure element (like Apple Pay), and transactions are protected by a PIN.
A major difference between Apple Pay and Google Wallet comes down to who you are forced to trust, according to Doyle. “With Apple Pay, you trust Apple with the technology and your bank with your credit card information. With Google Wallet you trust your credit card and the technology to Google, so this does introduce a single point of failure that Apple Pay doesn’t have,” he says.
Although the actual transactions are not identical, with Google Wallet creating a virtual credit card while Apple Pay uses tokenization, “they are pretty much parallels (in terms of security),” Doyle adds.
When it comes to emerging payment methods like Apple Pay, perhaps the best way to look at it is not whether they are secure — as nothing is 100 percent secure — but whether using them is more secure than using credit cards. We know that the magnetic strip and signature system of credit cards used in the U.S. is not very secure at all – BI Intelligence estimates that credit card fraud in 2013 in the U.S. amounted to about $7.1 billion, more than half of all global payment card fraud costs.
When more secure credit cards with EMV chips (sometimes known as chip and PIN) become more commonplace in the U.S. in 2015, the rate of fraud is likely to fall. But even after the introduction of more secure credit cards in the U.S., Doyle believes that Apple Pay will prove to be more secure.
“Apple’s system is a clear enhancement over chip and PIN,” he says. “It’s a win for customers, and for retailers that choose to take it -which they really should.”
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.