A Thing
The Green SheetGreen Sheet

Tuesday, October 7, 2014

Is Apple Pay secure enough?

It seems nearly unanimous that the payments industry is behind Apple Inc.'s mobile payments platform, Apple Pay. That confidence largely rests on the security apparatus Apple erects around mobile payments conducted with the newly launched Apple 6, Apple 6 Plus and the first generation Apple Watch. But is that confidence warranted? Matanda Doss, ‎Chief Executive Officer at gateway operator 5th Dimension Logistics LLC, is not so sure.

Doss told The Green Sheet that Apple Pay's combination of near field communication (NFC) technology, transaction tokenization procedures, data storage on the secure element embedded in mobile devices, and Touch ID biometric authentication makes for a secure system, but only up to a point. Doss said no security system is infallible and that when the cornerstone of Apple Pay involves highly sensitive and personal fingerprint data, the price of user convenience may be too high.

"The reason hackers hack is for the value of the information that they can collect," Doss said. "Credit cards are hacked a lot more than library cards because of the resale value. And so at the point that you start digitizing your biometrics, they become something very valuable in terms of hacking. And you'll see lots of energy spent on trying to get that digitized information."

Touch ID vulnerability

Doss pointed out that Touch ID on the iPhone 6 has already proven to be hackable. The brute-force method shown in a YouTube video involves confusing the software through use of a fake fingerprint on the sensor but hardly seems like a practical way for fraudsters to steal data. And yet, when biometric data is involved, the stakes are raised substantially.

"If I stole your credit card today, you would make a call and that card would be invalidated going forward forever," Doss said. "That's not true with your biometric data. If I get ahold of your fingerprint, who are you going to call? And how are you going to stop that from being used a year from now or five years from now as biometrics become more and more pervasive in the market?"

Stolen biometric data could be used not only to drain bank accounts but to forge passports in high-powered identity theft schemes. "Creating a fake ID, a fake passport, and crossing a border, all of a sudden now you have a biometric match with a counterfeit passport ID and you're moving across borders unbeknownst to our government," Doss said. "So that's the scary part."

Doss noted that the security on Apple devices is greater than on rival Android devices and that Apple's closed ecosystem makes it harder for fraudsters to infiltrate Apple's marketplace with malware. However, Doss still questions whether Apple's security is enough to ultimately protect biometric data.

"How successful have hackers been in getting into desktop computers with malware, viruses and things like that?" Doss said. "Your phone is no different. As a fact, my phone is my computer most of the time.

"And so that information being stored on the device is just as fertile ground for hacking as your home PC of your work PC. And it's just a matter of time before someone puts their mind to it to put some sort of virus or malware on a phone that then would start pulling that data and sending it places that you don't want it to go."

Cart before the horse?

Doss believes that Apple may have leapt too soon into biometric-based payments authentication. The tech giant might have been under shareholder pressure to reclaim the mantle of innovation that has slipped from Apple in recent years, according to Doss.

"I think it's a calculated risk by them," Doss said. "Android and Google have done a good job of pushing the envelope. And for someone who used to be a leader, Apple finds itself sometimes playing catch-up."

Every September, Apple releases new hardware and software, and to great fanfare. But the downside to this timetable is that it may have put the proverbial cart before the horse when it comes to biometric authentication.

"I think that very well could be," Doss said. "You don't see Android going there yet. And the question is why. They certainly have the capability. They had NFC before Apple did. And you just haven't seen Android go in that direction and they're better than 50 percent of the mobile market. So why haven't they gone there?"

Exploiting that moment in time

As the CEO of a payment gateway that focuses on security and fraud prevention, Doss understands the fraudsters' mindset and how they search networks and systems for "a moment in time where there's a point of exposure – that's what hackers would be looking to exploit."

In the case of Apple Pay, Doss can think of multiple scenarios hackers will try, if they haven't already. One attack would involve malware that would "skim" the biometric data when Touch ID is activated. Another attack vector could focus on that miniscule amount of time before Touch ID encrypts data, if such a moment exists.

"The moment you touch your phone with your fingerprint, what if they are stealing the information before it is ever encrypted?" Doss said. "What if they were stealing information just as it is being entered into the phone before it hits the encrypted chip [embedded in the phone]?"

Doss compared such an attack to the security weakness exposed in Square Inc.'s dongle-based card reader. "[The data] wasn't encrypted going through the audio jack," he said. Square subsequently fixed the problem. "The way they solved the problem was to encrypt at the magnetic head before it ever went through the audio jack," Doss noted, and added an eyebrow-raising caveat: "You can't encrypt at the head when you're doing a Touch ID [transaction]."

Doss said 5th Dimension will offer Apple Pay functionality. However, he will not personally conduct mobile, contactless, in-store transactions using Apple Pay because he realizes his biometric data would be irretrievable if it were ever stolen. "I use Touch ID on my phone to access my phone," he said. "But going into the NFC payment world with it is not something I want to do." end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2022 2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing