The Green Sheet Online Edition
October 27, 2014 • Issue 14:10:02
Is Apple Pay secure enough?
It seems the payments industry is behind Apple Inc.'s mobile payment platform, Apple Pay. That confidence largely rests on the security Apple provides for mobile payments conducted with the iPhone 6, the iPhone 6 Plus and the first-generation Apple Watch. But is that confidence warranted? Matanda Doss, Chief Executive Officer at gateway operator 5th Dimension Logistics LLC, is not so sure.
Doss told The Green Sheet that Apple Pay's combination of near field communication (NFC) technology, transaction tokenization procedures, data storage on the secure element embedded in mobile devices, and Touch ID biometric authentication makes for a secure system, but only up to a point.
"The reason hackers hack is for the value of the information that they can collect," Doss said. "Credit cards are hacked a lot more than library cards because of the resale value. And so at the point that you start digitizing your biometrics, they become something very valuable in terms of hacking. And you'll see lots of energy spent on trying to get that digitized information."
Touch ID vulnerability
Doss pointed out that Touch ID on the iPhone 6 has already been shown to be hackable. The brute-force method demonstrated in a YouTube video involves confusing the software with a fake fingerprint on the sensor, and it hardly seems like a practical way for fraudsters to steal data. And yet, when biometric data is involved, the stakes are raised substantially.
"If I stole your credit card today, you would make a call and that card would be invalidated going forward forever," Doss said. "That's not true with your biometric data. If I get ahold of your fingerprint, who are you going to call? And how are you going to stop that from being used a year from now or five years from now as biometrics become more and more pervasive in the market?"
Stolen biometric data could be used not only to drain bank accounts but to forge passports in high-powered identity theft schemes. "Creating a fake ID, a fake passport, and crossing a border, all of a sudden now you have a biometric match with a counterfeit passport ID and you're moving across borders unbeknownst to our government," Doss said. "So that's the scary part."
Doss noted that the security on Apple devices is greater than on rival Android devices and that Apple's closed ecosystem makes it harder for fraudsters to infiltrate Apple's marketplace with malware. However, Doss still questions whether Apple's security is enough to ultimately protect biometric data.
"How successful have hackers been in getting into desktop computers with malware, viruses and things like that?" Doss said. "Your phone is no different. As a fact, my phone is my computer most of the time.
"And so that information being stored on the device is just as fertile ground for hacking as your home PC or your work PC. And it's just a matter of time before someone puts their mind to it to put some sort of virus or malware on a phone that then would start pulling that data and sending it places that you don't want it to go."
Cart before the horse?
Doss believes Apple may have leapt too soon into biometric-based payments authentication. The tech giant might have been under shareholder pressure to reclaim the mantle of innovation that has slipped from Apple in recent years, according to Doss.
"I think it's a calculated risk by them," Doss said. "Android and Google have done a good job of pushing the envelope. And for someone who used to be a leader, Apple finds itself sometimes playing catch-up."
Every September, Apple releases new hardware and software to great fanfare. But the downside of this timetable is that it may have put the proverbial cart before the horse when it comes to biometric authentication.
"You don't see Android going there yet," Doss said. "And the question is why. They certainly have the capability. They had NFC before Apple did. And you just haven't seen Android go in that direction and they're better than 50 percent of the mobile market."
Exploiting that moment in time
As the CEO of a payment gateway that focuses on security and fraud prevention, Doss understands the fraudsters' mindset. In the case of Apple Pay, he can think of multiple scenarios hackers will try. One attack would involve malware that would "skim" the biometric data when Touch ID is activated. Another attack vector could focus on the minuscule amount of time before Touch ID encrypts data, if such a moment exists.
Doss compared such an attack to the security weakness exposed in Square Inc.'s dongle-based card reader. "[The data] wasn't encrypted going through the audio jack," he said. Square subsequently fixed the problem. "The way they solved the problem was to encrypt at the magnetic head before it ever went through the audio jack," Doss noted, and added an eyebrow-raising caveat: "You can't encrypt at the head when you're doing a Touch ID [transaction]."
Doss said 5th Dimension will offer Apple Pay functionality. However, he will not personally conduct mobile, contactless, in-store transactions using Apple Pay because he realizes his biometric data would be irretrievable if it were ever stolen.