Apple Pay: Introducing (Secure) Mobile Payments?
One of the biggest announced features of the newly released iPhone 6 and 6 Plus is Apple Pay. This is Apple’s attempt to popularize mobile payments, which have been around in some form for years. For example, Google Wallet has been around since 2011. NFC (Near Field Communication) contactless payments have been around in some form for more than a decade:
Figure 1. MasterCard contactless payment terminal
However, Google’s efforts have not met with much acceptance from consumers. The end users do not believe that these ecosystems are secure and private, and neither are they always easy to use. A 2013 survey of smartphone users indicated that security was the biggest concern surrounding mobile payments.
So, Apple has a big opportunity to make mobile payments mainstream if they get Apple Pay right. Apple entering any new market is always significant, as their brand allows them to gain a foothold both in the market and in the minds of consumers.
At the iPhone/Apple Watch launch event, the broad outlines of how Apple Pay would work was demonstrated. NFC in combination with Touch ID would be used to create a secure and easy to use mobile payment system.
The critical information in the credit/debit card such as card number, the expiration date, and the security code are all stored in the iOS Passbook. This information is tokenized, encrypted, and stored in a dedicated chip called the Secure Element.
Figure 2. Elements of Apple Pay
During transactions, only the tokenized information and a dynamic transaction code is transferred between the Secure Element and the merchant’s payment terminal (via NFC). Apple made clear that they do not see the actual transactions, going as far as saying:
Apple doesn’t know what you bought, where you bought it and how much you paid for it. The transaction is between you, the merchant and your bank.
In theory, this should address concerns about privacy. In addition, this design reduces the risks of a lost device. If the iOS device is lost, there is no need for any associated credit cards to be cancelled: the user can just remotely disable mobile payments via Find My iPhone.
What about the broader ecosystem? Mobile payment systems by other vendors (like Google Wallet) have faced resistance from telecom providers, who have their own systems they’d like to promote.
Instead, Apple bypassed them and worked directly with the credit card networks as well as the banks. Many high-profile US stores have already signed onto Apple Pay and will roll it out to their stores. Online stores and mobile apps will also include support for Apple Pay.
Figure 3. Merchants that are part of Apple Pay rollout
All this may make Apple Pay a significant player in mobile commerce. However, success would also attract cybercriminals! Yes, Apple Pay appears to be secure, and had it been in place, POS attacks like those that hit Home Depot recently wouldn’t be as severe.
However, until Apple Pay is fully rolled out we cannot fully say whether it is secure or not. Every aspect of the Apple Pay ecosystem – the device, the payment process, Passbook, and NFC – all these will be carefully scrutinized by attackers trying to breach them. In addition, the existence of Apple Pay itself will trigger attacks that use it as social engineering bait.
Threats to Apple Pay aren’t the only ones that Apple users may encounter. Phishing attacks, data breaches, and even jailbreaking are some of the incidents that may put the security of Apple devices severely at risk. For information on these threats and suggested countermeasures, you may read our Monthly Mobile Report, “Poisoned Apples: A Look into Recent Threats That Affected iOS Users“