Apple just promised to revolutionise how we spend money. More specifically, the company announced Apple Pay, a new mobile payments platform that lets you buy things with your iPhone (or smartwatch). Sounds cool! But given recent high-profile security lapses, it’s fair to wonder: Is it safe?
Obviously, Apple thinks so. In announcing Apple Pay, chief executive Tim Cook said that it solved the gaping security holes in our existing transaction system. “We’re totally reliant on the exposed numbers and the outdated and vulnerable magnetic-stripe,” he said. He’s not wrong, though mobile payment alternatives have existed for years. And the system that Cook went on to describe sounds great. The problem is that — like most mobile payments that came before it — Apple Pay still relies on underlying technology that’s far from secure.
Apple’s approach is a little bit different than mobile payment systems you may already know. To pay for something, you wave your iPhone or Apple Watch in front of a beacon, and encrypted data is transferred using near field communication (NFC). Competing platforms like Square and Google Wallet work like this, too, but Apple Pay differentiates itself by not using actual credit card numbers in transactions, and by storing the most sensitive financial data on a special, extra-secure partition of the iPhone’s storage called Secure Element.
Apple Pay gives you the option to verify the transaction using Touch ID — your fingerprint — which is arguably the most secure way to ensure that the iPhone’s owner is the one doing the spending. The buyer can also enter a PIN.
The two-step process is similar to the chip-and-pin system used in Europe that the U.S. has been waiting for for years. The chip in those “smart” cards stores encrypted financial data, and it’s transferred to the seller using a secure device.
The whole Apple Pay process is also streamlined, so that you never need to take out your wallet or — with newer iPhones, at least — type in a PIN. Secure Element supposedly keeps hackers from accessing your private financial data, and your credit card information is not stored on Apple’s servers. Apple doesn’t even know what you’re spending your money on.
Put simply, the heavy encryption used to transmit this information and the lack of financial data on servers that can be hacked are supposed to make Apple Pay even more secure.
Lastly, the physical device itself isn’t necessarily a liability. If you lose your iPhone, you can disable Apple Pay remotely using Find My iPhone. And of course, if your phone uses Touch ID to verify transactions, you don’t really need to worry about a thief using it buy stuff. It all sounds very neat and appealing!
I want to believe Apple when it says its digital wallet is secure, but a sad truth remains that hackers are going to hack. And given the recent breach that exposed celebrities’ naked photos on Apple devices, it’s clear that Apple Pay will be a popular target.
Again, it sounds like Apple did a good job designing a system that keeps your financial data out of hackers’ reach. Removing credit card numbers from the transaction is a really good idea. Heck, even the phrase “Secure Element” instills confidence. But as security experts from Kaspersky Labs told me, there are still a number of problems with Apple Pay that are immediately apparent.
First of all, several of the gates between a hacker and the phone owner’s financial information can be broken down. Apple Pay is connected to iTunes accounts which we already know have vulnerabilities. It’s also been proven that Touch ID is hackable. And despite Find My iPhone protection, the phone itself can still be a risk. “The bad scenario is when the device is stolen or jail broken,” Kaspersky’s Dmitry Bestuzhev told me. “Under certain circumstances and specific parameters [the device] can be broken too.”
The most worrisome point of vulnerability in an Apple Pay transaction, however, is the NFC transmission itself. Bestuzhev said that NFC transmissions are just like any other data transfer. “It sends and receives information which can be intercepted, he said.
This has been proven. A couple of years ago a former NSA analyst turned white hat hacker found a couple of really serious vulnerabilities in the NFC system. At the Black Hat conference, he demonstrated to a live audience how he could hijack an NFC-enabled device by simply waving a tag with an embedded NFC chip inside of it. The same kind of tag could also be used to send someone’s browser to a URL address, perhaps one that downloads malware onto the phone.
These aren’t problems specific to Apple Pay; you run the same risk with Google Wallet, Softcard, or any other mobile payment plan that relies on NFC. And while Apple has taken some steps to protect against that — including assigning unique codes to every transaction — there’s only so much you can do when the fundamental technology is vulnerable.
At this point, the most troubling element of Apple’s entry into the mobile payments market is what we don’t know. The company hasn’t revealed everything about what happens during these transactions, so it will take some time before we truly know how secure it is. You can bet that hackers will be looking for holes during that time, too.
Even Apple’s Pay’s use of unique codes could fall short of being a failsafe. “If criminals get to the unique numbers used in the iPhone secure element they might be able to initiate some fake transactions,” Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky, said. “But that will come down to implementation details not available at this time.”
How would they get those numbers in the first place? Well, just as ATM skimmers help crooks suck money out of people’s bank accounts by intercepting credit card numbers, NFC skimmers could snatch the unique Apple Pay codes. And because the system will be so widespread, you can bet a lot of hackers will by trying out different methods. “An NFC skimmer is as real as a classic ATM one,” Bestuzhev told me. “In the end it’s about traffic interception which was done for other standards/protocols too.”
Exploiting NFC isn’t common yet, as far as we know. But it’s certainly possible, and with millions of Apple customers suddenly rushing to pay with their phones, it’s going to be an increasingly clear target. That, combined with a spotty recent security record, should be enough to at least give you pause.
So Stick to Cash?
Here’s the sobering truth: Hackers and thieves want to steal your money, and they’re great at coming up with creative ways to do it. Indeed, Apple Pay does look more secure than most of the other options available to you now. But as the Kaspersky experts make very clear, where data’s being transferred, there’s always the risk that it can be intercepted and exploited.
It’s also not like your credit card is that much safer; until the US adopts the new chip and pin system, more traditional payment methods are just as scary as — if not more than — wireless.
Want to use a payment method that hackers can’t intercept? Try paper money. It’s hardly secure, but it’s got its perks. Put another way, it’s as secure as the tightness of your grip on a dollar bill, when someone’s trying to yank it out of your hand.