Let’s be honest, the digital netherworld has compromised every credit card payment system now in use. Systems using credit cards with magnetic strips have been broken for a long time. To the surprise of some, the POS heir-apparent in the United States, Chip and PIN, has also been exploited. That said, might it be best to bypass Chip and PIN, and focus on technology like the just-released Apple Pay?
Possibly. However, being brand new means untested in the real world. In-house testing and small trial runs are not the same. As proof, consider Apple’s recent recall of iOS update 8.01. So don’t leave the credit cards home just yet.
A game changer
Fortunately, security analysts have already kicked Apple Pay’s tires. Two gentlemen at FireEye, Aaron Cherrington and Greg Day peeked under the hood. The two analysts then published their findings in the report Apple Pay: A Security Analysis. The paper started out upbeat, but it did not take long before the proverbial “if” qualifier surfaced. The authors wrote, “If Apple can implement its Near-Field Communication (NFC) payment system correctly, it can absolutely increase security, guarding against the disastrous types of credit breaches that have dominated headlines.”
The report went on to say using NFC for secure mobile payments could be a game changer, but the authors hedged once again. Cherrington and Day said, “That’s not the only possible outcome. As NFC payments become more popular, it may force new innovation and inspire more creative techniques for credit card payments.” There’s that word “new” again.
How Pay works
Before discussing security, let’s step through what a transaction using Pay looks like.
Step one: Pay is opened on the smartphone.
Step two: The NFC tap connection is made between the NFC POS terminal and the smartphone.
Step three: The NFC POS terminal connects to Pay on the iPhone and selects the card information designated by the buyer. To clarify this point, the authors added, “The actual credit card number is not stored in the phone, rather it is stored as a Device Account Number. During the transaction, that number is combined with a secure transaction code, and must be authorized via the fingerprint scanner on the iPhone 6. (On the iPhone 5, a PIN is used for approval.”
Step four: The Secure Element chip (part of the phone’s NFC hardware) validates the transaction, and the user’s authorization is transmitted to the NFC POS terminal.
Step five: Next, the purchase information moves through the merchant’s system, and forwarded to the acquiring bank.
Step six: The acquiring bank verifies the merchant and places the transaction data on the payment-processing network.
Step seven: The payment processor (Visa, MasterCard, etc.) matches the transaction data (purchase information and Device Account Number) to the buyer’s credit card account.
Step eight: The purchase is processed, and a verification transmitted back through the system to the POS device.
Apple Pay’s built-in security
Put simply, using NFC and a different credit payment methodology made the entire process more secure. The differences are:
● No credit card information is exchanged.
● Each purchase requires a new transaction number. The report explained, “Unlike a traditional credit card, a new string of numbers is created for each purchase, in lieu of transmitting the user’s card information.”
Apple Pay and potential security issues
The report was optimistic, yet the authors also wanted to address what they see as potential security issues:
● User authentication: Apple Pay uses biometrics, a logical choice. Yet, it took just two days for attackers to bypass TouchID used on the iPhone 5.
● Validation of mobile application: Cherrington and Day consider entering the user’s credit card information into Passbook, by taking a picture or typing, to be a weak link. Malware installed on the iPhone could capture the data and send the information to remote servers under the attacker’s control.
● Payment infrastructure services: The authors felt this part offered strong security, considering the volume of transactions processed each day. However, history has shown processors have been attacked. What happens when the bad guys get the data base containing user credit-card information and the Device Account Number?
A few questions
I had a chance to ask author Aaron Cherrington a few questions via email:
TechRepublic: What happens when a Pay-enabled iPhone is stolen?
Cherrington: Based on Apple’s public statements, there appear to be multiple levels of security for a lost phone. First, the credit card number is not stored in the device, rather it is stored as a Device Account Number, which would mean that a virtual representation of the credit card is stored in the mobile device, not the actual credit card number.
Second, the Device Account Number is stored in the Secure Element, which is a protected and encrypted portion of the mobile device; data recovery from this area would be extremely difficult if data storage in the secure element is implemented correctly.
Third, Apple has introduced two new functions for the iPhone in case the phone is lost. Lost Mode is used by the owner to remotely place the phone into a mode where the data is inaccessible. Additionally, they have created a second function where the iPhone can be remotely wiped, and all owner content is removed.
TechRepublic: What do you consider to be Apple Pay’s major strength?
Cherrington: Apple Pay and other NFC payment systems greatest strength are improving the user experience while, at the same time, improving security. In the past, vendors either increased security or improved the user experience, but not both.
Cherrington and Day appear to be encouraged by Apple Pay. They said, “It is likely that hackers will not give up their craft, but rather redirect their efforts toward the next weakest link in the chain.”