
Apple Pay security: Hope abounds, but questions linger

Security controls integrated into the new Apple Pay mobile payment system could strengthen the payment security ecosystem, but unanswered questions remain, like the ramifications of a lost iPhone.

The looming launch of Apple Pay and its promise of secure payments "in a single touch" is the latest attempt to use emerging technology to remake a U.S. retail payment infrastructure fraught with gaping security holes that have led to a series of massive breaches.

Despite Apple Inc.'s recent iCloud security compromise involving hacked celebrity photos and video, Apple appears poised to assume a leadership position in the emerging U.S. mobile payments market, even though security analysts and industry groups are already struggling to lock down a transaction ecosystem plagued by flaws at the point of sale.

The Apple Pay software enables payment card data to be transmitted from an iPhone to a payment terminal wirelessly via near-field communications (NFC). Though details remain unclear, according to Securosis analyst Adrian Lane, Apple Pay will not actually store payment data on the iPhone, but instead will rely on payment tokens to represent payment card data, providing a level of security abstraction.
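To make the "security abstraction" concrete, here is a small model of payment tokenization written for this page; it is an added illustration, not Apple's or any network's implementation, and every name in it (TokenServiceProvider, Device, the per-token HMAC key, the transaction counter, the remote suspend call) is an assumption of the model. It shows the three properties the article and its commenters care about: the merchant terminal never receives the card number, a captured transaction message cannot be replayed, and a token can be switched off centrally without touching the card.

```python
import hashlib
import hmac
import secrets


class TokenServiceProvider:
    """Hypothetical token vault (constructed for this example, not Apple's design).

    Holds the only copy of the real card number (PAN) and a per-token key.
    The merchant side of the protocol never sees either.
    """

    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_counter", "active"}

    def provision(self, pan):
        """Issue a device token for a PAN; the token and key go to the device."""
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0, "active": True}
        return token, key

    def suspend(self, token):
        """Remote disable, e.g. after the phone is reported lost."""
        self._vault[token]["active"] = False

    def authorize(self, token, amount, counter, tag):
        """Validate a transaction message forwarded by the merchant."""
        rec = self._vault.get(token)
        if rec is None:
            return "DECLINED:unknown_token"
        if not rec["active"]:
            return "DECLINED:suspended"
        expected = _cryptogram(rec["key"], token, amount, counter)
        if not hmac.compare_digest(expected, tag):
            return "DECLINED:bad_cryptogram"  # tampered amount or forged message
        if counter <= rec["last_counter"]:
            return "DECLINED:replay"  # same message presented twice
        rec["last_counter"] = counter
        return "APPROVED"


def _cryptogram(key, token, amount, counter):
    """Per-transaction MAC binding token, amount and counter (assumed scheme)."""
    msg = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    """The phone: stores the token and key, never the PAN."""

    def __init__(self, token, key):
        self.token, self._key, self.counter = token, key, 0

    def pay(self, amount):
        self.counter += 1
        return {
            "token": self.token,
            "amount": amount,
            "counter": self.counter,
            "tag": _cryptogram(self._key, self.token, amount, self.counter),
        }


def scenario():
    """Run one purchase, a replay, a tampered copy, and a post-loss suspend."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token, key = tsp.provision(pan)
    phone = Device(token, key)

    msg = phone.pay(1999)  # what the merchant terminal actually receives
    results = {"pan_visible_to_merchant": pan in str(msg)}
    results["first"] = tsp.authorize(**msg)
    results["replay"] = tsp.authorize(**msg)  # harvested copy presented again
    results["tampered"] = tsp.authorize(msg["token"], 99999, msg["counter"] + 1, msg["tag"])
    results["second"] = tsp.authorize(**phone.pay(500))
    tsp.suspend(token)  # owner reports the phone lost
    results["after_suspend"] = tsp.authorize(**phone.pay(250))
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The interesting property is what the merchant's record contains: a token, an amount, a counter and a MAC. Dumping that record from a compromised terminal yields nothing that clones a card or replays a purchase, which is the distinction the final comment on this page draws between EMV chip cards and tokenized payments.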

Apple is leveraging a chip-based security feature widely used on NFC-based networks in Europe called EMV (for Europay, Mastercard and Visa). Backers of the technology claim it could help reduce point-of-sale hacks that have plagued retailers like Target and Home Depot.

So far, Apple has lined up a decent list of retailers that will support Apple Pay, including McDonald's, Macy's and Whole Foods, along with the industry's biggest card brands: American Express, Mastercard and Visa.

But other large retailers have reportedly resisted Apple Pay, including Wal-Mart. The world's largest retailer -- along with Best Buy, Target and a lengthy roster of U.S. merchants -- is instead backing the retailer-owned Merchant Customer Exchange. The group claims its "CurrentC" mobile wallet app can be used at more than 110,000 locations.

Apple Pay: Hope for secure mobile payments?

While many note that the Apple Pay scheme is still too new to draw firm conclusions about transaction security -- Apple Pay won't be available until October -- security experts believe it has a better chance of succeeding than previous attempts by device makers to launch wallet services.

A key security concern is the inherent risk of transforming a consumer device, the iPhone 6, into a payment mechanism that not only stores a payment token, but also serves as the authentication platform via Apple's proprietary Touch ID fingerprint authentication feature.

The new phone's NFC antenna is said to allow users to make purchases by holding the phone near a contactless reader with a finger on the Touch ID button. Touch ID then verifies the purchase. It is believed the iOS app Passbook will store the token-based payment information.

Jonathan Cassell, a consumer electronics industry analyst with market researcher IHS Inc. in Englewood, Colo., noted Apple's penchant for "tight software and hardware integration," along with vast retail experience with iTunes, has allowed the company to amass millions of payment card data records via Apple ID, "which users can choose to simply add to Apple Pay."

Will lost iPhones threaten Apple Pay security?

Others are less sanguine, noting that Apple and other device makers still don't have a convincing answer for the most obvious security issue: What happens if a user loses his or her phone?

Apple said this week consumers could use iCloud's "Find My iPhone" feature to disable Apple Pay remotely. Apple CEO Tim Cook also stressed no payment information would be stored on iPhones or company servers. Observers said the new iPhone likely contains a token used for payments, but not a payment key that hackers could exploit.

Nevertheless, some security experts worry that even if Apple is acting merely as a conduit between retailers and credit card companies, the device itself may be Apple Pay's weakest security link.

"I think there are risks," said security specialist Dave Shackleford, principal consultant at Voodoo Security LLC in Atlanta, explaining that it's a step in the wrong direction to lower protections to the point where being able to answer an Apple ID security question is all that may be needed to compromise payment data.

Still, the iPhone has proven more resistant to viruses and hacks than Android phones, and Shackleford said Apple has demonstrated the ability to perform adequate security testing before releasing new consumer products. Apple Pay, he predicted, is "not going to be riddled with [security] holes coming out of the gate."

Apple Pay: Obscuring data a good step

Meanwhile, industry groups like the FIDO Alliance are embracing the efforts of Apple and other payment ecosystems in allowing customers to strongly authenticate in a simple and secure fashion.

Phillip Dunkelberger, CEO of Palo Alto, Calif.-based authentication vendor Nok Nok Labs Inc., a founding member of FIDO, called Apple Pay "definitely a step up from current credit card security."

While Dunkelberger and other security experts stressed that Apple has released few specifics on how its authentication scheme will be implemented, he said Apple Pay's ability to "obscure" users' identities and payment data was a "step in the right direction."

Apple said it wants to expand its payment scheme overseas as quickly as possible. That will be a challenge considering differing technology standards (iPhones are not as ubiquitous in Europe as they are in the U.S.) and regulatory regimes. Some of those hurdles could be overcome by the fact that Apple avoided proprietary security technology and is relying instead on industry standard technologies like NFC.

Apple Pay is "not a panacea, it is one part of a larger payment ecosystem," Dunkelberger stressed. "The devil is in the [implementation] details, the devil is in the ease-of-use details."

Apple Pay will be available in October as an update to its iOS 8, which is scheduled to debut Sept. 17.


I'm excited about the prospect of Apple Pay; the security sounds better than other solutions in the past. The obscuring of payment data, and the fact that you have to use a fingerprint to use Apple Pay, make me feel secure enough to want to use this.
Apple Pay seems to be the first real solution to a more secure form of electronic transaction. I stress the word "seems", since I see the following limitations: it is not yet out for consumers to use; only users of new Apple products like the iPhone 6, iPhone 6 Plus and iWatch can use it (hence initially a very small group of actual users); it is not vetted by consumers; etc. Many, including myself, will take a "wait and watch" approach to using it. So it will be a while before it is considered a "norm". While Apple may have truly broken the ice on this new possibility, it will have to make Apple Pay accessible through hardware not made by Apple too (web, other brands of smartphones, older iPhones, etc.). While I am optimistic about its success and a larger pool of consumers, I am not yet ready to place my bets.
There is a paragraph in this article: "Apple is leveraging a chip-based security feature widely used on NFC-based networks in Europe called EMV (for Europay, Mastercard and Visa). Backers of the technology claim it could help reduce point-of-sale hacks that have plagued retailers like Target and Home Depot." EMV cards would not have prevented HD- or Target-style attacks, since in EMV the payment information is available on the POS device, and therefore is available for cloning and replay. What is a true EMV benefit is that EMV raises the barrier for successful cloning of physical cards (cloning the chip as well as the magnetic stripe) harvested from POS devices. The tokenization which Apple Pay is supposedly employing practically isolates the POS and makes the payment information useless for cloning/replay. As EMV experience shows, EMV card numbers harvested from POS devices are being increasingly used to defraud "card not present" merchants, i.e., online. Apple Pay, if it implements tokenization properly, can solve this problem as well.