
Apple Pay and adding complexity to payments systems

  • Posted on: October 22, 2014
  • Posted in: Cloud Security, Current News, Industry News
  • Posted by: Trend Micro

In mid-October, Apple rolled out its iOS 8.1 update for iPhone, iPad and iPod Touch. Although the release contained mostly minor fixes and tweaks – e.g., reverting the default “Recently Added” photos album to its better known “Camera Roll” name – there was one big change: the introduction of Apple Pay as an addition to the stock Passbook app.

As its name suggests, Apple Pay is a way to pay for goods and services via Apple devices. The most straightforward channels for Apple Pay are the iPhone 6 and iPhone 6 Plus, both of which come with NFC chips that enable interaction with thousands of existing point-of-sale terminals. At the same time, Apple Pay is integrated as a service into apps such as Lyft that can use an Apple account holder’s card on file to pay for purchases.

There have been similar solutions, such as Google Wallet, for NFC-enabled Android phones in the past, but the fragmentation of the Android ecosystem, along with resistance from carriers, stalled any momentum it may have had. Plus, as Trend Micro’s Warren Tsai noted, consumers never seemed to trust the security of Google Wallet. Apple Pay could herald the entry of NFC, a hyped but so far underutilized technology, and mobile payments into the mainstream at a time when payment cards are already rapidly changing.

In many ways, paying with a phone is no more convenient than paying with a magnetic strip card. The purchaser still has to present something to the cashier. There are also the potential issues of battery life and software glitches that accompany any mobile device. However, with the current uptake of Apple Pay and its tokenization technology, and the impending arrival of the Europay, MasterCard and Visa (EMV) standard in the U.S., there may be real benefits to cybersecurity.

Apple Pay in the context of recent retail breaches
While Apple Pay has many possible applications, its acceptance at premier retailers is front and center to its appeal. If any industry could use a boost to its security reputation and image, it would be retail, which has been hit with multiple high-profile breaches over the past year, from Target to Home Depot.

Between them, these incidents have compromised hundreds of millions of payment cards and sown trepidation among consumers. Forty-five percent of respondents to a recent CreditCards.com survey reported that they would be less likely to use credit and debit cards at breached stores this holiday season.

So how could Apple Pay help? For starters, it’s much newer technology than magnetic strips, which are old enough to have been used in some of the earliest ATMs from the 1960s. It’s also technically simpler, at least in how it handles transactions.

A typical card swipe at a coffee shop like Starbucks or a restaurant like McDonald's requires card data to be bounced between the merchant, the payments processor and the bank. The process is usually secure, but with so many moving parts, the complexity alone is an issue, as it is for any security system.

Rather than relay all of the card information through the network, Apple Pay sends a unique token and security code. Card details are stored in a dedicated chip on the device. This arrangement offers the benefit of concealing the data from anyone except the processor and the bank – the retailer is out of the loop. As a result, there is less risk of privacy intrusions, such as the time Target used payment card transaction histories to accurately predict that a woman was pregnant.
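A simplified model of the token-plus-security-code flow described above, added here as an example; it is not from the original post and is not Apple's actual protocol. The `TokenService` and `Device` classes and the HMAC-based code are assumptions, chosen to show why a record captured at the retailer holds no card number and cannot be replayed or altered.

```python
import hmac, hashlib, secrets

def security_code(key, msg):
    # Per-transaction code: a MAC over the fields the bank side will check.
    data = f'{msg["token"]}|{msg["merchant"]}|{msg["amount"]}|{msg["counter"]}'
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()[:16]

class TokenService:
    # Processor/bank side (hypothetical): the only place token and card meet.
    def __init__(self):
        self._vault = {}   # token -> (real card number, device key)
        self._seen = {}    # token -> highest transaction counter accepted

    def provision(self, pan):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = (pan, key)
        self._seen[token] = 0
        return token, key  # the key is held in the device's dedicated chip

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "declined: unknown token"
        pan, key = entry
        if not hmac.compare_digest(security_code(key, msg), msg["code"]):
            return "declined: bad security code"
        if msg["counter"] <= self._seen[msg["token"]]:
            return "declined: replayed transaction"
        self._seen[msg["token"]] = msg["counter"]
        return "approved for card ending " + pan[-4:]

class Device:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, merchant, amount):
        self._counter += 1
        msg = {"token": self.token, "merchant": merchant,
               "amount": amount, "counter": self._counter}
        msg["code"] = security_code(self._key, msg)
        return msg         # everything the retailer ever sees

def demo():
    service, pan = TokenService(), "4111111111111111"  # constructed test number
    sale = Device(*service.provision(pan)).pay("coffee-shop", "4.50")
    # Original sale, the same record replayed, then the amount altered.
    return (service.authorize(sale), service.authorize(dict(sale)),
            service.authorize({**sale, "amount": "450.00"}), pan in str(sale))
```

`demo()` returns the outcome of the genuine sale, a replay of the same record, a copy with the amount changed, and whether the card number appears anywhere in what the retailer received.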

Overall, Apple Pay is a lot different under the hood than the current payment system as well as competitors like Google Wallet and the carrier-sponsored SoftCard. Can it make retail safer and curb the recent spike in breaches?

Tradeoffs of Apple Pay: Are there any security risks?
As we mentioned above, there are a few convenience tradeoffs when moving between a card and a phone, such as increased reliance on short-life batteries and connectivity when making a transaction. Overall, though, Apple Pay seems technically sound. The issue may instead be with the amount of pressure that cybercriminals may put upon it and how they use it in scams.

Apple Pay will undoubtedly be a prime target, given the type of information it deals with. iOS device owners should take more precautions than ever to protect their phones and use features such as screen lock and remote wipe. They should also be wary of the broad range of tactics that attackers use to try and infiltrate the operating system.

Trend Micro profiled some of these risks recently in its “Poisoned Apples” document. For example, iCloud wasn’t really “hacked” so much as it was penetrated using logins scraped from phishing sites. There may be attempts at harvesting information from Passbook or getting consumers to enter card numbers on websites.

Beyond Apple Pay itself, there’s the risk of many different and incompatible payment technologies becoming mainstream. Though it works on standard NFC technology, Apple Pay is already distinct from Google Wallet et al. Just as developers in the 1990s had to jump through hoops to create software that would run for both Windows and Mac OS, merchants may find themselves having to keep up with a range of payment techniques. EMV cards are set to become more prevalent in 2015 and now there’s the nascent mobile payments ecosystem.

“Being that this is Apple, everything will be closed off,” Armando Orozco, senior analyst at Malwarebytes, told CIO. “As other vendors adopt similar technology, merchants will have to continually adopt the new technologies in order to support the different methods. The more variables you add to the software, the more potential for mistakes.”

It’s still the early days for Apple Pay and for mobile payments in general, many of which have so far been limited to simple code scanners like the Starbucks and Dunkin Donuts mobile apps. Paying for everyday goods could soon become a lot more complex, though, and consumers and organizations alike will need to be prepared with comprehensive network security.
