Executive Perspectives

Apple Pay: A Security Analysis

 Has Apple taken a bite out of hackers’ arsenals? The company is betting on it. Its recent announcement about a new secure payment option has the retail and tech worlds buzzing. If Apple can implement its near-field communication (NFC) payment system correctly, it can absolutely increase security, guarding against the disastrous types of credit breaches that have dominated headlines. Being able to rely on NFC for securely making mobile payments could be a game changer in the current environment of data breaches. But that’s not the only possible outcome. As NFC payments become more popular, it may force new innovation and inspire more creative techniques for credit card payments. Apple is at least the third major player to enter into the NFC payment market, and it now seems increasingly likely that the demise of the antiquated magnetic strip credit card is underway– which also, ultimately, means more a challenge for hackers.

History Lessons

NFC has been around in the mobile payment arena for a while. In September 2011, Google entered into the market with its product Google Wallet. However, its rollout to Android phones and adoption was stifled by the cell phone carriers, resulting in only a small number of phones that could use Google Wallet. The issue stemmed from the fact that the Android phones used something referred to as a Secure Element (SE), which is where the NFC payment system stored the financial data in protected memory.  Due to the use of the SE, wireless carriers requested that the Google Wallet application be blocked. This appeared to be a thinly veiled attempt to give the carriers time to develop their own payment system. In late 2010, Verizon, T-Mobile and AT&T created a joint venture called ISIS Wallet, designed to also do NFC payment systems (the platform has recently rebranded under the name Softcard). However, their rollout was slower than Google’s, only offering a pilot rollout by mid-2012. While this activity between Google, the carriers, and ISIS continued, Apple chose to initially move towards iBeacon. iBeacon is a first step towards proximity-based transmitters based on Bluetooth 4.0, and was believed to be Apple’s initial offering in the wireless point of sale offering. However, the technology never caught on as a payment platform. Both Apple’s and Google’s initial offerings met resistance, though both companies remained undaunted and worked to improve their respective platforms. Google’s engineers have worked around the SE issue by using Host-Based Card Emulation available in Android 4.4. Apple moved off of the iBeacon and moved towards NFC based payments, now called Apple Pay.

How Does Apple Pay Try to Stay Secure?

Technology-wise, the back-end architecture is ready to support this change. Over the past few years, several businesses, including McDonalds, have upgraded their electronic Point of Sale (POS) systems to allow faster payments through touch-less NFC readers. The Apple Pay process works like this: after you launch the payment application on your phone you will tap it on the credit card terminal to make an NFC connection. The device securely connects to the payment system and selects a credit card already stored in the phone. The actual credit card number is not stored in the phone, rather it is stored as a Device Account Number. During the transaction, that number is combined with a secure transaction code, and must be authorized via the fingerprint scanner on the iPhone 6. (On the iPhone 5, a PIN is used for approval.) The SE chip validates the transaction, relaying your authorization to the NFC modem. The transaction information goes to the merchant, who sends it to the acquiring bank, who vouches the information on behalf of the merchant.  That information is then sent from the acquiring bank to the payment processing network.  The payment processor (Visa, MasterCard, etc.) then has means to determine the account information, the credit card being used, and ensure that the transaction security code is valid.  Because the payment processor is accessing the device data, Apple has no record of what credit cards are being used, or how.

Credit Cards are a Target

As the media has covered in depth, hackers have placed a bulls-eye on American retailers. There’s a good reason for that: that’s where the credit cards are. At the end of 2013, there were 1.2 billion debit, credit, and pre-paid cards circulating in America – more than any other region. Other developed countries have migrated to chip-and-PIN technology, whereas the United States relies nearly exclusively on magnetic strip cards, which is much more valuable for hackers because of their ease of use by criminals. Hackers cost global payment-card losses of $11.3 billion in 2012 (including retailers and card issuers), and the U.S. accounted for 47% of that.

Credit Cards - US

So How Secure is Apple Pay?

By nature, NFC payments should be more secure. Unlike a traditional credit card, a new string of numbers is created for each purchase, in lieu of transmitting the user’s card information. This security element makes it extremely difficult for hackers to use a stolen number for any other purposes. In a traditional model, the merchant must accept the credit card information, even if it is encrypted. In doing so, the merchant must accept the liability of holding and processing the credit card number. However, NFC payments make skimming credit card data more difficult using current hacker techniques. Because a card is not swiped during the transaction, there is no way to introduce a skimmer to capture the magnetic credit card data. Additionally, this would also mitigate the threats from memory scraping malware such as BlackPOS or Dexter. It may be possible at some point in the future that a small antennae placed hear the NFC reader might be able to capture the communication between the NFC reader and the device. However, because the hacker would only capture the Device Account Number combined with the transaction code, it is highly unlikely that an eavesdropped communication could be reused malicious purposes. The process should deter hackers looking for credit card data from merchants who only use NFC-based payments because they will only handle the Device Account Number and the secure transaction information – not the credit card number. Even if threat actors are able to access the retailer’s network, the one-time-use-only nature of the information makes it essentially useless for their purposes. And at this point, it is unclear if a retailer will even store such information at all. Of course, we can possibly expect an adoption time where they will use NFC-based payments as well as the traditional magnetic-based credit card data.

What About the Future?  

Moving forward, mobile payment security will rely on three components: user authentication, validation of mobile applications, and third-party payment processers. First is authentication. Apply Pay uses biometrics for authentication. However, this is still an emerging technology as demonstrated when the iPhone 5S Touch ID could be bypassed just two days after launch. While convergence is the key value, it also proves to be one of the key risks that comes with these new forms of finance. While we look at the individual components and the vulnerabilities and risks they bring, we must also look at the process as a whole. Second, we must consider third-party apps and malware that may negatively impact Apple Pay. While Apple may not be opening Apple Pay up to third parties, we have previously observed malware in nearly every mobile environment. In this case, the credit card number may be vulnerable when being entered into the mobile device. The credit card information is entered into the Passbook by taking a picture of the credit card, or by manually typing it in. This is the time the data is most vulnerable, as malware may attempt to capture the image used, or capture the credit card information that has been manually entered. Finally, there are the payment infrastructure services, which typically have strong security considering the volumes of money processed through them. As POS systems move towards NFC payments, there will be fewer magnetic-based card credentials available on merchant networks. It is likely that hackers will not give up their craft, but rather redirect their efforts toward the next weakest link in the chain.

Final Thoughts  

Consumer fraud is a massive market. We must expect those who participate in online consumer fraud to look to this new technology space to maintain their crime revenue streams. Add the popularity of shopping and banking on smart devices, and you clearly see a convergence point for future criminal focus, whether recreating traditional fraud in an evolving environment or identifying new vulnerabilities and opportunities. At the moment, though, it appears Apple Pay and other NFC mobile payment systems in general offers enhanced security against traditional retail credit card breaches. As mobile payments continue to provide convenience and speed, the credit card as we know it will most likely evolve while we as consumers will increasingly rely on virtual wallets, payments, and accounts. As this shift in behavior occurs, we expect criminals to move with the trends and to continue to innovate or be shut out of the market.