Is the dawn of the age of ubiquitous e-payments finally here? Can we throw away our credit cards yet?
I wish! If you read my column regularly, you know that payment systems are a particular interest of mine. I’ve been holding out hope for a few years now that big improvements were just around the corner.
I’m a security-conscious guy, but my credit card accounts have been compromised three times in just the past couple of years. I try to be careful in how I use my cards, but the fact is that I have to use them a lot, all over the world. Given those circumstances, there doesn’t seem to be any way currently to ensure safety. Heck, the most recent compromise was of my fancy-pants EMV (Europay MasterCard Visa) card —the kind with a smart chip on it that is supposed to make it much more difficult for attackers to steal data. EMV is certainly not perfect, especially when the merchant processes it like any other credit card. That’s just what happened on a recent trip to Asia, where two merchants ran my EMV card’s magstripe through their payment terminals. Sure enough, bad things happened.
Despite the shortcomings of EMV, I’ll be glad when it’s widely adopted in the U.S. It’s coming, but slowly. Nonetheless, it’s not going to solve all of our problems.
Happily, some other developments are helping.
Payment data can be compromised at retailers both big and small, but the nature of the compromise is very different depending on the merchant’s size. With small-scale retailers, the threat is that someone, probably an insider, will simply snatch the relevant data (credit card numbers, for example). That affects one customer at a time. The high-profile compromises, of course, hit large-scale retailers like Home Depot and Target, where cyberthieves are able to access millions of accounts all at once. These attacks have succeeded by compromising firmware on payment terminals directly, thereby snagging account data during the payment process.
In both cases, the way to keep data safe is to keep it from prying eyes. For small retailers, this goal has been furthered by companies like Square, which have put credit card payments into the hands of even the smallest of merchants while paying attention to security. When a merchant uses a Square reader, it never sees the customer’s credit card account number and keeps no record of it. The payment is processed by Square, , which probably helped Square achieve compliance with PCI-DSS (the Payment Card Industry Data Security Standards).
Of course, Square and its competitors don’t serve big merchants, the ones whose data breaches make the headlines. But a similar idea — don’t let the merchant ever even see the credit card data — could help there as well. And Apple just might be giving us a glimpse of how this could work.
To some people, the announcement of Apple Pay was underwhelming. Bringing NFC (Near Field Communications) capabilities to the iPhone platform, enabling cardless payments, doesn’t seem earth shattering. After all, some Android devices have used NFC for a couple of years already.
But some of what Tim Cook said during the iPhone 6 announcement made me pay particular attention. If it was technically accurate, Apple Pay is reason to be cautiously optimistic that we have a new way forward to better security. Consider the following things about Apple Pay:
- Credit card account information is stored on the phone in a secure element, making the account information inaccessible directly to application software.
- Merchants are not given an account number directly, but rather a one-time usage code with which they can complete a transaction.
- Payments are authorized via fingerprint scans rather than a signature or PIN.
This trifecta of technical features could well accomplish the objective of keeping the real account data away from our adversaries.
In addition, with iOS 8, Apple claims to have stepped up personal privacy. Indeed, it says it can’t decrypt encrypted data stored on an Apple device, even if presented with a lawful subpoena.
Though the details are not entirely clear yet, the preliminary indications are that Apple has come up with a pretty slick architecture. Of course, the scrutiny that will come with actual use of the new iPhones could change the perception, and it wouldn’t surprise me in the least if someone were to find a problem or two.
Nonetheless, it seems as though we might finally be looking at a consumer-friendly payment system that keeps our accounts from being compromised by unscrupulous vermin.
And of course, for a system like this to succeed, merchants need to adopt it. Apple’s legendary marketing muscle could make all the difference. Already, several very large merchants, including Macy’s, have announced that they’ll be Apple Pay early adopters.
I’m looking forward to giving my own i6 Plus a run for its money. I’m hoping it can keep the bad guys from giving me a run for my money.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.