You’re only as secure as your weakest link. That bit of wisdom has hit home for Apple Pay of late. Fraudsters have wasted no time finding and exploiting the mobile payment system’s weak link to their advantage.
The weak link is not in the transaction side of things. That part, as I’ve described, still appears to be quite solid, thanks to Apple having taken heed of a myriad of security architectural principles, like keeping the actual credit card account number out of the view of merchants.
What the fraudsters have gone after is the process of installing a credit card into an Apple Pay-equipped iOS device. And that part of the process is implemented by the issuing banks, not by Apple.
In order to use Apple Pay, the user (or the fraudster, it turns out) must enter pertinent information about her credit or debit cards. In addition to the static card information from the user, Apple provides the issuing bank with some low-level information on the user, such as the device’s name and location. But when a fraudster gets the card information in conjunction with a hijacked Apple iTunes account, all of that information too can be spoofed, thereby allowing fraudsters to enter their victims’credit card data into an iOS device.
Once the credit card data is entered and accepted (by the banks) into Apple Pay, it becomes as powerful to the fraudster as a physical card. It can even then be used at any of the brick-and-mortar companies that accept Apple Pay because they will think the fraudster has possession of the card. This is a game-changer for the fraudsters and gives them more opportunities than they were previously accustomed to.
See why is this a big deal? Previously, with most stolen credit card account data, fraudsters were largely limited to online transactions and other “card not present”forms of payment. Yeah, they could generate fake physical cards, but that upped the price of attack as well as the likelihood of getting caught.
I’ve used my iPhone 6’s Apple Pay feature dozens of times at merchants where it’s accepted, both in-store and online. I’ve loved the ease of use and the relative safety of my transactions. But that darned weakest link is still a problem for Apple and its credit card bank partners.
When installing several of my credit and debit cards on my iPhone, I noticed immediately that there were subtle but important differences among the cards I use from various banks. For example, I could register some cards by simply entering the information on my cards, while others required a callback to my home phone (presumably using the number known to my banks) to provide me out-of-band a random number to enter in the process.
Banks haven’t been talking about this publicly, so there’s no way to know which banks’ cards have had problems. But you just have to go back to the idea about the weakest link. I have to suspect that it’s largely the ones whose card installation processes have weaker identification and authentication procedures that have had the most trouble. And that’s easily fixable. Since implementation procedures are up to the banks, I expect that more of them will adopt stronger authentication processes before long.
All in all, I’m still optimistic about Apple Pay’s security. I’ll still choose it over mag-strip plastic. During the recent spate of compromised Starbucks accounts, I was cautiously optimistic that my account wouldn’t be among those affected. Why? Because I use Apple Pay for reloading my Starbucks card, via the service that Starbucks recently added to its iPhone app. Turning on that feature in my Starbucks app keeps my credit card account data off of Starbucks’s back-end servers, so I’m confident I won’t be among the victims of these attacks.
Further, the banks themselves are confident that the tokenization architecture that Apple Pay uses is indeed a strong link in the chain. That piece of the chain remains unbroken.
So the real question we should be asking is, “What’s the next weakest link?” In other words, if all the Apple Pay banks implement strong identification and authentication into their processes, what will be the next link of the chain to be broken? The fraudsters aren’t going to give up, after all. I don’t know the answer to that question, but I sure hope that all the network-level communications between an iPhone and the point-of-sale terminals are strongly encrypted, with equally strong mutual authentication between both endpoints.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.