Apple Pay’s security pros and cons

Taking credit card numbers out of transactions is a helpful step that could alleviate the risk of giant data breaches, but that doesn’t mean the bad guys are going to give up and become accountants

Apple Pay Martyn Williams/IDG News Service

An iPhone 6 being used to make an NFC payment via Apple Pay

Apple Pay is up and running. I’m excited about that as a consumer but, naturally, wary about it as someone who works in the security field. So let’s consider Apple Pay from both perspectives — the consumer’s, and the security professional’s.

When I was deciding whether to get an iPhone 6, Apple Pay was the most persuasive feature. Apple Pay works (remarkably seamlessly) on the iPhone 6 and 6 Plus. It’s available to the iPhone 5 range of devices, but only in conjunction with the upcoming Apple Watch. And it can be used for in-app purchases on some iPads. But right now, the only way to get the full experience of Apple Pay in stores is with one of the newest generation of iPhones. Here’s how it works. You register your supported credit cards in the device’s Passbook app. When you want to buy something from a retailer that supports Apple Pay, you just point your device at the near field communication (NFC) payment terminal, and your payment information is delivered from your iPhone to the payment terminal over a radio frequency connection. Then you just do a fingerprint scan on your phone’s TouchID sensor to verify your identity. If all is OK, your phone vibrates and tells you the transaction was approved. It all can be done in a single motion. Note that you may still need to sign a receipt as well, depending on the merchant and the amount of the purchase.

It’s a piece of cake from the consumer perspective, the only tricky part being finding merchants that support the technology. Right now, they are few and far between, and the media gave a lot of attention when a few prominent retailers backed off from their plans to support Apple Pay. With a bit of luck, the situation will improve over time as more merchants and card issuers sign up.

So how about the security end of things? Let’s start with the good news. The clincher is that merchants don’t get access to your actual credit card account number; they only see your card’s“Device Account Number” (DAN), which is a (presumably) disposable account number. In the payment world, the DAN is a token that is calculated for each device. In a transaction, the DAN is combined with a one-time transaction ID, making it exceedingly difficult for an attacker to use your DAN via replay or on another device.

Further, if a retailer that you have done business with via Apple Pay is compromised, your card issuer should be able to assign you a new DAN without having to change your account number itself. This is an improvement over the current security that surrounds the use of credit cards in the U.S., though I’d be even happier if the DANs themselves were used only once and were random and dynamically derived, using a strong source of cryptographic randomness, like the iPhone’s crypto hardware. Perhaps that will come in Version 2.

To continue reading this article register now

8 highly useful Slack bots for teams
  
Shop Tech Products at Amazon