Apple Pay’s security pros and cons

Taking credit card numbers out of transactions is a helpful step that could alleviate the risk of giant data breaches, but that doesn’t mean the bad guys are going to give up and become accountants

An iPhone 6 being used to make an NFC payment via Apple Pay. (Photo: Martyn Williams/IDG News Service)

Apple Pay is up and running. I’m excited about that as a consumer but, naturally, wary about it as someone who works in the security field. So let’s consider Apple Pay from both perspectives — the consumer’s, and the security professional’s.

When I was deciding whether to get an iPhone 6, Apple Pay was the most persuasive feature. Apple Pay works (remarkably seamlessly) on the iPhone 6 and 6 Plus. It’s available to the iPhone 5 range of devices, but only in conjunction with the upcoming Apple Watch. And it can be used for in-app purchases on some iPads. But right now, the only way to get the full experience of Apple Pay in stores is with one of the newest generation of iPhones.

Here’s how it works. You register your supported credit cards in the device’s Passbook app. When you want to buy something from a retailer that supports Apple Pay, you just point your device at the near field communication (NFC) payment terminal, and your payment information is delivered from your iPhone to the payment terminal over a radio frequency connection. Then you just do a fingerprint scan on your phone’s TouchID sensor to verify your identity. If all is OK, your phone vibrates and tells you the transaction was approved. It all can be done in a single motion. Note that you may still need to sign a receipt as well, depending on the merchant and the amount of the purchase.

It’s a piece of cake from the consumer perspective, the only tricky part being finding merchants that support the technology. Right now, they are few and far between, and the media gave a lot of attention when a few prominent retailers backed off from their plans to support Apple Pay. With a bit of luck, the situation will improve over time as more merchants and card issuers sign up.

So how about the security end of things? Let’s start with the good news. The clincher is that merchants don’t get access to your actual credit card account number; they only see your card’s “Device Account Number” (DAN), which is a (presumably) disposable account number. In the payment world, the DAN is a token that is calculated for each device. In a transaction, the DAN is combined with a one-time transaction ID, making it exceedingly difficult for an attacker to use your DAN via replay or on another device.

Further, if a retailer that you have done business with via Apple Pay is compromised, your card issuer should be able to assign you a new DAN without having to change your account number itself. This is an improvement over the current security that surrounds the use of credit cards in the U.S., though I’d be even happier if the DANs themselves were used only once and were random and dynamically derived, using a strong source of cryptographic randomness, like the iPhone’s crypto hardware. Perhaps that will come in Version 2.
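A simplified model of the two properties described above (replay resistance and DAN reissue), added here as an example; it is not from the original column and is not Apple's or the card networks' actual protocol. It assumes an HMAC-SHA256 cryptogram over the DAN, a transaction counter and the amount, keyed with a per-device secret shared with the issuer; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, dan, counter, amount_cents):
    """One-time value binding the DAN to a single transaction (assumed construction)."""
    msg = f"{dan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Toy token vault: DAN -> [real account number, device key, last counter seen]."""
    def __init__(self):
        self.vault = {}

    def provision(self, pan):
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)      # stays on the device and at the issuer
        self.vault[dan] = [pan, key, 0]
        return dan, key

    def revoke(self, dan):
        self.vault.pop(dan, None)          # account number itself is untouched

    def authorize(self, dan, counter, amount_cents, cryptogram):
        entry = self.vault.get(dan)
        if entry is None:
            return "declined: unknown DAN"
        _pan, key, last = entry
        expected = make_cryptogram(key, dan, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if counter <= last:
            return "declined: replay"
        entry[2] = counter
        return "approved"

def demo():
    issuer, pan = Issuer(), "4111111111111111"   # constructed test card number
    dan, key = issuer.provision(pan)
    seen = (dan, 1, 1999, make_cryptogram(key, dan, 1, 1999))  # all the merchant sees
    results = [issuer.authorize(*seen),                  # genuine payment
               issuer.authorize(*seen),                  # same message replayed
               issuer.authorize(dan, 2, 1999, seen[3])]  # DAN reused without the key
    issuer.revoke(dan)                                   # merchant breached: retire DAN
    new_dan, new_key = issuer.provision(pan)             # same account, fresh DAN
    results.append(issuer.authorize(dan, 3, 100, "0" * 64))
    results.append(issuer.authorize(new_dan, 1, 500, make_cryptogram(new_key, new_dan, 1, 500)))
    return pan in seen, results

if __name__ == "__main__":
    print(demo())
```

Data captured at the merchant is enough for exactly one authorization; what remains valuable is the per-device key, which is why the column's later concern shifts to the phone itself.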

But while I see ways to make Apple Pay more secure than it is, it’s still a big improvement over what we currently have. Even the much-ballyhooed Europay Mastercard Visa (EMV) system that’s coming along doesn’t entirely do away with the transfer of your credit card number to the merchant. Most EMV cards still have a magnetic stripe that contains your account information, and the payment terminals can still read your account number from the EMV smart chip itself. And, as we learned last year in the Target breach, the payment terminals themselves can be compromised to harvest account data and send the data over to the miscreants that want to steal our money.

So, although I am using Apple Pay as a consumer, the security professional in me still sees the potential for trouble. If the masses and the merchants they buy from all moved to Apple Pay or other systems that emulate its DAN approach to transactions, perhaps that would go a long way toward eliminating more big data breaches like Target and Home Depot. But does that mean the money-stealing miscreants of the world are simply going to give up their battle when faced with that? Of course not.

If payment terminals become unviable as attack targets once they are no longer privy to real account data, our adversaries will simply turn their attention to the next weakest link in the transaction chain. That’s likely to be the mobile devices themselves. With that in mind, I read about the recent Masque Attack on iOS devices with great interest. The fact that the Masque Attack appeared just as Apple Pay was making its debut appears to be mere coincidence, but it would be foolish for us to think that our adversaries aren’t looking for exactly this sort of opportunity to get Trojan horse financial malware onto our devices.

Indeed, now that money transactions have truly arrived on iOS, it’s only natural to assume iOS is going to be targeted more than ever by those adversaries.

Does that mean we should stay away from services like Apple Pay? We all make our own choices, but I for one welcome it and wish for the day when I don’t have to carry any credit cards at all. My wallet would be a lot happier anyway.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Copyright © 2014 IDG Communications, Inc.
