Apple Pay Could Slam Door on Data Thieves

Checkout lanes across the U.S. soon will sport NFC readers, now that an army of iPhone wielders is mobilizing. Other smartphones already support NFC, but there hasn't been a unified effort to get consumers and retailers interested in using it. Apple Pay will do the trick, and the timing couldn't be better. Customer data thefts at high-profile retailers could become a thing of the past.

Despite the efforts of some big-name tech players, consumers have been reluctant to turn their smartphones into wallets. That could be about to change with Apple Pay.

Apple Pay is the new mobile payment system Apple introduced with its iPhone 6 and 6 Plus earlier this week.

“Apple being Apple is going to change the game,” Christopher Budd, threat communications manager at Trend Micro, told the E-Commerce Times. “Apple Pay will be a tipping point for mobile payments.”

The mobile payment market has been trapped in a chicken-and-egg quandary. “It’s a classic bootstrapping problem,” Budd said. “You can’t use it if the merchants don’t have the reader, and the merchants aren’t going to have the reader if there’s no one to use it.”

Apple’s introduction of a secure way to perform retail transactions couldn’t come at a better time, as yet another mammoth breach was confirmed by Home Depot just hours before Apple Pay was introduced to the world.

Apple Pay is the most likely solution to the U.S. data breach crisis, Budd noted.

Wave to Pay

Unlike other mobile wallets in the market, Apple Pay is both a hardware and software solution.

You can enter your credit card information into the phone manually, by photographing a credit card, or by transferring the data from an iTunes account.

Once it's entered, the credit card number is assigned a device account number. That number is stored in a secure element — a chip that’s the hardware piece of the system.

“It’s a little Fort Knox on your phone,” Budd said.

No information stored in the secure element is ever seen by Apple.

When a purchase is made by waving the phone near a point-of-sale terminal that supports NFC — a short-range wireless technology — and holding your finger on the iPhone’s fingerprint reader, the device account number and single-use security code are transferred to the terminal to perform the transaction.

“Apple Pay is secure, because the actual credit card never hits the retailer — ever,” Chris Ciabarra, CTO of Revel Systems, told the E-Commerce Times.

Is It Target-Proof?

In carrying out the rash of data thefts from retailers over the last year, hackers used malware to steal information from point-of-sale terminals as the payment cards were swiped. A cybercriminal can steal the information Apple Pay provides the retailer, but it won’t do the crook any good.

“They’re just getting a token … . Without a bunch of pieces from the infrastructure, it’s unusable to an attacker,” Phil Dunkelberger, CEO of Nok Nok Labs, told the E-Commerce Times. “It makes it much more difficult to attack the system.”
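A simplified model of the token-plus-single-use-code flow described above, added here as an illustration; it is not Apple's or any card network's code. The HMAC-based code, the transaction counter, and every class and function name are assumptions standing in for the real payment cryptogram.

```python
import hashlib
import hmac
import secrets

def one_time_code(key, counter, amount_cents):
    # Assumed construction: HMAC over counter and amount, truncated.
    msg = f"{counter}:{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenNetwork:
    """Back-end model: only this side can map a token to the real card."""
    def __init__(self):
        self._vault = {}  # device account number -> [card, key, last counter]

    def provision(self, card_number):
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = [card_number, key, 0]
        return dan, key  # what the phone keeps in its secure element

    def authorize(self, dan, counter, amount_cents, code):
        entry = self._vault.get(dan)
        if entry is None:
            return "declined: unknown token"
        _card, key, last_counter = entry
        expected = one_time_code(key, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "declined: bad security code"
        if counter <= last_counter:
            return "declined: code already used"
        entry[2] = counter
        return "approved"

class Phone:
    def __init__(self, dan, key):
        self._dan, self._key, self._counter = dan, key, 0

    def tap(self, amount_cents):
        self._counter += 1
        code = one_time_code(self._key, self._counter, amount_cents)
        return {"dan": self._dan, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}

def demo():
    network = TokenNetwork()
    card = "4111111111111111"  # constructed test number, not a real card
    phone = Phone(*network.provision(card))
    seen = phone.tap(2599)  # everything a compromised terminal would capture
    first = network.authorize(**seen)
    replay = network.authorize(**seen)  # same message submitted again
    altered = network.authorize(seen["dan"], seen["counter"] + 1, 99999, seen["code"])
    return card in seen.values(), first, replay, altered
```

The terminal's copy of the transaction never contains the card number, and both the replayed and the altered submissions are declined.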

As secure as Apple Pay is, there may be areas outside its control that could present opportunities to hackers.

“Apple doesn’t control all the back-end systems that will be implementing this,” Dunkelberger said. “Those systems could be attacked.”

Developers also could introduce vulnerabilities to the system.

“Whenever you deal with application programming interfaces, you’re going to deal with guys who cut corners — guys who don’t do what Apple tells them to do to be secure,” Dunkelberger explained.

“The points of attack will come out in the implementation of Apple Pay, but always in the real world, someone figures out a point of attack,” he added. “There are no perfect security systems.”

New Paradigm

Nevertheless, Apple Pay represents a step up from the prevalent payment methods in the market.

“There are new risks with these emerging technologies, but these are small compared to traditional magnetic cards, which have been around for decades,” Richard Moulds, vice president for strategy at Thales e-Security, told the E-Commerce Times.

No matter how usable and secure Apple Pay may be, old habits are hard to break.

“It’s going to have to change consumer behavior,” Ramon T. Llamas, a mobile analyst with IDC, told the E-Commerce Times.

“Apple Pay is a whole new usage paradigm,” he observed. “There are people willing to change, but there is a larger number that Apple will have to persuade to change.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
