September 10, 2014

Apple Pay: is it safe to pay with your iPhone?

News

On the 9th of September, Apple showed some new devices and its new payment system based on an NFC chip, Touch ID sensor and Passbook app. So we had a look to find out how it works, what it gives us and how well this system is protected.

The 100-minute Apple event, which took place in the Flint Center in California, showed the world a couple of new devices, traditionally split the spectators into three usual groups like ‘Apple is not as good as it used to be’, ‘We already have seen it on Android’ and ‘Shut up and take my money!’ We don’t want to associate ourselves with any of these as there is something much more interesting than a screen size and holy wars — Apple Pay, the new payment system which was developed by Apple with the involvement of Visa, MasterCard and AmEx, and based on an NFC chip, Touch ID sensor and an app called Passbook. Apple wants to make your iPhone do the same things your wallet and credit cards do, but is it secure enough to be sure your money won’t end up in criminals’ pockets?

New-iPhone6 (1)

Apple Pay (yes, it seems the company is getting rid of that ‘i’ prefix now) is a mobile payment system, which combines the principal of providing transactions with some interesting technological solutions. NFC, Touch ID, Passbook — everything here works together to make your shopping more comfortable and secure. At least so the keynote told us.

So, how does it work? Actually pretty much the same way as PayPass or PayWave cards do: all you need to do is just hold your NFC-enabled payment device near the reader for a moment and then confirm the transaction. In a case of a credit card it is a PIN code, but Apple Pay uses the new iPhones’ Touch ID scanner which you need to hold your finger on while making a payment.

Apple Pay looks secure, but storing all your credit card information on your iPhone may be bad for your money.

To make it work first you need to scan your credit cards with your iPhone so all the info like card number, expiration date and such stuff goes right to the Passbook application. And then comes the most interesting and complicated part of Apple Pay technology. Instead of using your actual credit or debit card numbers during the payment process, a unique Device Account Number is used. Once created, this kind of token is assigned to a device, where the card information is, and securely stored (encrypted, of course) in a dedicated chip in the new iPhones and Apple Watch. So you pay with a non-identifiable special code, not with your real credentials.

Such approach is good for at least two reasons. First, neither a shop, nor a criminal (who can try to intercept the data) could get your credit or debit card information during a transaction. In the worst scenario an attacker could have only a token number. Second, even if the number is compromised, it’s worth nothing, because it works only when transmitted from the specific device which this number was created on. If the device is stolen, then comes Touch ID protection. In any case, there’s always the Find My iPhone service, which you can use to lock your iPhone or even wipe all the info from it, including card information, so you won’t need to lock your credit cards or bank accounts to protect your money from being stolen.

But is this system really secure? Dmitry Bestuzhev, an expert from Kaspersky Lab, says there’s a problem: “Touch ID doesn’t always work properly. That’s why Apple allows you to enter a PIN. For example, when your fingers are wet the Touch ID may not wok. The same shortcut scheme may be abused by cybercriminals while authorizing payments.” Keeping in mind that paying with Apple Watch doesn’t require any extra interaction, chances are that your devices may be used without your permission to drain your bank account.

There’s one more concern: the way the card information is stored. As you know, almost every kind of data stored on an iPhone can be synchronized with a number of trusted iOS devices. And it’s not just photos or browser tabs, but also passwords, which are stored within an app called Keychain. So if credit and debit card credentials or tokens are stored in a same way, enabling the device to synchronize with some other smartphones, it can be very bad for you and your money. Besides that, an attacker can do the same thing as you — enter your Passbook and get all the information about your cards, unless Apple makes it impossible or very difficult to do this. We’ll know in October if it will be so or not, when Apple Pay officially goes live across more than 200,000 US stores. We will keep you updated, so stay tuned.