The firewall -- has the "magic" box lost its mojo?
May 3, 2016
Will Apple Save the ePayment World?
September 23, 2014
Since the announcement of the iPhone 6, I have seen some pretty strong claims in the media about how Apple Pay would be our salvation from credit card security woes and identity theft. Now, I am an Apple fan, but those claims sounded a bit strong. As such, I decided to dig into the technology to be used by Apple as part of this service, and what if any potential security exposures exist.
According to a related patent filing by Apple earlier this year, their approach uses a “Secure Element”, which is a secure memory and application execution environment on the phone, with communication to a Point of Sale device (POS) either by Bluetooth, or Near Field Communication (NFC), a wireless communication technology with an effective range of 10 cm.
We now know from the first iPhone 6 teardown, that the phone has two NFC chips. One is the NXP 6510, which incorporates the Secure Element, and normally has a significant antennae requirement. They have also included the AMS AS3923 chip, which boosts communication, reducing the antennae requirement.
So far, there is nothing unusual. This approach has been used by other devices and services, including Google Wallet. Based on Apple’s announcement, Apple Pay has two things going for it that we have not seen before:
The use of a token in place of storing actual credit card numbers on the phone.
Agreements with card companies and processors that others, such as Google Wallet, failed to achieve.
Thus, from what we now know Apple and other sources, including the publishers of the software development kits that developers will use to integrate to merchant equipment, the process would work as follows:
A picture is taken of a new credit card to be added to Apple Pay.
The phone encrypts the card information, and transmits it to the card issuer.
The card issuer, either themselves, or via a third party, generates a token, in the form of a number of similar length. The token is encrypted, and sent back to the phone. The token, not the actual card number, is stored in the Secure Area on the phone.
To make a purchase, the user touches the phone to the point of sale terminal at the store, or gets it within 10 cm. This generates a message on the phone allowing to user to select a card, and approve the transaction via the incorporated finger print reader.
The phone encrypts the token, and sends it to the point of sale terminal. It transmits the token and user information up the line to the card issuer, which uses the token to verify the card, and returns approval or denial information.
The good news in this design is that the actual card number is not stored on the phone, and the token that is on the phone, is secured and always encrypted during transmission, and requires a finger print for activation.
Until the service is actually released and can be analyzed further, there are security concerns:
The NFC transmission could in theory be subject to a “man in the middle attack”, which involves another device intercepting the communication. This is not a major concern at this point, because of the close proximity and encryption involved.
Shortly after the release of the first finger print reader in the iPhone 5s, concerns were raised about a potential vulnerability. Information Week reported in September, 2013 that a fake finger could be used to bypass it. It is not clear if the iPhone 6 improves accuracy.
We are told that Apple Pay will be supported on older phones when used with the Apple Watch. The problem is that no finger print reader exists on the older phones.
Finally, possession of the phone is everything. If someone steals an iPhone 6 and can bypass the finger print reader, they could in theory make whatever purchases they wanted.
Alas, while Apple Pay looks to be a major step forward in credit card security, it is not perfect. Card owners must still protect their information, and monitor their transactions.
The best news in all of this is for Apple stockholders. Apple apparently has agreements in place with major card issuers, which will give them a piece of each transaction. Whether you decide to buy an iPhone 6 or not, Apple stock will be a good deal!