Will Apple Pay Be Safer? A ThreatTrack Security Expert’s Opinion
When someone makes financial decisions in your name without your consent, you may wake up one day to find creditors breathing down your neck and your credit score plummeting from unpaid debts. In fact, roughly 12 million people become victims of identity theft every year.
So when Apple revealed the iPhone 6 will have a new mobile payment system, Apple Pay, consumers asked a simple question — will it be safer than physical credit cards?
We spoke with Dodi Glenn, Senior Director of Security Intelligence and Research Labs at ThreatTrack Security, to find out about the safety pros and cons of Apple’s new technology.
How Apple Pay Works
Similar to Google Wallet, Apple Pay allows you to store your credit and debit card information on your phone. When you’re ready to check out online or in a physical store, you’ll be able to choose whichever card you’d like for the purchase.
In physical locations, Apple Pay will allow you to transmit your credit or debit card information to a store’s point-of-sale via near field communication (NFC), a wireless transmission of data over a short distance. Simply place your finger on the phone’s fingerprint reader (Touch ID) and hold the phone near the store’s “reader.”
Think of someone using a key card to open a gate at a parking garage or gated community.
Apple said the information will be encrypted as a “Device Account Number” and stored in a special chip in the phone called the “Secure Element.” They go on to state that none of your financial information or transactions will be stored on Apple servers — which is a good thing, considering all of the concerns over the recent iCloud hacking fiasco.
Comparing Apple Pay to Traditional Credit Cards
“If you look at the traditional way of how credit cards work, it’s a very insecure type of transaction,” Glenn said. “You have a card with a magnetic strip that’s very easy to capture, and you’ve also got a very simple system that takes a copy of the credit card number and sends it off to servers that are located who knows where from the consumer perspective.”
He added that credit cards are “fairly easy to recreate” and thieves could easily find the necessary hardware on sites like eBay and Amazon.
However, as far as transactions are concerned, the logistics remain relatively unchanged.
“Are transactions coming from a different source? Yes,” Glenn said. “Is the processing upstream any different? No, not at all. They’re still going to be sending the same data back and forth. It’s really about where the data gets initiated from, whether it’s a credit card or a phone.”
Criminals and Skimming Technology
Criminals have developed sophisticated tools over the past decade to capture valuable information from consumers’ credit cards. One such technology is the skimmer, a device that sits hidden within card readers on ATMs and other transaction points.
Some thieves are able to skim your credit card without it ever leaving your wallet by using portable scanners that cost less than $100. This works by picking up signals from cards embedded with an RFID chip, the predecessor to the NFC technology used in Apple Pay.
According to Glenn, one of the main differences, though, is that Apple Pay won’t be continuously susceptible to these kinds of attacks because it’s not “on” 24/7 and will likely not respond to any sort of external signal until the user actively engages in a transaction: “I don’t think you’re going to need to wrap your cell phone in aluminum foil to protect it.”
Even then, a criminal would have to be very close to the device during the transaction.
“If you think of NFC, it’s similar to a remote control for your TV,” he said. “If you’re six, three or sometimes even one room over, you won’t necessarily get the remote to work. It has to be fairly direct and there’s a certain range. It’s not like it’s some global reachable thing where I could stand miles away and ‘sniff’ the air for all these transactions occurring.”
Even if someone were able to intercept the data being transmitted from the device to the merchant, he doubts they’d be able to do much with it.
“With encryption, it’s a lot more difficult to put something in its way and intercept the data,” Glenn said. “You’d have to be able to speak the Apple-speak.”
Jailbreaking and Other Mobile Threats
Despite the additional security measures unique to NFC technology, users will still have to consider threats from within the device itself, Glenn said.
He warned against users jailbreaking their phones, which is the process of exploiting bugs in the phone’s operating software in order to remove limitations. Jailbreaking allows users to download apps not approved by Apple, apps which may manipulate the operating system itself and allow certain degrees of customization users wouldn’t find with a phone straight out of the box.
“My bigger concern from the digital side with a payment system like Apple Pay is people running inappropriate software on their mobile devices,” Glenn said. “What sort of protections can come down after being jailbroken?”
Glenn himself has a jailbroken phone, and for this reason said he would not use technology like Apple Pay on his device — “I don’t trust the applications I’ve installed on there to not be looking for certain content that’s finance-related.”
Users should also be on the lookout for malware and viruses that could register keystrokes on mobile devices. While the presence of malicious programs may not be obvious to most users, a high-quality mobile security app could help weed out dangerous software.
It all boils down to one question — is Apple Pay safer than credit cards?
“I think it is,” Glenn said. “It’s very easy for someone to just put a skimmer on [a card reader]. I think it’s definitely safer, especially with the ability to do digital encryption. A physical card is not encrypted at all… I don’t think Apple Pay is really any different than conducting financial transactions over a desktop PC or Mac.”
Even with the added security measures, users should still take additional precautions:
- Treat your device like you would treat your computer, cash or credit cards.
- Make sure it’s password secured.
- Never use public Wi-Fi to conduct any financial business.
- Use a bank or financial institution’s app instead of their website whenever possible.
- Disable automatic password fill-in for finance apps and websites.
- Regularly check your debit and credit accounts, as well as your credit report, for any unusual activity.
- In the event that you do lose your phone, initiate a remote wipe. Both Apple and Android devices have this function.
However, it’s a fact of life that your finances will always be at risk in one form or another. Despite new security measures, consumers should never assume they’re completely immune to identity theft.
“It is technology,” Glenn said, “and the more we adapt with technology, the more hackers are looking to infiltrate these sorts of features.”