How Secure IS Apple Pay?


Apple has launched Apple Pay, a new way to pay for everyday items, which will be “easy, secure and private” according to its CEO Tim Cook.

But how secure will this new technology be? After the huge furore surrounding the recent leak of private celebrity photos from iCloud, and recent high-profile retail data breaches, Apple is desperate to reassure cynical shoppers that security is built into the very core of its new payment feature.

You will be able to use your iPhone 6, iPhone 6S or Apple Watch to pay for items from October 2014. It sounds easy – you add your credit card details to Passbook, wave your phone or watch near a reader, then enter a PIN code or use fingerprint technology (Touch ID) to verify the payment.

So what is Apple Pay doing to reassure its customers about security?

The key issue is that Apple won’t store any customer financial information on its servers or in the device, but will instead use “tokenization” to identify a customer when paying. When a person adds a credit or debit card number to Passbook, a separate account number is used to identify the person RATHER than the actual card number. This new account number is then stored in an encrypted chip (the “secure element”) in the iPhone or Apple Watch. So the secure element is in the actual device, and not on any Apple servers. Your credit card details are never stored, and never shared with the merchant. Therefore if the merchant is hacked, the attackers won’t have access to any credit card details.
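To make the tokenization argument concrete, here is a small simulation added for this post (not Apple’s code, and not a description of its actual protocol): a token service provider holds the only mapping from token to card number, the device and the merchant ever see only the token, and a simulated dump of the merchant’s records shows why a breach there yields no card numbers. The card number is a constructed test value, and the class names are assumptions of this model.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenServiceProvider:
    """Issuer-side vault: the only place a token can be mapped back to a card number (model)."""
    vault: dict = field(default_factory=dict)  # token -> real card number (PAN)

    def provision(self, pan: str) -> str:
        # Issue a random 16-digit device account number that reveals nothing about the PAN
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self.vault[token] = pan
        return token

    def authorise(self, token: str, amount_pence: int) -> bool:
        # Detokenisation happens only here; the merchant never learns the PAN
        return token in self.vault and amount_pence > 0


@dataclass
class Device:
    """Phone or watch: stores only the token (stand-in for the secure element)."""
    token: str


@dataclass
class Merchant:
    """Point of sale: keeps a record of exactly what it received for each payment."""
    tsp: TokenServiceProvider
    records: list = field(default_factory=list)

    def charge(self, device: Device, amount_pence: int) -> bool:
        approved = self.tsp.authorise(device.token, amount_pence)
        self.records.append({"token": device.token, "amount": amount_pence, "approved": approved})
        return approved


def merchant_breach_exposes_pan(pan: str) -> bool:
    """Simulate the 'merchant is hacked' case: does anything the merchant or device stored contain the PAN?"""
    tsp = TokenServiceProvider()
    device = Device(token=tsp.provision(pan))
    shop = Merchant(tsp)
    shop.charge(device, 499)
    shop.charge(device, 1250)
    # Everything an attacker could read from the merchant's storage and from the device itself
    dumped = str(shop.records) + str(device)
    return pan in dumped


if __name__ == "__main__":
    print("PAN exposed by merchant breach:", merchant_breach_exposes_pan("4111111111111111"))
```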

Another security layer in the Apple Watch is that it can tell when it’s being worn, thanks to sensors in the back of the device. So when you take the watch off and then put it back on, you must re-enter a PIN code before any payments are authorised.

However, even though it may be too early to pronounce judgement on the security of Apple Pay, 2-sec thinks that there might be some potential risks in the future.

If the implementation of the system works smoothly, flawlessly even, in October, then all well and good. But if one aspect fails – the secure data store, the biometric fingerprint sensor or the till readers – then there may be issues. They all have to work together without any problems.

Apple Pay also hasn’t fully addressed perhaps the simplest way to hack into any account – a criminal physically stealing an iPhone or Apple Watch, or hacking an account to find login details.

Apple is also placing more trust in third-party app developers such as PayPal (through the Braintree payment system), Uber and Groupon. Many applications have been shown to contain security vulnerabilities, and it means that Apple Pay will HAVE to rely on the security of these third-party apps to ensure the security of its own systems.

How about fingerprint reading? Biometric technology has never been invulnerable, and although it takes the patience of a crime scene technician, it has been shown that it is possible to bypass an iPhone’s fingerprint sensor.

How about the problem of a compromised NFC reader or till machine?

The tokenization system does add a formidable layer of security to this system, and Touch ID adds another. But it is a complicated system, with different devices and layers, so naturally there are many more aspects that may be attacked.

Apple have been brief when unveiling the security aspects of this new payment method, so 2-sec is keen to see further in-depth details of exactly how the system will work in its entirety.
