Apple Pay: Can You Trust It?

The Apple Pay interface. Credit: Apple, Inc.

(Image credit: The Apple Pay interface. Credit: Apple, Inc.)

UPDATE: Apple on Oct. 16 announced that Apple Pay would become available for use Monday, Oct. 20. The company introduced two new devices, the iPad Air 2 and the iPad mini 3, upon which Apple Pay will work.

Yet unlike the iPhone 6, iPhone 6 Plus and Apple Watch, the new iPads will not be able to make purchases at retail locations, but only in iOS apps. Apple did not explain why; it's possible the new iPads do not contain the NFC chips required to communicate with retail point-of-sale devices.

Apple also said 500 more U.S. banks and other payment-card issuers would support Apple Pay, but named only five: Barclaycard, Navy Federal Credit Union, PNC, U.S. Bank and USAA. The six previously announced banking partners were American Express, Bank of America, Capital One, JPMorgan Chase, Citibank and Wells Fargo.

------------------

Apple's Apple Pay mobile-payment system, introduced Sept. 9, promises to finally revolutionize retail shopping in the United States after previous failed attempts by Google Wallet and Isis, aka Softcard. But despite Apple's claim that Apple Pay is "fast, secure and private," can you really trust it?

First, the good news: Apple Pay uses a security feature called tokenization that's been long desired by the payment-card industry. With tokenization, each credit card's account number is substituted with a "token," a one-time string of largely random data, before the merchant's point-of-sale system even receives the payment data.

MORE: With Apple Pay, iPhones Finally Have a Mobile Wallet

The true account number is never shared with the merchant. With nothing to steal, nothing can be stolen, either by malware in the merchant's payment systems à la Target or Home Depot, or by an unscrupulous cashier with a hidden card swiper.

By including tokenization, which until now has not been widely adopted, Apple Pay is already more secure than all standard credit-card formats, including the EMV "chip-and-PIN" format widely used outside the U.S., not to mention Google Wallet.

More data, more to steal

But there's also some bad news. Apple Pay may make the newly introduced iPhone 6 and iPhone 6 Plus even more desirable for thieves to steal. The Apple Watch, also introduced today, extends Apple Pay capabilities to the iPhone 5 line, but adds yet another "hot" device to be snatched on subway cars and buses.

Apple is also placing a lot of trust in app developers. Target, Groupon, Uber and OpenTable were all named as companies that would incorporate Apple Pay directly into their iOS apps for mobile online transactions, and others will follow.

"Ninety-six percent of the applications we scanned in 2013 contained at least one security vulnerability," Mike Park, managing consultant at information-security company Trustwave, said in a statement following the Apple presentation. "With the introduction of this type of functionality into a platform, it makes every device a possible target."

Stolen fingerprints, stolen photos, stolen phones

Then there's Touch ID. Users of an iPhone 6 or 6 Plus will press the Touch ID button to make a purchase while holding the phone next to a compatible card reader. The implication is that the fingerprint reader built into Touch ID will scan the user's thumb to verify him or her as the authorized user, but previous experiments have shown that it's quite easy to fool Touch ID with a rubber fingerprint.

Also troubling is the matter of Find My iPhone. At the Sept. 9 Apple event, Apple Senior Vice President Eddy Cue promised that "if your iPhone is lost or stolen, you can use Find My iPhone to quickly suspend payments from that device."

But in order for Find My iPhone to work, a lost or stolen phone has to be able to receive cellular or Wi-Fi signals. It can't do so if a thief turns off the iPhone immediately, or drops it into a radio-proof Faraday bag that can be easily bought at a computer-parts store.

Apple counters that the credit-card numbers aren't even stored on the phone because each account number is replaced with a device-specific, encrypted Device Account Number. But Apple hasn't explained who will be assigning each Device Account Number, or how the number will be transmitted to a phone.

Worst of all is one of the primary methods for adding a credit card to Apple Pay: The user simply takes a photograph of the card with the iPhone and sends it to Apple.

The young celebrities who took nude selfies, only to have them revealed en masse in early September, can tell you just how secure photographs taken with an iPhone are.

"We cannot say with certainty that mobile payment systems are more secure than payment cards; only time will tell," Trustwave's Park said. "With any new addition or feature to a platform — even ones meant to enhance security — this expands the overall attack surface, making it attractive for criminals looking for vulnerabilities to exploit."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.