Apple Pay: Can You Trust It?

The Apple Pay interface. Credit: Apple, Inc.

(Image credit: The Apple Pay interface. Credit: Apple, Inc.)

UPDATE: Apple on Oct. 16 announced that Apple Pay would become available for use Monday, Oct. 20. The company introduced two new devices, the iPad Air 2 and the iPad mini 3, upon which Apple Pay will work.

Yet unlike the iPhone 6, iPhone 6 Plus and Apple Watch, the new iPads will not be able to make purchases at retail locations, but only in iOS apps. Apple did not explain why; it's possible the new iPads do not contain the NFC chips required to communicate with retail point-of-sale devices.

Apple also said 500 more U.S. banks and other payment-card issuers would support Apple Pay, but named only five: Barclaycard, Navy Federal Credit Union, PNC, U.S. Bank and USAA. The six previously announced banking partners were American Express, Bank of America, Capital One, JPMorgan Chase, Citibank and Wells Fargo.

------------------

Apple's Apple Pay mobile-payment system, introduced Sept. 9, promises to finally revolutionize retail shopping in the United States after previous failed attempts by Google Wallet and Isis, aka Softcard. But despite Apple's claim that Apple Pay is "fast, secure and private," can you really trust it?

First, the good news: Apple Pay uses a security feature called tokenization that's been long desired by the payment-card industry. With tokenization, each credit card's account number is substituted with a "token," a one-time string of largely random data, before the merchant's point-of-sale system even receives the payment data.

MORE: With Apple Pay, iPhones Finally Have a Mobile Wallet

The true account number is never shared with the merchant. With nothing to steal, nothing can be stolen, either by malware in the merchant's payment systems à la Target or Home Depot, or by an unscrupulous cashier with a hidden card swiper.

By including tokenization, which until now has not been widely adopted, Apple Pay is already more secure than all standard credit-card formats, including the EMV "chip-and-PIN" format widely used outside the U.S., not to mention Google Wallet.

More data, more to steal

But there's also some bad news. Apple Pay may make the newly introduced iPhone 6 and iPhone 6 Plus even more desirable for thieves to steal. The Apple Watch, also introduced today, extends Apple Pay capabilities to the iPhone 5 line, but adds yet another "hot" device to be snatched on subway cars and buses.

Apple is also placing a lot of trust in app developers. Target, Groupon, Uber and OpenTable were all named as companies that would incorporate Apple Pay directly into their iOS apps for mobile online transactions, and others will follow.

"Ninety-six percent of the applications we scanned in 2013 contained at least one security vulnerability," Mike Park, managing consultant at information-security company Trustwave, said in a statement following the Apple presentation. "With the introduction of this type of functionality into a platform, it makes every device a possible target."

Stolen fingerprints, stolen photos, stolen phones

Then there's Touch ID. Users of an iPhone 6 or 6 Plus will press the Touch ID button to make a purchase while holding the phone next to a compatible card reader. The implication is that the fingerprint reader built into Touch ID will scan the user's thumb to verify him or her as the authorized user, but previous experiments have shown that it's quite easy to fool Touch ID with a rubber fingerprint.

Also troubling is the matter of Find My iPhone. At the Sept. 9 Apple event, Apple Senior Vice President Eddy Cue promised that "if your iPhone is lost or stolen, you can use Find My iPhone to quickly suspend payments from that device."

But in order for Find My iPhone to work, a lost or stolen phone has to be able to receive cellular or Wi-Fi signals. It can't do so if a thief turns off the iPhone immediately, or drops it into a radio-proof Faraday bag that can be easily bought at a computer-parts store.

Apple counters that the credit-card numbers aren't even stored on the phone because each account number is replaced with a device-specific, encrypted Device Account Number. But Apple hasn't explained who will be assigning each Device Account Number, or how the number will be transmitted to a phone.

Worst of all is one of the primary methods for adding a credit card to Apple Pay: The user simply takes a photograph of the card with the iPhone and sends it to Apple.

The young celebrities who took nude selfies, only to have them revealed en masse in early September, can tell you just how secure photographs taken with an iPhone are.

"We cannot say with certainty that mobile payment systems are more secure than payment cards; only time will tell," Trustwave's Park said. "With any new addition or feature to a platform — even ones meant to enhance security — this expands the overall attack surface, making it attractive for criminals looking for vulnerabilities to exploit."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • cats_Paw
    Go ahead, trust them...hackers are counting on it.
    Reply
  • Fear Propaganda
    That's what they get for showing that disturbing "Barefootin" commercial over and over again. Cramming 5 different races into an unrealistic social scenario will result in your system getting hacked every time.
    Reply
  • hitman40
    It has been confirmed that the young celebrities who lost their photos because Apple was "hacked" was form simple password guessing...

    Essentially, the article's main point is that if you get your phone stolen, steps can be made by thieves to extract information somehow. However, Apple Pay is by far the most safest method attempted with their tokenization during payments. Here's to pushing the market forward.:D
    Reply
  • Sebc
    "But in order for Find My iPhone to work, a lost or stolen phone has to be able to receive cellular or Wi-Fi signals. It can't do so if a thief turns off the iPhone immediately, or drops it into a radio-proof Faraday bag that can be easily bought at a computer-parts store." To combat this, just require the device to have an active internet connection. Maybe it already has this requirement. We'll find out in October.
    Reply
  • maddad
    Why would put NFC on a tablet for purchases in a store? Who needs that, I never see anyone bringing their tablet into a store, but everyone brings there phone with them.
    Reply
  • Sebc
    14390241 said:
    Why would put NFC on a tablet for purchases in a store? Who needs that, I never see anyone bringing their tablet into a store, but everyone brings there phone with them.

    It doesn't need NFC for Apple Pay to be useful. You can buy stuff online with Apple Pay which will be very convenient for many (older) iPad users. If they ever were to add NFC it would probably be used for HomeKit (which they wouldn't even need since they already have Bluetooth LE)

    Reply
  • SirKnobsworth
    Yes, you can fool touch id with a high resolution replica of the original fingerprint. Why is this surprising or particularly scary?
    Reply
  • InvalidError
    14390298 said:
    Yes, you can fool touch id with a high resolution replica of the original fingerprint. Why is this surprising or particularly scary?
    I see two fundamental issues with using biometrics as a primary identity check:
    1- once compromised, they cannot be relatively conveniently changed
    2- in the case of fingerprints, the original fingerprints have a high probability of being somewhere on the device itself, such as the TouchID sensor. That makes it intrinsically extremely weak.
    Reply
  • arctic23
    I will have to see the picture for my self to post my opinion. From that picture it looks a little like 1980's design. How about thinner frame?
    Reply
  • ericburnby
    So much misinformation.

    Apple Pay is the safest payment system out there. It's superior to Google Wallet and uses the latest tokenization technology. Apple stores no information about you (including credit card data) on any of their servers. When you request a recent history of transactions your phone accesses your bank to download this information because Apple doesn't store it. Apple Pay wasn't an invention of Apple - it was created by the banks/credit card companies. Apple Pay is just the first company to integrate this system into a device.

    Stealing your watch to make purchases? Please, did the writer even do some simple fact checking? When the watch is removed from your wrist it immediately gets de-authorized and can no longer make payments.

    And talking about Touch ID being hacked? Hardly. I challenge anyone here to find a video of a Touch ID hack that shows in order: a person using their iPhone and a specific finger to unlock it, another person successfully lifting a print of the iPhone, making the mold and then unlocking the iPhone within the limited number of attempts before it locks.

    I've seen countless Touch ID hack videos and they all have some flaw. There's the one idiot who had a print on the iPhone screen masked off, and the print was flawless. The rest of the screen was clean and smudge free EXCEPT for the print. And people actually fall for this? There's a reason nobody produces an UNEDITED video of a Touch ID hack - it's because they tried several times, and only bother to show the time it worked instead of the numerous times it didn't work.
    Reply