Today was a big day in the world of Apple. I am a converted Apple fanboy. Once a long-time, hard-nosed Windows master, I was turned to the lighter side of the force a few years ago and have slowly replaced Windows-based systems with Apple ones: iPads, iPhones, iMac, Apple TV, MacBook, and soon a new iPhone 6+ and two Apple Watches. Yes, Apple will take my money. Putting the gadget and functionality aspects of today’s Apple announcement aside, my information security mind focused in on Apple Pay, the new digital wallet and payment system for the iPhone 6 and Apple Watch. If Apple is going to change the world, Apple Pay is how.
In a nutshell, Apple Pay lets you pay with your iPhone 6 or Apple Watch without ever taking out, or even carrying, your credit and debit cards. It uses Near Field Communication (NFC) with special terminals to transmit the data. Some credit cards and retailers already have tap-to-pay systems in place where you wave your credit card at the terminal; it is the same concept, but Apple does something the retailers, customers and industry have been trying to do for decades: better protect your account information.
Your credit card, the plastic square, has all the information needed to ruin your day. The account number, the expiration date, your name, even the security code on the back. All of it static, all of it visible, and all a person needs to make purchases without restriction. Retailers that accept credit cards must adhere to the Payment Card Industry policies and procedures because they store your account information and are liable if they lose it. This is why security breaches make the news: everything criminals need to steal identities and commit theft and fraud is stored in the retailers’ systems. Apple Pay changes this.
Apple Pay uses the device as the authorizing factor. When you swipe your phone to pay, you must use Touch ID to verify that you, the account owner, are making the purchase. If your phone is stolen, the criminals won’t be able to purchase anything. But the security built into Apple Pay doesn’t stop there. When you add a credit card to Passbook on the phone, the card information is stored in a new, isolated, encrypted container Apple calls the ‘secure element’. If the phone is stolen, in theory, the secure element cannot be read. A user can also use the Find My iPhone feature to remotely wipe the phone, including the secure element. This keeps the card’s information private, so in that scenario you only need to deal with wiping the phone rather than canceling and replacing every card.
Apple Pay’s payment process is the core of the privacy. Each transaction uses a dynamic key generated at the time of the payment to verify the card; the retailer’s point of sale system then becomes an authorized issuer of the payment between you and the bank. The card account number and details are not given to the retailer. They are never transmitted, because Apple Pay doesn’t work the way traditional credit cards have for 50 years.
Apple Pay disconnects your account information from the public’s eyes. If it works as detailed today, this will protect users the next time a retailer gets breached. Criminals will find less usable data about you to exploit, if anything at all. Your financial card is protected. As an added bonus, this will lessen the PCI DSS stress on retailers, because Apple Pay users don’t send their account information and therefore retailers aren’t storing it.
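To make the property described in the last three paragraphs concrete, here is a deliberately simplified model of a tokenized, per-transaction payment. This is an added illustration, not Apple’s protocol or code: the issuer alone keeps the real card number, the device’s "secure element" holds only a token and a key, and the merchant receives a one-time cryptogram that is rejected if it is captured from a breached merchant log and replayed. All names, the key derivation and the sample card number are constructed for the example.

```python
import hashlib
import hmac

# Constructed, simplified model of tokenized per-transaction payment (not Apple's
# protocol): the merchant never sees the card number, and each payment carries a
# one-time cryptogram that fails if it is captured from a merchant log and replayed.

def cryptogram_for(key, token, merchant, amount_cents, counter):
    # One-time authorization code bound to this exact payment
    msg = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """The bank: the only party that ever holds the real card number (PAN)."""
    def __init__(self):
        self._pan_by_token = {}   # token -> PAN, never leaves the issuer
        self._key_by_token = {}   # token -> per-device key
        self._last_counter = {}   # token -> highest counter accepted so far
    def enroll(self, pan):
        """Provision a device with a token and key; the PAN stays here."""
        token = hashlib.sha256(b"token:" + pan.encode()).hexdigest()[:16]
        key = hashlib.sha256(b"key:" + pan.encode()).digest()  # constructed derivation
        self._pan_by_token[token], self._key_by_token[token] = pan, key
        self._last_counter[token] = 0
        return token, key
    def authorize(self, msg):
        """Verify a payment message forwarded by the merchant; reject replays."""
        key = self._key_by_token.get(msg["token"])
        if key is None or msg["counter"] <= self._last_counter[msg["token"]]:
            return False
        expected = cryptogram_for(key, msg["token"], msg["merchant"],
                                  msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False
        self._last_counter[msg["token"]] = msg["counter"]
        return True

class SecureElement:
    """Device side: holds only the token and key, emits one message per payment."""
    def __init__(self, token, key):
        self._token, self._key, self._counter = token, key, 0
    def pay(self, merchant, amount_cents):
        self._counter += 1
        c = cryptogram_for(self._key, self._token, merchant, amount_cents, self._counter)
        return {"token": self._token, "merchant": merchant, "amount": amount_cents,
                "counter": self._counter, "cryptogram": c}

def demo(pan="4111111111111111"):  # constructed sample card number
    """Returns (first payment accepted, replay accepted, PAN visible to merchant)."""
    issuer = Issuer()
    device = SecureElement(*issuer.enroll(pan))
    msg = device.pay("coffee-shop", 450)  # what the merchant's terminal receives
    return issuer.authorize(msg), issuer.authorize(msg), pan in str(msg)
```

Running `demo()` shows the first payment accepted, the replayed copy refused, and no card number anywhere in what the merchant handled.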
Once the devices are available and the ethical hacking public gets their hands on them, we will see how secure the secure element is. As it sits today, this could be the catalyst for others to follow suit and change the way we conduct electronic transactions. Of course this all comes down to retailer and user adoption, but from a technology standpoint it should begin to spur capitalistic competition and move the industry in the right direction by putting security first for a change instead of treating it as an afterthought.
End of Line
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.