Apple Pay Gets Thumbs Up From Security Experts on UK Launch

Security experts have broadly welcomed the arrival of Apple Pay in the UK today, arguing that the service provides at least as safe and secure a way to transact as traditional chip and PIN cards.

Consumers with an iPhone 6, 6 Plus or Apple Watch can, from today, ‘touch and pay’ in any store that accepts Visa contactless payments – some 250,000 locations – and many others besides.

Big name brands and service providers including Transport for London, Boots, Lidl, Post Office and Starbucks are all on board, with more surely to follow.

There are several elements designed to boost security.

First, users must place their finger on the phone’s Touch ID biometric authentication system before each payment, or else enter their four-digit passcode.

Find My iPhone can also be invoked if a device is lost or stolen to remotely remove the ability to pay via the handset.

But most importantly, Apple Pay uses tokenization, so that the card details are never stored by the merchant or even transmitted to it. Instead, when a user registers a card, the details are converted into a unique device account number (DAN), which is stored encrypted in the handset’s secure element.

When a payment is made, the DAN is combined with a one-time security code unique to that transaction. Once the user authenticates with fingerprint or passcode, the secure element validates the transaction and sends the data to the payment processor, which then confirms the payment.
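As an added illustration (not code from the article, from Apple or from any card network), the following Python model shows the tokenization flow described above: a token service issues a DAN in place of the real card number, the secure element releases a payment only after user authentication and binds it to a one-time code derived from a key that never leaves the device, and the processor rejects replays and altered amounts. The HMAC-over-counter scheme, the DAN format and all class names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified tokenization model (not Apple's or any network's real protocol).


def one_time_code(key: bytes, dan: str, counter: int, amount_pence: int) -> str:
    """Per-transaction code over DAN, counter and amount (HMAC chosen for illustration)."""
    msg = f"{dan}|{counter}|{amount_pence}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServiceProvider:
    """Token vault plus processor: maps a DAN back to the PAN and validates one-time codes."""
    def __init__(self):
        self._vault = {}         # DAN -> (PAN, device key shared with the secure element)
        self._last_counter = {}  # DAN -> highest transaction counter accepted so far

    def provision(self, pan: str):
        """Card registration: issue a DAN and device key; the PAN never reaches the device."""
        dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = (pan, key)
        self._last_counter[dan] = 0
        return dan, key

    def authorize(self, tx: dict) -> bool:
        """Accept only an unseen counter whose code verifies under the device key."""
        if tx["dan"] not in self._vault:
            return False
        _pan, key = self._vault[tx["dan"]]  # the real card number is only ever resolved here
        if tx["counter"] <= self._last_counter[tx["dan"]]:
            return False  # replayed or stale transaction
        expected = one_time_code(key, tx["dan"], tx["counter"], tx["amount_pence"])
        if not hmac.compare_digest(expected, tx["code"]):
            return False  # forged, or amount/fields altered in transit
        self._last_counter[tx["dan"]] = tx["counter"]
        return True


class SecureElement:
    """Device side: holds DAN and key, releases a payment only after user authentication."""
    def __init__(self, dan: str, key: bytes):
        self._dan, self._key, self._counter = dan, key, 0

    def pay(self, amount_pence: int, authenticated: bool) -> dict:
        if not authenticated:
            raise PermissionError("Touch ID or passcode required before payment")
        self._counter += 1  # plays the role of an EMV application transaction counter
        code = one_time_code(self._key, self._dan, self._counter, amount_pence)
        return {"dan": self._dan, "counter": self._counter, "amount_pence": amount_pence, "code": code}
```

A merchant log of the `pay()` output contains only the DAN and a code that cannot be replayed, which is the "protect the merchant in the event of a data breach" property the experts refer to.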

The Apple Pay secure element is as secure as the chip in UK chip and PIN cards, according to Liam Lannon, payments transformation consultant at Sopra Steria.

“Consider that the underlying architecture and standards which define what a secure element is, what it does and how it protects sensitive data, also cover the security hardware which we see every day in our chip and PIN cards. In fact, in many cases, exactly the same hardware as is used in our EMV-compliant chip and PIN cards will be integrated into handsets like the iPhone 6 as the secure element,” he explained.

“Not only is the hardware basically the same, the microcontroller which is at the heart of chip and PIN cards and secure elements will have been subject to rigorous security testing to ensure that it is fit for purpose, i.e. able to withstand external attacks and to employ tamper-resistant techniques to ensure that information is wiped should a hardware attack be detected.”

Ian Hermon, mobile payments specialist at Thales e-Security, added that Apple Pay would likely drive the popularization of mobile payments and contactless.

“Apple will find itself in a constant battle to balance user convenience while ensuring security is factored in from the start. This simply has to be a number-one priority if consumers are going to put their trust in mobile payments,” he added. 

“With that in mind, it is encouraging to see tokenization at the heart of the security agenda, which will help issuers with payment channel separation and also protect the merchant in the event of a data breach.”

But the proprietary, hardware-based security approach favored by Apple might not be enough to win over merchants, despite being stronger security-wise than software-based systems, argued Winston Bond, technical director of Arxan Technologies.

“The software-based, host card emulation (HCE) approach found in Android Pay is close on its heels. We have seen advancements with the HCE approach come a long way in recent times, as it achieves a similar level of security protection as hardware-based, and offers additional advantages of speed and agility,” he added.

“In fact, with Android platform global adoption at least four times greater than iOS, the probability of success in defining a mobile payment ecosystem with mass adoption and greater longevity resides in the software-based approach’s favor – as long as certain security precautions are taken, such as tamper-proofing software and white-box cryptography found with HCE.”

Yet Apple Pay is not 100% secure. In the US, reports emerged earlier this year that fraud losses had spiked thanks to poor authentication of users by banks during the new card provisioning process.

Cyber-criminals were calling up banks and having stolen credentials loaded onto new Apple Pay-enabled iPhones, it was revealed.

That said, this is something UK banks could easily put right from the start, according to Alisdair Faulkner, co-founder of global fraud prevention firm ThreatMetrix.

“One advantage adoption has in the UK over the US is a consumer base that is not addicted to swiping a card and is already familiar with NFC technology, whether it be buying a pint or tapping their Oyster card on their daily commute on the Tube,” he explained.

“This consumer and merchant readiness, combined with a more concentrated banking sector that has had the opportunity to learn from the on-boarding and associated fraud rates of US banks, bodes well for Apple Pay adoption and usage.”

Ian Rutland, CEO of mobile payment device maker Miura Systems, was also enthusiastic about the launch.

“Apple Pay offers a consumer a safe and secure way to pay using a mobile technology that millions of consumers are becoming increasingly more familiar with, just a simple tap and you are away,” he told Infosecurity.

“As the rollout starts in the UK we have seen growing demand for the deployment of contactless enabled solutions which demonstrates just how much mobile payments are the focus for this year.”
