Reaction: Apple Pay Builds in Decent Security Measures

Along with news of the iPhone 6 and the smartwatch, Apple made a splash this week with its Apple Pay announcement, detailing an ambitious plan to get into the mobile payments business. Security researchers so far seem bullish on the service’s security approaches.

Apple Pay is essentially a digital wallet, which can store credit and debit cards on the iPhone, and enable users to use them via near-field communications (NFC). Instead of swiping a card, users can pay by waving or tapping the phone using a sensor—for a transaction that takes about 10 seconds, the company said.

As a security measure, checking out requires users to touch their finger to the iPhone's fingerprint sensor to approve the transaction; the card will then be charged automatically.

The information on the phone itself is protected by something that Apple calls ‘the Secure Element.’ Account numbers are not sent to any Apple servers or shared with retailers, who instead get a proxy account number. Each transaction is protected by a one-time code.

“With this announcement, Apple validates the data-centric security model, and shines a spotlight on the need for the payment world to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data – tokenized payments,” said Mark Bower, retail security and payments expert and vice president of product management at Voltage Security, in an emailed note. “Through the use of this data-centric security strategy, Apple Pay reduces the risk of data breaches and credit card theft where it is supported. However, the world today is still in an early adoption phase with regard to new payment methods and mobile wallets, and retailers still have to contend with EMV and mag-stripe data and advanced threats. The good news is that even with innovations like Apple Pay, mixed payment environments can be secured end-to-end from the point of card read to the secure payment host, enabling merchants to accept new and old payments protected under a powerful unified data protection framework to thwart advanced threats, all while ensuring a seamless customer experience.”

And in case of loss or theft, users can disable Apple Pay via iCloud's 'Find My iPhone' feature.
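To make the tokenization model described above concrete, here is an added illustration that is not Apple's code and does not reproduce Apple Pay's actual protocol (the article gives no protocol details). It is a hypothetical toy: the issuer-side `TokenVault` keeps the real card number and hands the phone a proxy token plus a device key; the `PaymentDevice` signs each purchase with a one-time HMAC cryptogram over the transaction fields and a counter; the merchant only ever forwards the token and cryptogram; and `suspend()` models the remote-disable step for a lost phone. All class and field names, the sample card number and the merchant IDs are constructed for this example.

```python
import hmac
import hashlib
import secrets


def cryptogram(key, token, merchant, amount, counter):
    """One-time transaction code (hypothetical scheme): an HMAC over the token,
    merchant, amount and a per-device counter, so the code is bound to exactly
    one purchase and cannot be replayed or re-priced by a merchant."""
    data = f"{token}|{merchant}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TokenVault:
    """Issuer-side token service (constructed for this example). It holds the
    real card number (PAN) and the per-device key; merchants never see either."""

    def __init__(self):
        self._pan_by_token = {}
        self._key_by_token = {}
        self._used_counters = {}   # token -> counters already spent (replay check)
        self._suspended = set()

    def provision(self, pan):
        """Enrol a card: return a proxy account number and a device-bound key.
        The PAN itself never leaves the vault."""
        token = "tok_" + secrets.token_hex(8)   # constructed proxy identifier
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        self._used_counters[token] = set()
        return token, key

    def suspend(self, token):
        """Remote disable, the equivalent of the lost-or-stolen-phone case."""
        self._suspended.add(token)

    def authorize(self, msg):
        """Check a merchant-forwarded message; returns (approved, reason)."""
        token = msg["token"]
        key = self._key_by_token.get(token)
        if key is None:
            return False, "unknown token"
        if token in self._suspended:
            return False, "token suspended"
        if msg["counter"] in self._used_counters[token]:
            return False, "replay: counter already used"
        expected = cryptogram(key, token, msg["merchant"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "bad cryptogram"
        self._used_counters[token].add(msg["counter"])
        # Only here, inside the issuer, is the token mapped back to the real PAN.
        _real_pan = self._pan_by_token[token]
        return True, "approved"


class PaymentDevice:
    """Phone side: holds only the token and the device key, never the PAN."""

    def __init__(self, token, key):
        self._token = token
        self._key = key
        self._counter = 0

    def pay(self, merchant, amount):
        """Build the message the merchant receives; amount is in cents."""
        self._counter += 1
        return {
            "token": self._token,
            "merchant": merchant,
            "amount": amount,
            "counter": self._counter,
            "cryptogram": cryptogram(self._key, self._token, merchant, amount, self._counter),
        }


def demo():
    """Walk through approve, replay, tamper and remote-disable cases."""
    vault = TokenVault()
    token, key = vault.provision("4111111111111111")        # constructed test PAN
    phone = PaymentDevice(token, key)
    results = []
    first = phone.pay("MERCHANT-A", 1999)
    results.append(vault.authorize(first)[1])                # approved
    results.append(vault.authorize(first)[1])                # replay rejected
    second = phone.pay("MERCHANT-A", 500)
    results.append(vault.authorize(dict(second, amount=5))[1])  # tampered amount rejected
    results.append(vault.authorize(second)[1])               # untouched original approved
    vault.suspend(token)                                     # "Find My iPhone"-style disable
    results.append(vault.authorize(phone.pay("MERCHANT-B", 100))[1])  # token suspended
    results.append("4111111111111111" in str(first))         # False: merchant never saw the PAN
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that every check the merchant cannot perform (replay, tampering, suspension, PAN lookup) happens at the issuer, which is what allows a stolen merchant database to contain nothing directly chargeable.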

“Apple is being smart in addressing all of the potential vulnerabilities in Apple Pay,” John Gunn, vice-president of corporate communications for VASCO, told us. “The old approach to mobile security was to focus on protecting just the transaction. Today, it's moved to the bigger task of protecting the mobile device and all that it can do. Four and a half million mobile phones were lost or stolen last year; as the smartphone becomes a combined mobile wallet and authentication device, this will raise the stakes for everyone.”

Aside from the mobile commerce aspect, Apple Pay can also be used for e-commerce, and the company has already signed up a number of partners, including Uber.

Participating retailers include McDonald's, Whole Foods, Babies R Us, Macy's, Walgreens, Disney, Nike, Staples, Subway, Panera and Sephora (a partial list), and Visa, Mastercard and American Express are all on board for when the service launches in October.

Apple estimates that 83 percent of all credit card purchases will be compatible with the service.

“From the information released, Apple’s security measures are very sophisticated—and efforts to maintain the privacy and security of data will no doubt be at the core of their offering,” said Nick Pollard, senior director of professional services at Guidance Software, in a note to Infosecurity. “Time will tell if consumers are ready to swap cash and cards for mobile payments; that said, adoption rates for NFC payments are rising and the addition of mobile payments by Apple, which has a loyal base of customers, could shake things up further.”