If Apple has its way, you can soon do away with your wallet and instead tap your phone to pay for shopping. The group’s Apple Pay Wallet aims to replace cards with a system that uses the Passbook credit card-storage app and fingerprint ID security system. But just a week after attackers penetrated iCloud to steal naked celebrity photos, security firms have warned that more testing needs to be done on Apple Pay before shoppers can trust it with their payment details.
Apple Pay is designed to let iPhone 6 and 6 Plus owners use their smartphones to pay for purchases at shops as well as online via apps. The service will also be available on Apple Watch. It will be launched in the US in October. The system works using a technology called near-field communication (NFC), which allows mobile phones to communicate with other devices at close range. Users will pay by holding a phone close to a contactless reader with their finger on the Touch ID fingerprint system. The Cupertino-based firm says it’s easier and more secure than using a credit or debit card.
One of the major security concerns is in the way Apple will let people add a different credit card to their phone, so it can be used instead of the one the company has on file. To add a card, a user will take a picture of it with their iPhone and send it to an Apple data center. There it will be verified with their bank before it gets added to the user’s Passbook. However, it is unclear how the image is stored securely on the phone and how it is transmitted to prevent a criminal from intercepting it over public WiFi.
Security experts are concerned this could be a major flaw in the system. ‘Storing it on your phone in some readable format would be a pretty juicy target,’ Christopher Carlis, security consultant at Trustwave, told CSO Online. Another important point to consider is that Touch ID doesn’t always work properly if your fingers are wet, according to Dmitry Bestuzhev, Director of the Global Research and Analysis Team Latin America.
Apple allows customers to input a PIN instead of Touch ID. However, this shortcut scheme can be abused by cybercriminals while authorizing payments, said Mr Bestuzhev. Other experts are warning that its flaws won’t be found unless testing is done outside of Apple labs. ‘It still won’t be perfect,’ Tom Gorup, security operations center manager with Rook Security, told USA Today. ‘Attackers and researchers will poke and prod at this implementation until a hole is found,’ he said.
‘One security concern is that there is at least one new participant in the payment transaction which creates another point of attack – the handset manufacturer and network operator,’ said Richard Moulds, vice president of strategy at Thales e-Security. ‘In the past the only participants were the merchant, the merchant’s bank and your own bank. Apple is stating that it will not know the details of individual transactions which is very important but there is clearly the risk of attacks on the phone itself. No security measure is perfect and attackers around the world will now make cracking Apple Pay their number one challenge.’
Eddy Cue, Apple’s senior vice president of Internet software and services, said credit card information will be stored on the phone via a secure chip and payments will use a one-time security code. The Find My iPhone service can erase the data if the phone gets lost or stolen – cancelling a card will not be necessary. The service will be able to store Visa, MasterCard and American Express credit card information.
‘A cashier doesn’t see your name, credit card number or security code,’ when you pay with Apple Pay, Cue said. He also said Apple won’t track people’s financial data. ‘Apple doesn’t know what you bought, where you bought it or how much you paid,’ he said. ‘That transaction is between you, your merchant and your bank.’
Contactless payment isn’t new: Retailers like Starbucks and McDonald’s already have their own contactless payment system in stores, and Apple Pay is similar to Google Wallet, which is available on Android smartphones and iPhones. But Apple Pay adds some security features and makes a digital wallet option more accessible for iPhone users. Retailers will need to invest in updating their cash registers and point-of-sale units. Apple said shops like Macy’s and Bloomingdales, drugstores including Walgreen’s and Duane Reade, and other stores including McDonald’s, Staples, Subway and Whole Foods are participating in Apple Pay.
But some of the largest retailers are not participating. Wal-Mart said it has no plans to participate. Amazon.com did not respond to a request for comment. And Target said it is currently participating only via its app. Gartner analyst Avivah Litan said the payment system will only succeed if major retailers get behind it. Apple’s security features are a plus for merchants, but it’s not clear if that will be enough. ‘It’s 50-50 if merchants will get on board,’ she said. ‘The security aspects are attractive, but it’s not clear if the security features alone are going to be enough of a selling point.’
IDC analyst James Wester said the move is in some ways Apple playing catch-up to Google Wallet, but the fact that the system uses Apple’s fingerprint technology is a plus. ‘It’s not that different than what other mobile wallets have done,’ he said. ‘The important part is that it’s Apple. We’ve been waiting for them to get into this.’ Ernest Doku, technology expert at uSwitch.com, said: ‘Let’s hope Apple Pay works better than the tech giant’s first live event screening, which prompted some serious Twitter rage.’
Apple has been plagued with security concerns over recent weeks. Earlier this month, the firm admitted the theft of hundreds of celebrity pictures from its iCloud service. Apple said it was ‘outraged’ by the attacks, and added they were the result of ‘a very targeted attack on user names, passwords and security questions’. But the group added that none of the cases resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.