Security & Apple Pay
Is Apple Pay Vulnerable to Hacking? [Source: https://www.youtube.com/watch?v=Nf9iopf9Ars]
There are certainties in life. The sun will rise in the east and set in the west. And, rest assured, any Apple product you buy is going to be connected to every other Apple product currently on the market. But what about Apple Pay, the mobile payment service and digital wallet that the company unveiled in fall of last year? How do its connections to other Apple products help or hinder it?
Let's start at the very beginning. The initial idea behind Apple Pay was to help consumers make payments using Apple mobile devices. Apple Pay would accomplish this feat by replacing the credit or debit card's magnetic stripe at credit card terminals. Apple partnered with an array of blue-chip companies, including American Express, MasterCard, and Visa. At first, all seemed to be operating smoothly: Apple Pay worked with Visa's PayWave, MasterCard's PayPass, and American Express' ExpressPay terminals.
But in January of this year, DROP Labs, a mobile payments/commerce strategy and advisory practice, found that banking institutions were verifying users and cards over the telephone. They reported that fraudsters had successfully used Apple Pay as a conduit for transactions using counterfeit cards. While Apple Pay's inherent security mechanisms, such as tokenization and TouchID biometric authentication, had not been compromised, the tools and practices used to verify account holders and the cards being loaded to 'i-devices' appeared to be the weak link.
The fraud has more to do with identity theft than with breaking into Apple's encrypted biometric payment service. The cyber-criminals are setting up new iPhones with stolen credit card information, then impersonating the victim through social engineering, using other information easily found online, and so tricking the bank into thinking they are the authorized user in order to verify the new card. Given that criminals can easily purchase credit card details and other personal data off black market sites, it is a relatively easy scam operation compared to elaborate infiltrations of large retail chains like Target.
In the case of Apple Pay, it's interesting to note that banks are actually the ones doing the authentication, not Apple. And each bank can have its own method of authorizing cards. Naturally, banks want to make it easy and seamless for customers, but at times, it is a trade-off between usability and security.
Although banks are ultimately responsible for authorizing a card, they must also cross-check the recent activity of the card in question, along with information provided by Apple, and then determine the course of action. Retailers (online or otherwise) should also ask for proof of identification at check-out. I believe Apple can play a more important role in the verification process. For example, at the time of signing up for Apple Pay, Apple should insist on an out-of-band second factor, a one-time PIN issued by the bank, to register a new card on an i-device. This one-time effort on the part of the user will ensure that Apple Pay remains secure, without compromising ease of use.
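The bank-side check proposed above, as an added example (not from the original article, Apple, or any bank): a one-time PIN bound to one card and one device, with expiry, single use and an attempt cap. The class name, the `card_ref` and `device_id` identifiers, the 5-minute lifetime and the three-attempt limit are assumptions, and delivery of the PIN over the out-of-band channel is left to the caller.

```python
import hashlib, hmac, secrets, time

PIN_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed number of tries before the PIN is voided


class ProvisioningVerifier:
    """Hypothetical bank-side gate run before a card is activated on a new device."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # (card_ref, device_id) -> [salt, digest, expires_at, attempts_left]
        self._pending = {}

    @staticmethod
    def _digest(salt, pin, card_ref, device_id):
        # Bind the PIN to one card and one device so it cannot be replayed elsewhere.
        msg = f"{card_ref}|{device_id}|{pin}".encode()
        return hmac.new(salt, msg, hashlib.sha256).digest()

    def issue(self, card_ref, device_id):
        """Return a 6-digit PIN. The caller sends it to contact details already
        on file for the cardholder, never to ones supplied in the request."""
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[(card_ref, device_id)] = [
            salt, self._digest(salt, pin, card_ref, device_id),
            self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin  # only the salted digest is stored server-side

    def verify(self, card_ref, device_id, pin):
        key = (card_ref, device_id)
        entry = self._pending.get(key)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[key]
            return False
        ok = hmac.compare_digest(digest, self._digest(salt, pin, card_ref, device_id))
        if ok or attempts_left <= 1:
            del self._pending[key]   # single use, or voided after the last allowed miss
        else:
            entry[3] = attempts_left - 1
        return ok
```

A failed or expired check leaves the card inactive on the device, so stolen card details and publicly available personal data are not enough on their own to complete enrollment.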
Apple already stands out in the crowd for seamless connectivity between its products. With an added layer of security for its devices (and new products like the Apple Watch), Apple's sun will continue to rise.