Is Apple Pay as Secure as Apple Intended It to Be?
Apple Pay continues to generate press and inspire change three months after its launch. But has it lived up to its promises, especially when it comes to security — a major drawing card for consumers? As Daisuke Wakabayashi reports for The Wall Street Journal, Apple Pay is making progress toward its first goal of convincing people to use it — much more successfully than previous efforts by Google, eBay, and an array of startups offering their own mobile wallets. Finance industry watchers attribute Apple Pay’s momentum to the popularity of its consumer gadgets, a major marketing push from banks and credit card issuers, and widespread security concerns following high-profile security breaches that exposed customers’ debit and credit card information.
With Apple Pay, instead of swiping a card and signing a receipt, users place an iPhone in front of an NFC reader and complete a transaction with fingerprint authentication through TouchID. The authorization of the transaction relies on a one-time code, and merchants never see the card number, reducing vulnerability. Apple Pay now has more than 45 partner banks and institutions.
McDonald’s and Walgreens, both early adopters of Apple Pay, reported that twice as many customers are now paying through wireless readers since Apple Pay arrived (though neither have disclosed how many use Apple Pay versus other payment services). Apple says that more than 220,000 locations accept Apple Pay, and that card issuers who are responsible for 90% of credit card spending support the service. While little has been disclosed about how widely the service is being used, trends appear to be positive, with Bank of America reporting that almost 800,000 customers signed up for Apple Pay in the fourth quarter.
Apple Pay is so far limited to the United States and works only on the latest generation of the iPhone and iPad. Only a small percentage of retailers have installed the requisite hardware to support payments from Apple Pay and other contactless payment systems, and still others that have the hardware have stopped enabling customers to use it as they wait for the mobile payments system to be introduced by a consortium of retailers.
Is Apple Pay as secure as Apple intended it to be?
Not all has been smooth sailing for Apple Pay, with recent reports claiming that its security may not be all that Apple had hoped it would be. And as Technology Review notes, security concerns are a major force that can derail the “boom” in payment technologies. Accenture surveyed 4,000 consumers in North America and found that while more people expect to use mobile payments, 57% were concerned about the security of such transactions, up from 45% two years ago. Apple Pay and Google Wallet use a system that creates a one-time token for each transaction, and sends that instead of the actual credit card information through the system.
Cherian Abraham of Drop Labs reports that credit card issuers keep losses from fraud to $0.10 or less per $100 of transactions for a rate of 10 basis points, or bps. Issuers hoped for lower rates of Apple Pay fraud — somewhere between 2bps and 3bps — considering security protections like issuer support during provisioning, NFC, tokenization, the tamper proof Secure Element, and TouchID. But it reportedly turns out that it’s much easier to commit credit card fraud with Apple Pay than Apple (and card issuers) had hoped. Drop Labs reports that one issuer’s fraud rate is 600bps, thanks to a security problem that has nothing to do with Touch ID, NFC, the Secure Element, or even stolen iPhones.
In his blog post, Abraham explains that all participating card issuers are required to create what’s called a “Yellow Path” for collecting additional bank information when provisioning a card into Apple Pay. Implementation has varied among issuers; when verification is required, customers could be directed to their issuer’s call center, be asked to authenticate through the bank’s mobile app, or be asked to authenticate with a two-factor code sent to the card owner’s phone, depending upon the policies of the card issuer. These methods work with varying levels of success and friction, but just a few issuers have opted to have customers authenticate through their mobile apps, and instead most opt for call-in authentication, which is much easier for fraudulent users to pass.
Card issuers are reportedly the weakest link with Apple Pay
Drop Labs characterizes issuers’ implementations of Apple Pay’s Yellow Path as “inadequate,” and posits that most of the fraud that has occurred so far in Apple Pay can be attributed to stolen identities — the one security problem that banks and card issuers should be most prepared for, especially when implementing a process to check if card use is legitimate. But instead, people are buying credit card numbers online, loading them on Apple Pay, and taking advantage of the fact that banks aren’t taking strong enough measures to verify that the card owner is actually the one using it in Apple Pay. The post explains:
For all the paranoia around elevating your phone to be the container for all your credit cards – fraud in Apple Pay has assumed more traditional and unsophisticated ways. No, iPhones weren’t stolen and then used for unauthorized purchases, TouchID was not compromised, Credentials weren’t ripped out of Apple’s tamper proof secure element – nor the much feared but rarely attempted MITM attacks(capture and relay an NFC transmission at a different terminal). Instead fraudsters bought stolen consumer identities complete with credit card information, and convinced both software and manual checks that they were indeed a legitimate customer.
Abraham explains that fraud on Apple Pay is unique in that Apple Pay setup is one of the first things that a user would complete upon getting a new iPhone — likely before he’s installed his card issuer’s app or given the device any context with the bank. Thus many banks have defaulted to requiring the customer to contact the call center to verify a card. For all of the focus on protecting transactions and physical cards, provisioning is both under-protected and easily compromised. Banks and card issuers can likely fix the problem by doing away with the call-in option, closing a vulnerability in Apple Pay’s security.
While MIT’s Technology Review reports that cash accounts for 55% of payments in the U.S., new technologies, including digital wallets, cryptocurrencies, and mobile peer-to-peer payments, are beginning to tip the balance and accelerate the move away from cash. Some technologies, including Apple Pay and LoopPay, run on top of the payment networks that are owned and operated by banks and credit card companies, and are designed to make those established systems faster, more convenient, or more secure — and to convert transactions that are now being done in cash.
Banks and credit card companies have seen their positions strengthened by recent developments. Unlike earlier innovations like Google Wallet and PayPal, Apple Pay doesn’t try to attempt players like Visa and Bank of America. In users’ wallets in Apple Pay, they use exactly the same card as they have in the wallet in their pocket. LoopPay’s digital wallet, which can be used in many more terminals than Apple Pay thanks to the copper loop technology it uses to simulate a card’s magnetic strip, also relies on the existing credit card system.
Apple Pay and systems like it will continue to make gradual changes in the ways we pay, and security provisions at every step of the process will become more important than ever in making sure that customers’ information and payments are as secure as possible.