Thursday, 11 September 2014

Apple Pay ... Is it secure?

On the 9th September 2014, Apple finally announced two new iPhone models: iPhone 6 and iPhone 6 Plus. I won't go into any detail of the features they offer, because it looks like a lot of people have already talked about them.

However, there is one feature that I am particularly interested in. The Apple Pay. From what I have seen of it, it looks very convenient.

For now, let's look briefly at how it works. (Thanks TechCrunch for the video.)


Wow! Quick and convenient! What more can you ask for?

One question that instantly came to mind when looking at the demo of this sort. Is Apple Pay secure?

In order to answer this question, let us think about the technology involved in this. The first thing that makes this work is the NFC technology. Secondly, the credit card detail is required to be stored on the phone. Thirdly, the fingerprint of the user.

Let's analyse. Well, I will just do whatever I can here. haha!

First of all, the NFC technology is an integral part of this Apple Pay. Without it, no communication between the phone and the point-of-sale is possible. What information is to be transferred between them? Of course, the user's credential information. You should be asking questions right about now. ...

Apple said nothing at the event about how the communication takes place, and more importantly, how the communication is to be made secure. Why not? I don't really know.

NFC's range is said to be no further than 20 cm, which may be enough to prevent any information interception (during the payment by a person in line next to the payer). However, remember that 20 cm is just an estimate. Therefore, it is still possible that the information can travel a little further than expected. If this happens then we may be in trouble.

NFC's standard is the ISO14443, which does not appear to have a part on security! It is, therefore, up to Apple to answer how they have made the communication between the phone and the point-of-sale secure.

The next thing is that after using the Apple Pay to pay for anything, does the NFC get automatically turned off? If not, it means that a communication channel is left open to anyone to try to get into the phone (albeit to be within the communication range is not that easy, but still not impossible).

So ... the first component of Apple Pay, the NFC, still leaves a question.

The second aspect of Apple Pay is the storing of credit card information. Yes, it is neccessary to do so otherwise this would not work. Anyway, it was good to hear Apple say that the information is to be encrypted by Apple's "secure element" (no real algorithm has been mentioned). Another thing that was pleasing to hear is that no information will be sent to the Apple server. Good good. Personally, I do trust that Apple can do a good job in securing the information on the iPhone for us, provided that we do not lose the phone! haha!

Still, how the credit card information is securely sent to the point-of-sale for verification remains to be answered. This is actually back to the NFC question.

The third component to be discussed is the fingerprint. Apple has taken the advantage of having the fingerprint scanner on the iPhone here. Clever. I quite like the idea of using biometric as a factor of authentication. At least, it is better than using a pin code, which can easily be stolen.

Speaking of stealing, I think one of the reasons Apple decided to use fingerprint as a factor of authentication is to at least make it more difficult to use the Apple Pay when a phone is lost or stolen. But ... let's not forget that fingerprint can also be faked! This is how. (A few years ago, I had students in my information security class research on this exact topic, too. Interesting it was.)

One final point ... Apple Pay uses credit card information and user's fingerprint for verification and authentication purposes. Is this a two-factor authentication? Not sure, but it looks like a single-factor authentication to me (credit card information not being a factor since another person can easily transfer the information using the same phone), at a glance here. Hmmm ... one-factor authentication. I'm sure I have heard that there are problems with this. hehe! At least another factor should really used, I think.

Why don't they use their Apple Watch as a second factor of authentication? Just a funny idea ... haha!

On the whole, the idea of Apple Pay is to provide convenience to users. Some security questions remain to be explained, especially the security of data transfer via NFC. The final question is "would people use it because it is convenient despite some security doubts?".

No comments:

Post a Comment