Apple Pay – just how safe is it going to be?

September brings many things.

There’s an equinox, a Harvest/Spring Moon, the makings of the start of winter/summer, the shift from the wet/dry to the dry/wet season…

…and Apple’s big annual new product announcement day.

Apple Live 2014 was CEO Tim Cook’s first time at bat with a brand new product to announce, the Apple Watch (not, as we blithely wrote here at first, the iWatch), and he doesn’t seem to have disappointed Apple fans.

As well as the Watch, there’s a free U2 album for all iTunes users, the iPhone 6/6 Plus and, perhaps of most interest to security watchers, Apple Pay.

Only the U2 album is actually available right now; the other products will be appearing in days (iPhone 6), weeks (Apple Pay) and months (Apple Watch), at least in the USA.

Apple Pay

Like Google Wallet, introduced in 2011, Apple Pay is taking aim at the “tap-to-pay” market, using Near Field Communication (NFC) technology that pretty much turns your mobile phone into an NFC-enabled payment card.

Unlike a traditional magstripe or Chip-and-PIN card, NFC chips use radio waves, so they can work without contact.

You don’t have to swipe your card past a tape-recorder-style magnetic head to read data off it, or poke it into a slot where metal contacts touch the chip and temporarily wire it into a circuit.

NFC chips – you probably have one in your passport or your train ticket, and perhaps in your credit card – have an antenna that also acts as a magnetic coil.

When you wave the chip near an electromagnetic field, the coil produces just enough current to wake up the chip so it can engage in a communication exchange with the NFC reader, and, in a word, “Bingo.”

Near Field Communication!

→ If NFC sounds like an extension of RFID (radio frequency identification), don’t be surprised. NFC emerged from RFID, and NFC readers can trigger and receive data from compatible RFID fobs, tokens and cards. Note that a Chip-and-PIN payment card that supports tap-to-pay actually has two chips: the NFC chip-plus-antenna is sealed inside the card, and is physically separate from the Chip-and-PIN circuitry that breaks the surface as a rounded rectangle of metal contacts on the top of the card.

The burning question, of course, is why would you use your iPhone 6 or your Apple Watch (or, for that matter, your NFC-enabled Android device) for tap-to-pay purchases when you probably already have, or could ask your bank for, a credit card with an NFC chip inside it.

Why entrust your credit card details to yet another company, under yet another set of terms and conditions, just so you can get out your phone to pay for your coffee instead of getting out your credit card?

Apple has the answers

Apple certainly thinks it has the answers, notably including some of the answers that Google didn’t have when it launched Google Wallet.

It’s all in the convenience, the workflow and the security.

Yes, says Apple, the security.

After all, many Apple customers are already comfortable with:

  • Trusting Apple with a vast portion of their digital lives, through iCloud.
  • Making online credit card payments via Apple, through iTunes and the App Store.
  • Unlocking their devices with the iPhone’s fingerprint scanner.

So, if you’re an Apple fan who’s already into using the NFC chip in your credit card to tap to pay for low-value items like coffees, newspapers, lunch-time sandwiches, car parking and the like…

…chances are that you’ll love Apple Pay.

You don’t actually store your credit card data on your iPhone.

You merely store a cryptographic equivalent in the NFC chip’s secure memory, and this is used to authorise Apple to authorise your payment provider to bill your account.

So there is no copy of your credit card data, stored or used, that could be extracted, RAM scraped or skimmed by a crook, as happens in traditional credit card breaches. (Even Chip-and-PIN cards typically have a fallback magnetic stripe that can be skimmed to reveal data that a crook could misuse in subsequent online transactions.)
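To make the “cryptographic equivalent instead of card data” idea concrete, here is an added example (not Apple’s scheme, and not code from the original article) of the general payment-tokenisation pattern: an issuer-side token vault is the only place the real card number lives, the device holds a surrogate token plus a per-device secret, and the merchant only ever receives the token and a one-time cryptogram. The class and function names, the HMAC-SHA256 cryptogram, the nonce-based replay check and the sample card number are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number for the demo; not a real account.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Issuer-side token vault (hypothetical). It is the only component that
    ever holds the real card number (PAN); devices and merchants see tokens."""

    def __init__(self):
        self._entries = {}       # token -> (pan, device_key)
        self._seen_nonces = set()

    def provision(self, pan, device_id):
        """Issue a surrogate token plus a per-device secret for one device.
        This pair is what the device would keep in its secure memory."""
        token = "9" + secrets.token_hex(8)[:15]   # 16-char surrogate, never equal to the PAN
        device_key = secrets.token_bytes(32)
        self._entries[token] = (pan, device_key)
        return token, device_key

    def authorise(self, token, amount_cents, nonce, cryptogram):
        """Verify a transaction cryptogram; reject unknown tokens and replays."""
        entry = self._entries.get(token)
        if entry is None or nonce in self._seen_nonces:
            return False
        _pan, key = entry
        expected = make_cryptogram(key, token, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._seen_nonces.add(nonce)
        return True


def make_cryptogram(device_key, token, amount_cents, nonce):
    """Device side: a one-time MAC binding token, amount and nonce together.
    Stands in for an EMV-style transaction cryptogram (HMAC-SHA256 is an assumption)."""
    msg = f"{token}|{amount_cents}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def merchant_checkout(vault, merchant_log, token, device_key, amount_cents):
    """What a tap-to-pay terminal sees and stores: token + cryptogram, never the PAN."""
    nonce = secrets.token_hex(8)
    cryptogram = make_cryptogram(device_key, token, amount_cents, nonce)
    record = {"token": token, "amount": amount_cents, "nonce": nonce, "cryptogram": cryptogram}
    merchant_log.append(record)   # the merchant's transaction store
    return vault.authorise(token, amount_cents, nonce, cryptogram), record


def run_demo():
    """Provision one device, buy a coffee, then check what a breach of the
    merchant's records would and would not let an attacker do."""
    vault = TokenVault()
    token, key = vault.provision(SAMPLE_PAN, device_id="phone-1")
    log = []
    paid, rec = merchant_checkout(vault, log, token, key, 350)

    # Simulated scrape of the merchant's stored data: is the PAN anywhere in it?
    pan_leaked = any(SAMPLE_PAN in str(v) for r in log for v in r.values())

    # Replaying the captured record verbatim fails on the nonce check.
    replay_accepted = vault.authorise(rec["token"], rec["amount"], rec["nonce"], rec["cryptogram"])

    # Reusing the token for a larger amount without the device key fails the MAC check.
    forgery_accepted = vault.authorise(token, 99900, secrets.token_hex(8), rec["cryptogram"])

    return {
        "paid": paid,
        "pan_leaked": pan_leaked,
        "replay_accepted": replay_accepted,
        "forgery_accepted": forgery_accepted,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the last three checks: the merchant’s records contain nothing that maps back to the card number, and the captured token is useless on its own because each authorisation needs a fresh cryptogram that only the device’s secret can produce.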

And there’s extra safety compared to using your NFC credit card: on the iPhone, you’ll need to tap to pay with your finger on the fingerprint scanner.

So even if someone steals your unlocked phone, chances are they won’t be able to tap to pay in your place.

That’s not the case with an NFC credit card, which has no way of deciding whether you or a thief is holding it.

Yet the fingerprint scanner approach is much more convenient than having to unlock your phone with a PIN or password before tapping it, which is no faster (and perhaps even more cumbersome) than just doing a regular Chip-and-PIN transaction.

And when Apple Pay goes live, it will already support several credit cards, numerous banks, many stores and not a few apps, too.

Sounds good, doesn’t it?

The end of skimming?

You can’t be skimmed or carded; you never have to let checkout staff touch, or even see, your card, or your name, or that magic CID/CVV2 code printed on it; thieves can’t rush into a shop and tap your phone to buy stuff like they could if they stole your NFC credit card; and chances are you’ve already uploaded your credit card data to Apple for iTunes or the App Store.

So, what could possibly go wrong?

As far as we can see, the key issue is that your Apple Pay information is tied to your Apple ID, just like the rest of your iCloud data.

In other words, exactly the same security shortcomings in iCloud that led to the recent stolen nude celebrity photo scandal might be a path to the outright theft of your digital wallet.

You wouldn’t want to risk welding your digital wallet to one and only one iPhone.

What if you dropped it in the harbour, reversed over it in your garage, or, for that matter, had it stolen?

Even if you were to wipe it immediately to stop a crook misusing it, you wouldn’t want to lock yourself out of your digital life altogether.

So Apple lets you as good as clone your device, and all your data, by restoring a new device via the iCloud service.

One-factor authentication

As we’ve recently discussed, a single factor of authentication, your Apple ID password, is enough to “recreate” a lost iPhone, populated with data from your iCloud backup.

Apple has an SMS-based two-step verification system that can make your Apple ID password useless on its own, but it isn’t used with iCloud.

That’s a security shortcoming that we hope Apple fixes soon.

Indeed, as far as we can see, the same shortcoming that helps cybercriminals to steal your selfies, your calendar data, your contacts and so on will help them to make what is effectively a clone of your Apple Pay device.

The good news is that Apple does presently require you to go through two-step verification for your first purchase from a new device.

So a crook ought not to be able to start buying things on your account in the same way that he can currently start riffling through your personal photos after an illicit iCloud recovery.

Nevertheless, we still think two-step verification should kick in earlier in the “restore my device” process, whether that’s a new device you’re setting up, or a factory-reset device that Apple has seen you use before.

So we’re repeating our poll in which we urge you to vote to ask Apple to offer an extra level of security – a second step of verification, in fact! – that will remove some of the so-called frictionlessness in retrieving your personal data from iCloud.

Friction has its place – ask anyone who has ever tried to stop a moving car.

Image of faux credit cards courtesy of Shutterstock.