September brings many things.
There’s an equinox, a Harvest/Spring Moon, the makings of the start of winter/summer, the shift from the wet/dry to the dry/wet season…
…and Apple’s big annual new product announcement day.
Apple Live 2014 was CEO Tim Cook’s first time at bat with a brand new product to announce, the Apple Watch (not, as we blithely wrote here at first, the iWatch), and he doesn’t seem to have disappointed Apple fans.
As well as the Watch, there’s a free U2 album for all iTunes users, the iPhone 6/6 Plus and, perhaps of most interest to security watchers, Apple Pay.
Only the U2 album is actually available right now; the other products will be appearing in days (iPhone 6), weeks (Apple Pay) and months (Apple Watch), at least in the USA.
Apple Pay
Like Google Wallet, introduced in 2011, Apple Pay is taking aim at the “tap-to-pay” market, using Near Field Communication (NFC) technology that pretty much turns your mobile phone into a NFC-enabled payment card.
Unlike a traditional magstripe or Chip-and-PIN based card, NFC chips use radio waves so they can work without contact.
You don’t have to swipe your card past a tape-recorder-style magnetic head to read data off it, or poke it into a slot where metal contacts touch the chip and temporarily wire it into a circuit.
NFC chips – you probably have one in your passport or your train ticket, and perhaps in your credit card – have an antenna that also acts as a magnetic coil.
When you wave the chip near an electromagnetic field, the coil produces just enough current to wake up the chip so it can engage in a communication exchange with the NFC reader, and, in a word, “Bingo.”
Near Field Communication!
→ If NFC sounds like an extension of RFID (radio frequency identification), don’t be surprised. NFC emerged from RFID, and NFC readers can trigger and receive data from compatible RFID fobs, tokens and cards. Note that a Chip-and-PIN payment card that supports tap-to-pay actually has two chips: the NFC chip-plus-antenna is sealed inside the card, and is physically separate from the Chip-and-PIN circuitry that breaks the surface as a rounded rectangle of metal contacts on the top of the card.
The burning question, of course, is why would you use your iPhone 6 or your Apple Watch (or, for that matter, your NFC-enabled Android device) for tap-to-pay purchases when you probably already have, or could ask your bank for, a credit card with an NFC chip inside it.
Why entrust your credit card details to yet another company, under yet another set of terms and conditions, just so you can get out your phone to pay for your coffee instead of getting out your credit card?
Apple has the answers
Apple certainly thinks it has the answers, notably including some of the answers that Google didn’t have when it launched Google Wallet.
It’s all in the convenience, the workflow and the security.
Yes, says Apple, the security.
After all, many Apple customers are already comfortable with:
- Trusting Apple with a vast portion of their digital lives, through iCloud.
- Making online credit card payments via Apple, through iTunes and the App Store.
- Unlocking their devices with the iPhone’s fingerprint scanner.
So, if you’re an Apple fan who’s already into using the NFC chip in your credit card to tap to pay for low-value items like coffees, newspapers, lunch-time sandwiches, car parking and the like…
…chances are that you’ll love Apple Pay.
You don’t actually store your credit card data on your iPhone.
You merely store a cryptographic equivalent in the NFC chip’s secure memory, and it is this equivalent that authorises Apple, and in turn your payment provider, to bill your account.
So there is no copy of your credit card data, stored or used, that could be extracted, RAM scraped or skimmed by a crook, as happens in traditional credit card breaches. (Even Chip-and-PIN cards typically have a fallback magnetic stripe that can be skimmed to reveal data that a crook could misuse in subsequent online transactions.)
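The following is an added, simplified model of the idea in the paragraph above, written for this page and not Apple’s own protocol or code: the card issuer hands the device a random token (a “device account number”) and a key that stays inside the device’s secure store; each tap emits only the token plus a one-time cryptogram bound to the merchant, amount and a counter. The message format, the HMAC-based cryptogram, the counter scheme and every name and sample value below are assumptions chosen to show why skimmed data is useless to a crook. It runs stand-alone.

```python
"""
Simplified tokenisation model with a per-transaction cryptogram.
Added illustration only: not Apple Pay's real protocol or code. Field
names, key handling and the counter-based replay check are assumptions.
"""
import hashlib
import hmac
import os
import secrets


def _cryptogram(key, token, merchant, amount, counter):
    """One-time authorisation code over the transaction details."""
    data = f"{token}|{merchant}|{amount}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Issuer:
    """Card issuer / token service. Only this side can map a token back
    to the real card number (PAN); the PAN never travels over NFC."""

    def __init__(self):
        self._pan_by_token = {}     # token -> real PAN
        self._key_by_token = {}     # token -> secret shared with the device
        self._last_counter = {}     # token -> highest counter accepted so far

    def provision(self, pan):
        """Enrol a card on one device: return a (token, key) pair.
        The token is random, so it reveals nothing about the PAN."""
        token = "DAN" + secrets.token_hex(8)   # constructed "device account number"
        key = os.urandom(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        self._last_counter[token] = 0
        return token, key

    def authorise(self, msg):
        """Check a payment message relayed by a merchant terminal.
        Returns (accepted, reason)."""
        token = msg["token"]
        key = self._key_by_token.get(token)
        if key is None:
            return False, "unknown token"
        expected = _cryptogram(key, token, msg["merchant"], msg["amount"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "bad cryptogram"
        # The counter must strictly increase, so a captured message
        # cannot be presented again for a second charge.
        if msg["counter"] <= self._last_counter[token]:
            return False, "replayed counter"
        self._last_counter[token] = msg["counter"]
        return True, "approved"


class SecureElement:
    """Device-side store. The key never leaves this object; the device
    only ever emits the token plus a fresh cryptogram."""

    def __init__(self, token, key):
        self._token = token
        self._key = key
        self._counter = 0

    def tap_to_pay(self, merchant, amount):
        """Build the message an NFC reader receives on a tap."""
        self._counter += 1
        return {
            "token": self._token,
            "merchant": merchant,
            "amount": amount,
            "counter": self._counter,
            "cryptogram": _cryptogram(self._key, self._token, merchant, amount, self._counter),
        }


def run_scenario():
    """A genuine tap, then a skimmer replaying it, then a skimmer altering it.
    Returns the issuer's decision for each, plus whether the PAN leaked."""
    issuer = Issuer()
    pan = "4111111111111111"                  # constructed test card number
    token, key = issuer.provision(pan)
    device = SecureElement(token, key)

    genuine = device.tap_to_pay("coffee-shop", "3.50")
    skimmed = dict(genuine)                   # what an eavesdropping reader sees
    altered = dict(skimmed, merchant="rogue-merchant", counter=skimmed["counter"] + 1)

    return {
        "genuine": issuer.authorise(genuine),
        "replay": issuer.authorise(skimmed),
        "altered": issuer.authorise(altered),
        "pan_in_message": pan in str(genuine),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point of the scenario is the contrast with a magstripe: the genuine tap is approved, the byte-for-byte replay is refused because its counter has already been used, the edited copy fails because the cryptogram no longer matches, and nothing in the message contains the card number.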
And there’s extra safety compared to using your NFC credit card: on the iPhone, you’ll need to tap to pay with your finger on the fingerprint scanner.
So even if someone steals your unlocked phone, chances are they won’t be able to tap to pay in place of you.
That’s not the case with an NFC credit card, which has no way of deciding whether you or a thief is holding it.
Yet the fingerprint scanner approach is much more convenient than having to unlock your phone with a PIN or password before tapping it, which is no faster (and perhaps even more cumbersome) than just doing a regular Chip-and-PIN transaction.
And when Apple Pay goes live, it will already support several credit cards, numerous banks, many stores and not a few apps, too.
Sounds good, doesn’t it?
The end of skimming?
You can’t be skimmed or carded; you never have to let checkout staff touch, or even see, your card, or your name, or that magic CID/CVV2 code printed on it; thieves can’t rush into a shop and tap your phone to buy stuff like they could if they stole your NFC credit card; and chances are you’ve already uploaded your credit card data to Apple for iTunes or the App Store.
So, what could possibly go wrong?
As far as we can see, the key issue is that your Apple Pay information is tied to your Apple ID, just like the rest of your iCloud data.
In other words, exactly the same security shortcomings in iCloud that led to the recent stolen nude celebrity photo scandal might be a path to the outright theft of your digital wallet.
You wouldn’t want to risk welding your digital wallet to one and only one iPhone.
What if you dropped it in the harbour, reversed over it in your garage, or, for that matter, had it stolen?
Even if you were to wipe it immediately to stop a crook misusing it, you wouldn’t want to lock yourself out of your digital life altogether.
So Apple lets you as good as clone your device, and all your data, by restoring a new device via the iCloud service.
One-factor authentication
As we’ve recently discussed, a single factor of authentication, your Apple ID password, is enough to “recreate” a lost iPhone, populated with data from your iCloud backup.
Apple has an SMS-based two-step verification system that can make your Apple ID password useless on its own, but it isn’t used with iCloud.
That’s a security shortcoming that we hope Apple fixes soon.
Indeed, as far as we can see, the same shortcoming that helps cybercriminals to steal your selfies, your calendar data, your contacts and so on will help them to make what is effectively a clone of your Apple Pay device.
The good news is that Apple does presently require you to go through two-step verification for your first purchase from a new device.
So a crook ought not to be able to start buying things on your account in the same way that he can currently start riffling through your personal photos after an illicit iCloud recovery.
Nevertheless, we still think two-step verification should kick in earlier in the “restore my device” process, whether that’s a new device you’re setting up, or a factory-reset device that Apple has seen you use before.
So we’re repeating our poll in which we urge you to vote to ask Apple to offer an extra level of security – a second step of verification, in fact! – that will remove some of the so-called frictionlessness in retrieving your personal data from iCloud.
Friction has its place – ask anyone who has ever tried to stop a moving car.
Image of faux credit cards courtesy of Shutterstock.
Just a small note to your great article: the new watch is officially called the Apple Watch, not the iWatch. Could be relevant for folks looking for this article using a search engine.
Hmmm. Indeed it is. In fact, the blurb just says “Watch.” And the logo version (where they have the product name next to the Apple logo) actually says “WATCH.”
Thanks for pointing that out…I’ll make the needed edits. With the all-new products being “Pay” and “Watch,” maybe we’re entering the i-less era?
People are speculating why they dropped the “i” from the Watch, but from your comment, I just realized that “iPay” would have been even worse!
Nice article, but I think it is a little incorrect.
It’s assuming fingerprint and CC hash is backed up to iCloud/iTunes/Apple. I believe this is not the case as per Apple’s documentation (http://support.apple.com/kb/HT5949).
Restoring to a new device would require setup of prints and CC again.
Good thinking. But as far as I can see, the article you link to doesn’t deal with the credit card issue, only fingerprint registration.
I suspect your stored CC data *will* be remembered by Apple between restores, so you will not need to register your credit card again. (As far as I know, it is certainly retained between iCloud restores right now, because our own Chester Wisniewski was able to do an iCloud backup from a phone, restore it onto a Mac and then buy software from the App Store without re-entering his payment card details. In fact, because he had used that Mac in the past with the same Apple ID, he didn’t even need to go through two-step verification.)
As for re-registering your fingerprint….well, a crook with his own device would just register *his* fingerprint instead to unlock his device. (If Apple isn’t retaining the previous fingerprint data, then it can’t watch for fingerprint changes, no matter how suspicious that might seem 🙂
But that would, I assume, be an account configuration change, and IIRC *that* would require two-step verification.
Yes, the article I linked was about the print, there doesn’t appear to be any public kb’s for Apple Pay specifically yet.
To use an already stored CC (say the one linked to your Apple ID) you would have to put in the full number on the device for it to be able to generate the “Account ID” hash actually used in payments, the CC number itself is not stored. There’s also the confirmation with the card issuer required before it’s authorized for Apple Pay purchases (that’s what Apple’s has said at least). A thief can add their own print sure but re-using your CC for purchases would be a bit trickier I imagine without the full digits.
That isn’t to say your stored CC could be re-used on the App Store and iTunes but that’s already the case today pre-NFC purchases.
But didn’t Apple claim that all secret payment information is stored in the new “Secure Element”? I think it’s fair to assume that the private keys remain solely in that HSM and are not part of the backup data (be it local or iCloud).
If you needed to restore your device due to a software problem or system update, then the private keys would still be in the Secure Element. If an attacker restores your backup to another device, then this device’s Secure Element wouldn’t have the keys to authorize payments.
That of course means you would have to re-register all your cards if you switch to a new device.
So what’s to stop people putting a second NFC reader with a stronger range next to the actual one and hijacking the payment?
Well in most cases you are buying something there and then so the vendor would know you hadn’t paid for the goods – it wouldn’t show on the till or the ticket barrier wouldn’t open etc. Also if you’ve ever paid with your PayWave(tm) card for anything you’ll know it has to be pretty darned close to work, regardless of the specifications. In your scenario it would be easier to stand in the street with an NFC card reader and charge for a “standing aside” service or something similar than to hijack a known transaction. That would possibly work on a dumb NFC card but NOT on an Apple device of course.
Along with saxonrau’s arguments, there’s also the fact that you aren’t getting the card number, you’re getting a signed one-time key. Since the second NFC reader isn’t going to have the same private key as the official reader, the data passed to it will be essentially useless, as it will be unable to negotiate the key with a payment processor.
However, there’s nothing to prevent EXTRA payments from being processed, and payment via NFC is between the cardholder and the merchant, not between the issuing bank and the merchant — so in this case, a second NFC reader properly registered with a processor and a merchant bank could make quite a bit of money before the account was shut down. This is actually somewhere where the short range of official readers is a downfall, as a stronger antenna in proximity will have no difficulty overriding the official reader. The security once again comes down to access to private keys that will let the rogue reader authenticate with the payment processor.
Apparently your iPhone (or non-i Watch) will give some sort of visual or tactile feedback (e.g. vibrate) to indicate that the NFC exchange has happened and succeeded, which I suppose is another benefit over using a regular NFC card. If there is a double transaction you will, I assume, have a fair chance of noticing because you’ll get a double signal.
NFC technology is already causing serious problems for some. People with such cards are finding that the card is being debited even though it was still in their wallet/purse and not being ‘waved’ near the reader. In London, the Oyster card (an NFC payment method used for London Underground, etc) is being skimmed when people only walk near the reader so being charged for journeys they didn’t take, etc. The same is possible with similar systems based on mobile phones, watches, etc.
The whole concept sounds attractive but is flawed if the NFC device can be read without the owner’s intentional and deliberate actions causing it to be used/debited. Where are the safeguards that allow the user to confirm that they really do wish to pay for the goods or services being charged for? There’s certainly no 2FA in the system!
The only safe way to have such a card is to keep it in a metal box so it can’t be unintentionally ‘read’ by a device nearby without the conscious and deliberate act by the owner of exposing it to the reader.
So the iPhone or WATCH would be more secure because it would need confirmation on the device screen… Dumb cards are certainly a liability even in legitimate transactions because once you have more than one of them you can’t just wave your wallet – you have to extract the card you want to use.
The 2FA is the use of the fingerprint reader on the phone.
From my understanding the CC with NFC is being skimmed because the card doesn’t require anything before it puts out a signal. The iPhone may recognize the request from the signal but it won’t put anything out will it? It would require the user to use the touch ID before anything is enabled. Hence rendering NFC skimmers useless. Also if I remember correctly they said in the Keynote that it is a one time randomly generated payment sent through NFC to the recipient (retailer, fast food, etc..) so even if a skimmer picked that up it would be rendered useless again right? Even if they tried to use the payment to redirect to themselves they wouldn’t be recognized as the proper recipient of the payment. Obviously we will know more in detail with the release of Apple Pay but right now it would seem it’s almost the most secure way for payments. Given like Ducklin said they have two step or something, like stated above by Yang, in place to secure your Wallet when you go to restore it.
Even that’s not safe. The only way even close to safer is to have a button you must depress (or other switch) in order to activate it. Even that’s not foolproof, but it’s better than now.
How safe will it be…? That’s a very good question and I believe that it all depends on what camp you’re in. There are the Apple-nistas’ who already think this thing is the best thing since the iPhone itself which was the best thing since the iPod which was the best thing since sliced bread. Then there are those who want to wait and see what happens. Personally I won’t use it regardless of if it’s Apple, Samsung or some other device maker. And no I’m not hating on Apple… I’m just PO’d at them because yesterday I found out that I have an iCloud account, and so do you if you have an iPhone.
Yesterday or Tuesday, Apple pushed a “free” download of U2’s new CD to every iTunes account. Well, you can’t remove or delete it, you can only “Hide these items in the iCloud”… so in my mind, if they will do this, and they do require a credit card for iTunes accounts, what else can/will they do? I only use this phone for work and needed the iTunes to activate it and load the required apps we have in the iStore or whatever the hell it’s called.
Anyway, I’ve vented enough, sorry. No I will not use a device like this.
What a bunch of evil crooks – forcing you to have the opportunity to listen to a free brand-new album from a world-famous band for absolutely no money. You are quite right not to trust them – it’s very suspicious that they would give something like that away.
…I wonder what else they’ve “given away” that we don’t know about.
I think you missed the point completely: If Apple can push free content to you, with this device they can also push paid content to you (or worse), and you won’t know it until you examine the bill.
What an absurd assumption to base an article of pure speculation on. Your colleague was able to use his card in the app store because the details are stored as part of his iTunes account, not on his phone.
So…Apple has your CC details as part of the data protected by your Apple ID. For many Apple Pay early adopters, this will probably be the same CC details they choose to use with Pay.
So it’s not impossible that your device’s NFC chip could be prepped automatically from data known to iCloud, without you needing to type in your card data again, and without the CC data ever actually getting stored on your phone.
It’s a key concept in security that there is no such thing as total security: what man can make, man can break.
UK is near totally chip-and-pin and it’s much more secure than the old swipe-and-sign. But it still gets attacked. Look over my shoulder in a shop for the PIN, then pick pocket my card a few minutes later. Install a fake keyboard on an ATM for my PIN and jam the slot to retain my card. etc. etc. etc.
They can’t do any of those with apple’s concept.
I don’t think hacking iCloud will break the payment system – as I understand it, the payment ‘token’ will reside in the secure enclave on the phone, therefore not backed up to iCloud. If you lose or wipe your phone, your card will need verifying again – no big deal.
Bumping you, like with oyster cards, won’t work – it needs you to authorise with fingerprint. Scared of Apple? Don’t make sense, they already have my real credit card details.
Will it be totally perfect? I doubt it as a matter of principle. But I do think apple’s new scheme looks to be another step UP in security from my current credit card. If it turns out to be widely adopted and convenient, I’ll use it.
Interesting comment here:
“As far as we can see, the key issue is that your Apple Pay information is tied to your Apple ID, just like the rest of your iCloud data.”
You then make a tenuous leap to the Apple Pay being compromised via an iCloud account vulnerability. This would assume that Apple Pay information is being stored in iCloud, or that the iCloud account could be used to compromise the device in some way.
Apple explicitly states, on their website, however:
“With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element, a dedicated chip in iPhone. These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number alongside a transaction-specific dynamic security code is used to process your payment.”
So, the token is not only device specific, it is never stored in the cloud, but only in their ‘secure enclave’ on the device itself. While I have no doubt that security professionals will do their utmost to find holes in Apple Pay (and may find some) it seems that the iCloud angle is not likely to be one of those holes.
While I agree with you generally that iCloud struggles from some security challenges, I think on the other side Apple has done a tremendous service to the payment industry here by driving what appears to be a widespread tokenization solution, which is a BIG deal. Tokenization dramatically reduces the risk of credit card number theft and ongoing fraud, by specifically eliminating the storage and transference of credit card numbers, replacing them with tokens which are device, merchant and transaction specific. Tokenization has traditionally been a very complex thing for merchants and developers to adopt, and if Apple through their initiative makes it easier, or more widespread, it will benefit everyone.
The example you make in your comment about Chet reusing his Apple ID between devices is distinctly different – that’s Apple ID, used for purchases on their stores, ties into the credit card number they DO store in the cloud associated with your iTunes account. It will be interesting to see if they start migrating their Apple ID stored cards to some form of token in the future, as this does represent a separate weakness.
It does seem as though the cards you “upload” for tap-to-pay can be used only from the device on which you “upload” them. (I think I’d type in the numbers rather than use Apple’s “let us OCR a photo of your card” app, just so there isn’t a photo that might lie around for later.)
Ergo it does indeed look as though there is no “backup and restore” process for Apple Pay, whether via iCloud or any other means. Ergo to clone your Apple Pay ecosystem onto another device so he didn’t need your credit card details, a crook would need your credit card details.
A few weeks to wait and then we ought to know just how separate iCloud, Apple ID, iTunes, App Store and Apple Pay really are…
…after all, this *is* Apple, which officially announced its two-step verification would better secure your iCloud account, although turned out to be a different sense of “better” (and, for that matter, of “secure”) than I suspect you or I might think 🙂
Apple does not have any credit card information of mine. I have used gift cards for credits.
As Apple Pay will involve billions of dollars, hackers are already salivating about the potential to steal. You better believe they will find ways around Apple’s security. Use it at your own risk.
My fingerprint that I started with quit working and so I did another one and deleted the first one so now my Apple Pay doesn’t work!! Now what do I do?