How secure is Apple Pay?

By Madhvi Mavadiya | 20 July 2015

After news of Apple Pay launching in the UK last week, it poses the question: how secure this application is and what risks customers will have to endeavour as this system gains popularity?

Banking Technology explains that in order to use the application, customers have to register a debit or credit card and a Device Account Number is assigned, encrypted and securely stored in the Secure Element of the device. Instead of saving the actual card number, each transaction is authorised by a one-time unique security code.

Despite this, some consider making mobile payments avaliable to more people as an encouragement for hackers. Data science consultancy Profusion’s chief executive, Mike Weston, believes that retaining personal information on devices is frightening to think about.

When this information is combined with our browsing habits, social media profiles and location (via GPS on our phones), it paints a very vivid picture. As the terms and conditions linked with using applications like Apple Pay essentially gives Apple carte blanche to use the data they gather, it puts a lot of power in its hands,” Weston told The Independent. Weston continued to highlight that although we must assume that personal information is being used appropriately by Apple, it is unsettling how one corporation may know more than the Government, bank and security services do.

Business Insider mentions that it is the big product launches that actually encourage hackers to experiment and compete with others to jailbreak security measures. There is a large jailbreaking community that target Apple and attempt to remove controls in place that would prevent users from downloading applications from third party stores.

Business Insider also remarks that “we’re still yet to hear about a successful scam or proof of concept attack targeting the platform.” CTO of network security company FireEye, Grady Summers, said that there are three reasons why a scam has not occurred, which include how Apple Pay does not store card information and encrypts the data during transactions. Alongside this, it protects against identity theft as payments are made using iPhone’s Touch ID scanner.

Summers also said that the fingerprint authentication made it near impossible to hack into point of sale terminals. “Apple’s use of fingerprint authentication adds another layer - a thief can’t use a stolen PIN with your card; they’d need to somehow steal your fingerprint, which is difficult to do though not impossible,” Summers said.

This means that hackers will need to create new technology so that they can surpass the fingerprint restrictions, but Summers believes that the hackers would focus more on the merchant, rather than the customer and not waste time creating this new jailbreaking system.

Robert Arandjelovic, director of Blue Coat Systems, thought the same and said to Business Insider that the upfront cost required to target the application will be off-putting for hacker groups. “Return on Investment (RoI) is key to whether they will carry out an attack on Apple Pay because there is no point in spending time trying to break the system or stealing credit card details if the effort is not covered by the pay-out,” Arandjelovic told Business Insider.

Although there have not been any reports of Apple Pay hacks as of yet, when the US version was launched in October last year, fraudsters were adding stolen card details to their devices and stole via the point of sale terminals.

Late last week, however, there was news of UK Apple users receiving a pop up message when accessing the Safari browser, which tells them that their device has crashed and in order to fix the problem, they must call the number displayed. This is a message similar to that which was circulating in the US in November 2014, which questions whether there is any correlation between the adoption of Apple Pay and this pop up message.

iPhone users are advised to press the home button, turn on flight mode and clear data and cookies if the message appears, according to The Independent.


Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development