Yesterday Apple announced Apple Pay, a payment mechanism that will be available on the iPhone 6, iPhone 6 Plus, and Apple Watch. While the convenience of such a feature is tempting, how do we know if we can trust it? To answer this, let's take a look at what we know about Apple Pay's security so far.
The iPhone 6, iPhone 6 Plus, and Apple Watch will all include NFC chips. NFC — which stands for near-field communication — is a set of standards that mobile devices can use to communicate with each other via radio communications. It's somewhat similar to Bluetooth LE but, among other differences, only works over very short distances (generally 10 cm or less), making it ideal for things like mobile payments. NFC isn't anything new — credit cards and Android phones have been using it with limited success for several years now — but this is the first time Apple has included it in one of their devices.
NFC is not inherently secure. The standards that define NFC do not lay out any specification for how NFC transmissions should be secured. Often times they are not. It's not currently clear what, if any, security implementation Apple will be using to encrypt NFC transmissions between devices, but we'll see shortly why this shouldn't really matter.
With NFC credit cards, simply holding the card up to an NFC card reader is enough to initiate a payment. The downside to this approach is the cards are always in a readable state. There's no difference between you legitimately holding your card up to a card reader, and a criminal holding an NFC reader up to your butt to read the cards in your wallet. Enter the iPhone's first advantage: Touch ID. You begin an NFC payment by holding your iPhone up to an NFC card reader, but that only initiates the payment. iOS will then prompt you to confirm the payment using Touch ID. If you don't confirm the payment with Touch ID, then it will not go through. Additionally, once a payment has occurred, you receive a notification on your iPhone that the payment has taken place.
The Apple Watch will not have Touch ID, so how does it fit in to Apple Pay? Before you can make a payment with an Apple Watch, you'll have to unlock it with a passcode. Once unlocked, the Watch will only be able to make payment while it is in contact with your wrist. If the sensors on the back of the watch detect that it is no longer in contact with your skin, a passcode will need to be entered on the Watch again before it can make any more purchases. Finally, any time you go to make a payment, you'll be required to press the button on the side of the Apple Watch twice to confirm your payment. Once again, this helps protect against payment information being read just by an attacker getting in close proximity to you.
Paying within apps
In addition to making payments at NFC-equipped point-of-sale systems, Apple Pay will also bring the ability to pay for physical goods within apps. Until now, developers have been allowed to sell in-app purchases for premium in-app content, virtual goods, and subscriptions. Developers could not, however, charge users to purchase physical goods, or goods and services outside of the app. This led to frustrating experiences for users where you'd have to manually enter all of your credit card information into an app when wanting to make a purchase. With Apple Pay, buying physical goods can now be as easy as in-app purchase. In addition to Target, whose app Apple used to demonstrate Apple Pay during their presentation, Apple has also announced that other big names such as Groupon, Panera Bread, MLB.com, Starbucks, and Uber will also support Apple Pay in their apps.
The current ecosystem requires you to enter your full credit card information into an app which means you're trusting both the app and a server to both transmit and store your credit card information securely. With Apple Pay, neither the app nor the merchant ever see your credit card information. To understand how this can be, first we need to step back and discuss how iOS will hold your information.
Passbook and the Secure Element
To set up Apple Pay, Passbook will use your iPhone's camera to capture your card information (Note that Apple carefully chose the word capture. They did not say that you take a photo of your card). Apple will then take this data, go to your bank, and verify that the card belongs to you. Most systems will authorize a payment on your account for a very small amount, then require you to correctly enter the value of that amount — proving you have access to that account — but Apple hasn't yet revealed the details of their process. Once your card has been authorized, instead of storing your credit card number, iOS will use a unique Device Account number that is encrypted and stored in the iPhone's Secure Element. The details on the Secure Element are limited, but we know that it will be a dedicated chip on the iPhone tasked with storing this information.
When you go to make an actual payment, what's transmitted is a combination of a one-time payment number along with a transaction-specific dynamic security code. This seems to be Apple's implementation of tokenization) for credit card payments. With tokenization, rather than sending your actual credit card number, a token representing your card's original data is sent to the payment processor. The payment processor can then de-tokenize your information to map it back to your original card number. In short, your credit card number is never transmitted to merchants with Apple Pay. This one-time token can only be used once, drastically limiting the impact to a user if it is somehow intercepted.
And should your iPhone ever get stolen, payments can be suspended via Find My iPhone. One long-standing caveat to this is that Find My iPhone requires an Internet connection to work. The normal means to elude Find My iPhone are still available — notably enabling airplane mode — but this would also disable NFC. Even if a thief manages to disable all network connections while keeping NFC enabled, Apple Pay will still require Touch ID to make payments, making the process more involved for criminals than just holding your phone up at a POS.
Your private transactions stay private
While your most recent purchases will show up in Passbook, Apple has said that your payments are private, and they do not store details of your transactions. Additionally they point out that with Apple Pay, you no longer have to disclose your personal information to cashiers. Using a normal card, you give a cashier your credit card number, name, and security code. With Apple Pay, they don't see any of that, further reducing opportunities for your card information to be compromised.
Apple Pay and iCloud security
I've seen a number of people and publications comment on how could we possibly trust Apple with credit cards after the celebrity photo theft last week. We know now that the iCloud accounts in question were compromised by successfully answering security questions on the accounts; not by any misconfiguration or weakness in Apple's servers. iCloud Photos are also fundamentally different in that they're transmitted to remote servers for storage, from where they were retrieved. Apple Pay handles credit card information completely differently. It's good to be skeptical and ask questions, but what we don't need are more straw man arguments.
Ultimately the question is, how does Apple Pay security compare to credit cards? By all accounts, it seems to win.
- Apple authorizes that your cards belong to you
- Touch ID is required for payments on iPhone
- Passcode and confirmation button-presses required for payments on Apple Watch
- No credit card numbers are stored on your devices
- Credit card tokens are stored encrypted in the Secure Element
- Payments can be suspended via Find My iPhone if your device is lost
The question should not be "Is Apple Pay 100% secure?", because no payment system is. The question should be "Is Apple Pay more secure than what I'm currently using?", and in many cases I think the answer is yes. Using the cliché analogy of home security: alarm systems don't protect you from burglars 100%, but they do offer additionally security over what a simple deadbolt would. It would be hard to argue that Apple Pay would be as insecure, let alone more insecure, than carrying around a wallet full of credit cards. Magstripes can be skimmed. Numbers can be written down. Cards can get dropped or left behind. Wallets can be lost. If you lose an iPhone with Apple Pay, you don't lose your actual credit card numbers, and it's protected by a passcode and Touch ID.
There are certainly some unanswered questions. How does Apple communicate with your bank when adding new cards? How exactly does the tokenization work and how well does it protect your original card information? How does the Secure Element work and how does it prevent tampering? Hopefully we see Apple release more details about each of these pieces in the coming months, but I don't see having any of these unanswered right now as a deal breaker.
How widely accepted Apple Pay will be or how well it will work are different questions entirely, and this post is not intended to answer them. I imagine that for the foreseeable future, Apple Pay will be a complement to carrying cards in our wallet, not a replacement. But personally, I can't wait to try it out on an iPhone 6 later this month.