co-authored by Dr. Stephen Bryen, Founder & CTO Ziklag Systems
Apple has introduced a new mobile payment system that exploits some of the features of the newest iPhones. Apple claims that it is much more secure than its competitors. But is it?
Apple has done a few things that are interesting. Among them, it has applied "tokenization" to handling credit card information. The idea is a simple one: instead of storing an actual credit card number on a mobile phone, the Apple solution stores only a token that represents the credit card. The actual credit card information never flows across the network, instead the token is sent to a repository controlled by Apple where the token is linked in a database to the "real" credit card number. To make this work securely, Apple encrypts the token's transmission. And Apple uses the iPhone's fingerprint reader for the user to gain access to the mobile payment system on the phone, thereby protecting misuse of the phone if it is stolen or lost. The system works by a near field type transmitter in the iPhone. Similar near field transmitters are also in the phones of other manufacturers. The advantage of a near field transmitter is that it is very hard to intercept.
Thus Apple has produced an innovative and interesting system. It differs from other existing credit card payment systems because it applies more security measures to protect the information that feeds into the central payment system.
But these steps do not mean that the system is really secure. Apple's security needs to be tested in the real world and it will take some time to make sure Apple's security measures pan out.
There are areas of concern. To begin with, it is likely that the payment system will use some data base storage arrangement like Apple's iCloud. iCloud was allegedly compromised recently in the hack of celebrity nude photos. The iCloud or whatever Apple is using to store the information that links the tokens to the database of real credit card numbers represents a risk because it is another third party repository of credit card information that might be vulnerable to intruders. Banks and clearing houses for banks already have been hacked by intruders as have major chain stores such as Target and Home Depot and most recently, Staples. Most Americans no longer even try to keep up on reports that their credit card information may have been compromised because it happens too often. It is hard to see much value added from Apple on this subject unless it cleans up vulnerabilities in iCloud.
Apple is also relying on the integrity of its mobile phone hardware to protect information such as fingerprint data and the token itself. Apple deserves credit for a better authentication system than other phone makers are using. But whether the hardware platform is really secure enough remains an outstanding issue. There is not much hard evidence that the iPhone is any more secure than any other mobile platform. According to a report from Greatfire.org, a respected censorship watchdog organization, China has launched a "malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc. Unlike the recent attack on Google, this attack is nationwide and coincides with today's launch in China of the newest iPhone..."
If the Chinese are doing this, one can guess that Russian hackers, who have been gutting our banking and credit card system, are capable of doing the same. It makes you think that if the banks and credit card companies are doing such a lousy job of protecting our privacy, what makes anyone think Apple can do it better?
Beyond the existential question of why we don't have good security anywhere these days, there is a practical issue. If you are in a store or a restaurant, do you really want to have to bother with your mobile phone when you can just swipe your credit card? It is reasonable to ask how this affects a credit card user who might find it convenient to use a mobile device to buy products at a store?
If the Google Wallet experience is any indicator, using a mobile platform as a surrogate for a credit card has not really caught on yet. Apple can exploit the ideological attachment many of its users have to their iPhone, and probably get them to pull out their phone instead of their credit card when making purchases. For some, though, it adds a level of inconvenience and could be a nuisance if something doesn't work right. Apple will have to prove it is easier to grab your smartphone, do your fingerprint thing, and then carry out your purchase instead of swiping you credit card.
And what happens if your iPhone transaction is denied?
The iPhone mobile payment system also raises a complicated question about who is liable if a purchase is made without your permission. With most credit cards, if some one uses your credit card number, you have credit card insurance and the credit card provider as recourse. If Apple sticks itself in the middle, as Google already has, are they liable for any screw ups?
Whether iPhone's mobile payment ends up being successful or not, does not take away from Apple's intent to offer better security to their users. Much more needs to be done to make mobile devices trustworthy and maybe we will need to wait until we are really sure before we take the plunge on any mobile payment system.