Apple will not be fading from the news anytime soon. In fact, one of its most anticipated announcements this year—Apple Pay—is slated to come out next month.
Apple Pay is a new feature available on the iPhone 6 and iPhone 6 Plus that enables users to make “contactless” payments by transferring their debit or credit card from their iTunes account to Passbook. Users can store additional cards by simply using the iPhone’s iSight camera to take a picture and instantly capture their payment details.
The allure of Apple Pay is not lost on Tripwire’s experts. Craig Young, a security researcher and member of Tripwire’s Vulnerability and Exposure Research Team (VERT), commented, “The convenience of being able to setup a replacement iPhone without having to re-enter a wallet full of credit cards is the type of simplicity that drives consumer demand for Apple products.”
Even so, the success or failure of Apple Pay will be shaped by how secure it is and how widely adopted the feature becomes.
One particularly promising selling point in Apple Pay is its ability to assign and encrypt a unique Device Account Number for each card. These numbers are not stored on Apple’s servers—an arrangement which allows for more private transactions. Most importantly, it gives users the option to not use their credit or debit card information directly when making a purchase.
What remains to be seen is the strength of these features, with many skeptics still not fully on board. “The transaction itself presents a vector for attack,” warned Tim Erlin, Director of IT Security and Risk Strategy at Tripwire.
“Apple won’t transmit the card number, sending a ‘Device Account Number’ and a dynamic security code, instead. If this transaction can be spoofed, attackers will be able to make fraudulent purchases,” said Erlin.
Lamar Bailey, Director of Security Research at Tripwire, also has concerns: “The technology behind Apply Pay seems sound, but it will be a major target for cybercriminals when it goes mainstream later this month.”
As Erlin, Bailey and others realize, hackers could use malware to access stored credit card images, giving them the capability to potentially make fraudulent charges.
Given the novelty of the technology, some experts suggest it is best that users take things slow and try to protect themselves as much as possible. “With Apple now collecting health data with HealthKit and moving aggressively into mobile payments, users can’t just leave everything security-related in Apple’s hands,” said Dwayne Melancon, Tripwire CTO.
Melancon added it’s important for users to pay closer attention to the security they use on their mobile device and protect themselves online by reducing their attack surface, using secure configurations, practicing good cyber hygiene and continuously monitoring for anomalies and vulnerabilities in connected systems.
“Unfortunately, these techniques are not known by the average home user,” said Melancon. “There is a huge risk of users accidentally leaving themselves vulnerable and not realizing it until they’ve already been compromised.”
Nonetheless, Apple Pay is a step in the right direction to the extent that it could revolutionize the ease and security of both the credit card and mobile payment industries but even so, it is best if users take some precautions before the technology is fully explored and understood.
- Security Slice: Apple Pay’s Big Gamble
- Apple to Add New Security Alerts Following iCloud Hack
- Apple iMessage Vulnerable to Eavesdropping and MITM Attacks
- Apple Shareholders Demand Security Risk Reports from Board
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock