
Apple's "tap to pay" security issues

  • 19-09-2014 7:16pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    The new Apple Pay system looks naïvely created to me, in terms of security, know ability, and reliability.

    Users are expected to take a photograph of their payment cards, and enter them into the system for processing.

    What happens if your phone falls in water, is left behind during the increasingly frustrating security theatre at many airports, or is lost or stolen? For one, you have no phone to report the theft of your iPhone 6(+). If you are on vacation and lose or drop and break your phone, all you have got to pay for hotels, food etc is what is left in your wallet.

    At a checkout, the amount due does not, as far as I can see, appear on the phone’s screen and there is no need for a PIN, so in my view the customer payment approval process is watered down to a “tap to pay” exercise.

    In the criminal world of stolen phones, not only will the criminal have your phone, but will have your credit card details – encrypted they say – but so much encryption has been broken or is not properly set-up.

    Secure systems are never “tap to pay” convenient.

    https://www.apple.com/apple-pay/


Comments

  • Registered Users, Registered Users 2 Posts: 9,339 ✭✭✭markpb


    I haven't really looked into it yet but it seems like they've covered a lot of your concerns already. The credit card details are written into an onboard crypto chip which is apparently some kind of mini-HSM. The idea is that once the card details are submitted to it, it will only ever return them in an encrypted blob.

    Apparently, for supported banks, the number stored on your phone isn't actually your PAN, it's a token which looks like a PAN to transacting systems but can be tied to your actual PAN by your acquirer. In addition to that, the token is replaced periodically and the old token expired.

    I think that touch to pay makes use of the fingerprint reader, it doesn't just submit those details with no protection. Of course, the security of that device is questionable.

    And lastly, the amount is definitely displayed onscreen.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    markpb wrote: »
    I haven't really looked into it yet but it seems like they've covered a lot of your concerns already. The credit card details are written into an onboard crypto chip which is apparently some kind of mini-HSM. The idea is that once the card details are submitted to it, it will only ever return them in an encrypted blob.

    Apparently, for supported banks, the number stored on your phone isn't actually your PAN, it's a token which looks like a PAN to transacting systems but can be tied to your actual PAN by your acquirer. In addition to that, the token is replaced periodically and the old token expired.

    I think that touch to pay makes use of the fingerprint reader, it doesn't just submit those details with no protection. Of course, the security of that device is questionable.

    And lastly, the amount is definitely displayed onscreen.

    The security offered is still inferior to that offered by an EMV payment card which uses DDA. (As far as I know most Irish and British cards don't use DDA, which makes them more clonable). In the rest of Europe DDA tends to be the norm. And you can drop an EMV card in water or on a hard surface and it won't break.

    The iPhone 6 could be used as a (very expensive) substitute for contactless payments with a limit of 15 to 25 EUR/USD/CHF etc with little additional risk. Methinks Apple brought out this feature before the rollout of EMV in the USA as part of their power grab for the consumer dollar.


  • Registered Users, Registered Users 2 Posts: 9,339 ✭✭✭markpb


    Impetus wrote: »
    Methinks Apple brought out this feature before the rollout of EMV in the USA as part of their power grab for the consumer dollar.

    You know that in-shop payments using Touch to Pay are done using the same technology as contactless credit cards, which are EMV cards?


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    markpb wrote: »
    You know that in-shop payments using Touch to Pay are done using the same technology as contactless credit cards, which are EMV cards?

    Technically they are not - contactless cards use RFID, and Apple Pay uses NFT. It is just adding another complication for retail points of sale. The key issue with contactless is the low transaction value and the security software running on the card issuer's server to limit abuse - eg requiring a PIN on occasion or payment refusal.

    In a properly regulated retail environment, retailers are not allowed to capture card details on their POS system. The card goes into a bank issued, card processing machine with firmware that only the bank can change. It might pass on transaction id for audit trail, and amount and approval code to the retailer but not the cardholder's card number etc. The benefit of Apple sending random payment numbers to the retailers' system misses the point of EMV card security.


  • Registered Users, Registered Users 2 Posts: 9,339 ✭✭✭markpb


    Impetus wrote: »
    Technically they are not - contactless cards use RFID, and Apple Pay uses NFT. It is just adding another complication for retail points of sale. The key issue with contactless is the low transaction value and the security software running on the card issuer's server to limit abuse - eg requiring a PIN on occasion or payment refusal.

    In a properly regulated retail environment, retailers are not allowed to capture card details on their POS system. The card goes into a bank issued, card processing machine with firmware that only the bank can change. It might pass on transaction id for audit trail, and amount and approval code to the retailer but not the cardholder's card number etc. The benefit of Apple sending random payment numbers to the retailers' system misses the point of EMV card security.

    We might have to agree to disagree on this. I need more time to study it but, with all due respect, I think you're misunderstanding some critical points. RFID is a subset of NFC. Contactless debit cards use NFC. RFID is far too simple to be able to process card transactions. Apple's new phones implement ISO14443 protocol over NFC just like contactless cards but they'll communicate with credit card terminals (like contactless cards do here), not retail POS systems.

    This does a good job of explaining it simply.
    The system, which relies in part on Apple’s Touch ID biometric technology to verify the user’s identity, could finally replace a payment technology that’s been in use for five decades. [...]

    The contactless “tap and go” system relies on a new payment technology called tokenization. In place of your payment card number, a 16-digit proxy is stored in a security chip in the phone. That number, which is the token, is given to the retailer when a purchase is made, meaning your actual payment card number doesn’t get handed around.[...]

    Additional pieces of data, unique to the transaction and the user, are incorporated to prevent a token from being reused for a second transaction, even if it's stolen.[...]

    The NFC technology is based on a standard developed by credit card companies that’s already in use at about 220,000 locations in the U.S. Google Wallet also uses NFC but hasn’t employed tokenization. It also hasn’t been widely adopted by consumers.

    A successful roll out of Apple Pay would accelerate competition and help hasten the roll out of NFC terminals, said John Beatty, president of engineering at Clover Networks, which produces payment terminals for retailers. The company is already advertising systems that accept Apple Pay.
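
A simplified model of the tokenization flow described in the article quoted above, added here as an illustration and not taken from the thread, Apple, or any payment network. The class names, the HMAC-SHA256 cryptogram and the counter check are assumptions standing in for the real token cryptogram scheme, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, token, amount_cents, counter):
    # Assumed stand-in for the per-transaction cryptogram: a MAC over the
    # token, the amount and a counter that only ever increases.
    data = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class TokenService:
    """Issuer/network side: the only party that can map a token to the real card number."""
    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key  # held in the phone's security chip, never the PAN

    def authorize(self, msg):
        entry = self._vault.get(msg["token"])
        if entry is None:
            return "DECLINED: unknown token"
        expected = cryptogram(entry["key"], msg["token"], msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"
        if msg["counter"] <= entry["last_counter"]:
            return "DECLINED: replayed transaction"
        entry["last_counter"] = msg["counter"]
        return "APPROVED"

class Phone:
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def tap(self, amount_cents):
        # What the terminal and retailer receive: token plus one-time data.
        self._counter += 1
        return {"token": self.token, "amount_cents": amount_cents, "counter": self._counter,
                "cryptogram": cryptogram(self._key, self.token, amount_cents, self._counter)}

def demo():
    service = TokenService()
    pan = "4111111111111111"  # constructed test card number
    phone = Phone(*service.provision(pan))
    msg = phone.tap(1250)
    first = service.authorize(msg)    # genuine tap
    replay = service.authorize(msg)   # same message captured and resent
    forged = service.authorize({**msg, "counter": msg["counter"] + 1, "amount_cents": 99999})
    return pan in msg.values(), first, replay, forged
```
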


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    My brain's fried.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    I am not too concerned by the technicalities of RFID/NFC. However many drinks dispensing machines etc in France will take an Irish bank's Visa debit card when one is buying a bottle of Vittel or whatever.

    I suspect I couldn't substitute an iPhone 6 in this environment - so all I am saying is that retailers who have already installed infrastructure to process what one might broadly call EMV contactless payment will have to change their kit yet again to accept this "invented by Apple" "standard". Not to mention Google's tap and pay*, which has not gained a lot of traction so far.

    We are moving to a world of larger phones. I have had one for about a year and would not move back. The easiest place to hold these is in the back pocket - which makes them vulnerable to pickpocketing. I tend to spend most of my time in low crime areas, but am very conscious of the risks in other locations. And I don't have any payment card info on the phone.

    So putting aside the technical details, we still have big picture details of a society becoming dependent on phone payments - ie

    *Phone falls on a hard surface and breaks
    *Phone falls into water
    *Phone gets left behind (eg in a taxi)
    *Phone gets pickpocketed or otherwise stolen.

    In the old days one had to remember a phone number or have it in a notebook and dial it manually. Now we store most of the numbers we call. If a phone gets lost - all of a sudden one faces challenges calling people, because they have forgotten the number.

    There is a risk of a similar "expectation of availability" with tap to pay - a technology that is far more fragile. Fingerprint recognition is not 100%. Checking out of a hotel and you get a fingerprint not recognized message. Someone might have injured their hand. Who knows what will manifest itself?

    Then you have personal privacy issues - more and more of one's life can be consumed by the phone / network. The big brand networks have shown themselves in bed with several secret service agencies. I don't want some snoop working for a three or four letter agency to be able to call up a string of events linked to me on a vdu - had a meal at restaurant x, stayed at hotel z, bought some groceries, etc - boring stuff but it is my business. And I don't want anything to do with these nasty Nazi style data dictatorships.


    *https://support.google.com/wallet/answer/2466137?hl=en


  • Closed Accounts Posts: 4,180 ✭✭✭hfallada


    Apple is using the fact their tap to pay is secure as you have to verify using your fingerprint, that is your card. Tap to pay will probably not be seen as ground breaking in Europe since we use chip and pin. Meaning there is less credit card fraud as it's not as simple as signing like in America


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    The US is slowly adopting EMV.

    Many banks there have started issuing EMV cards to customers who travel outside of the US - presumably because of complaints from cardholders when they come across points of sale that only accept EMV.

    The slow part of EMV USA is retailer-ization. This however is receiving added urgency after the recent events at Home Depot, Target etc.

    For the EMV system to work properly cardholder info should be firewalled off from the retailer's system. As it stands they (retailers) are storing cardholder data to track their shopping patterns and this becomes a hackers' honeypot.

