Apple Pay thoughts and security

The big Apple event on Tuesday wasn’t that big a deal in my opinion. The iPhone 6 was expected, although not in 2 editions, but that is the least that Apple had to do to catch up with Android. Apple Watch? Meh … sleek industrial design and interesting software options, but ultimately I still think that smart watches in general have a limited use.

Couple of reasons why:

  • short battery life – until you start using one of these, you won’t realise what an issue that is (my current Seiko is going on for 4 years now on the same battery; 1 day on a charge for smart watches is a problem)
  • you don’t get any health info while your watch is on charge because you can’t wear it at the same time as charging
  • security – smart watches can be hacked; do you really want your health and personal info out there for all to see? And how do the vendors handle your privacy and security?
  • you still need a phone to use in conjunction with most smart watches – no phone? limited usefulness …

So onto the main crux of this article: Apple’s new NFC-based payment system. What’s new? Well, pretty much nothing that hasn’t been done before – think Google Wallet. They have some good integration with Touch ID on the iPhone and the on-board security chip, along with agreements with a number of American banks and the 3 main payment networks: AMEX, Mastercard and Visa. The only benefit Apple brings to the table is a large user base as well as a knack for popularizing systems like this. And that is it.

With Apple stepping into the NFC payments game, we will see a large increase in the number of people using it. This of course will lead to security and privacy concerns, not only about potential vulnerabilities in the technology itself and how criminals can exploit them, but also about how users may not secure their devices, and therefore their electronic wallets, properly. Some banks are even putting transaction limits in place as a form of risk analysis/protection.

Although the recent nude celebrities hack on iCloud wasn’t entirely Apple’s fault, this episode goes to show how far end users and vendors have to go to understand personal security and privacy properly. And that’s the crux of the matter. We’ll also have to see how country-specific consumer rights, privacy and other laws impact a global product like this.

But security is always a primary concern. And while Apple has promised fixes to iCloud and iOS in the next period, the perception of Apple’s security is not good, and its track record is similarly poor.

Anyone can spend $1500 buying Elcomsoft’s iOS Forensic Toolkit or $79 on the Phone Password Breaker and proceed to literally pull an iPhone apart, getting access to pretty much every single piece of data you’ve ever put on there. There are also cheaper ($0) hacks out there involving an iPhone and iTunes running on a Windows machine. Scary stuff when you’re storing potentially vital personal data on your phone.

So what else can we say about Apple Pay? There are some more practical issues:

  • battery life of your phone will suffer with having NFC switched on all the time (I can’t see people turning it on and off when required)
  • there is a much wider attack surface with NFC being switched on all the time, potentially leading to a security nightmare
  • the payment industry is actually moving away from NFC towards biometrics
  • many US retailers and banks have cited the high cost of NFC-enabled payment equipment as a reason for not going all in

So, while I think Apple could be moderately successful with something like this, there are significant issues to be worked out in the practical implementation. We’ll see …
