ApplePay and why the security measures don't matter.
It's wonderful that your credit card is never stored on the device or in Apple's servers. It is nice that the token used to authenticate your purchases is not derived from the credit card number or any account information and therefore cannot be used to ascertain your account information.
But that is where the niceties die off.
Such a system also circumvents other security measures, like Chip and PIN technologies and online authentication mechanisms.
Why is this all important? At some level there is a system which takes a signal that contains that token and perhaps some additional data, and passes that along to either Apple or your bank or some third party which then authenticates the token and approves the transaction.
Spoof that signal and the entire system is compromised.
In other words, in some ways it is actually BETTER if these services are more directly linked to your credit cards and personal details. For instance, I'm not worried about someone getting my credit card number. If they make a physical card, it is useless at most retailers without the chip and PIN. Online, MasterCard has additional levels of protection for charges over a certain amount. And I know that if my card is defrauded through these systems, I can dispute the charges.
So, imagine a packet sniffer between the PoS machine and your phone, or between the PoS and the internet. While that data is likely encrypted, a large part of the claim many are making that this is better is that it is irrelevant if the token is acquired, since it can't be decrypted back to anything useful. But if I can decrypt the token and all of the data encrypted with it to make a transaction, that doesn't matter. All I need is the token and that data. Then I take that information and build a device that looks like an iPhone 6 but sends your token and data, and the service on the other end won't think twice. It doesn't even need to know your PIN (because that is either only in the iOS interface, or also included in the data decrypted to get to this point; more likely just in the UI).
In some ways your account is now less secure than credit cards originally were. At least back then you still had to sign for purchases, and your credit card company could demand that the vendor supply that evidence when investigating disputes.
There is nothing magical about your device. It sends specific data that complies with very rigid protocols. If that data and protocol are duplicated, only additional measures can protect you. But here, all of those additional measures are (or appear to be) bypassed.
Also, devices can be stolen, and device PINs can then be hacked rather easily. Sure, new iPhones contain kill switches... but what if you don't know your iPhone was stolen? How, you ask? Easy, actually. Buy a bunch of dead iPhones off eBay; if you get a good chance, you can swap someone else's working iPhone with one of your dead ones, case and all. The victim thinks their phone simply stopped working rather than thinking it was stolen. That could go unnoticed for days. Plenty of time to crack a 4-digit PIN and go on a spending spree, especially if someone watched you type your PIN while making a purchase previously. It is harder to hide your PIN on a phone than on a shielded PIN pad.
And I'm just scratching the surface. The point is simple: all of these things Apple has done to secure your data have secured it against attacks which are common today, but have made it more vulnerable to other types of attacks. We'll see in time whether this is FUD or not.
My suggestion is a simple one. The one place you never want to be an early adopter is where your identity and financials are concerned. This system may prove more robust than I paint it here. It may be every bit as weak as I paint it, but never be exploited. The truth is, we don't know what we don't know yet. A year in, we'll have a better idea as to whether or not the security here is easily compromised.