Four reasons why Apple Pay is more secure than you think

One of the most intriguing announcements at Apple's latest launch event last week was the introduction of Apple Pay.

A contactless payment technology built into the iPhone 6 and the new Apple Watch, it allows you to tap and pay for your day-to-day purchases without hunting through your credit cards, entering PINs or signing bits of paper.

Now, mobile payments have been talked about for years and have struggled to take off, but with Apple Pay the stars may have finally aligned to deliver a user experience that is compelling.

Needless to say, if Apple Pay does take off, it will be a juicy target for attackers, but Apple looks to have taken sensible measures to ensure it is as secure as possible. Here are my 4 reasons for why Apple Pay will be secure:

There's not very much for the attacker to steal

Apple Pay, like all mobile payments solutions, introduces a new point of attack: the handset itself. That's always been a potentially big issue, since phones with their numerous apps are notoriously hard to secure. To reduce these added risks, Apple has taken a number of steps.

Firstly, the phone employs a tamper-resistant hardened security chip, called a Secure Element, to protect the secret codes used to make payments. This guards against physical attacks and malware on the phone and, although no security measure is perfect, the Secure Element is a big improvement.

But perhaps the most important innovation is that the codes on the phone are not actual credit card numbers, so even if they are stolen or the phone is lost there is no need to cancel your cards.

Apple has worked with the credit card companies like Visa, MasterCard and American Express to ensure that only temporary 'tokens' are stored on the phone.

These tokens are used in transactions to represent a user's account but are useless to an attacker and can be deleted without affecting the user's bank account or credit card.

Not only does this tokenization process reduce the risk at the phone, it also protects the back-end infrastructure that communicates with the phone to set up payment accounts and approve transactions, for example the systems operated by the mobile operator and Apple themselves.
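The token idea described above can be sketched as a small model, added here as an illustration and not taken from Apple or the card networks. The `TokenVault` class, the device names and the test card number are all constructed assumptions; real token services add further controls not covered in this article.

```python
import secrets


class TokenVault:
    """Simplified token service: maps random tokens back to the real card number."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "device", "active"}

    def provision(self, pan, device_id):
        """Issue a token for one device. It is random, so it cannot be reversed to the PAN."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "device": device_id, "active": True}
        return token

    def authorize(self, token):
        """Resolve a token to its PAN at authorization time; None if unknown or revoked."""
        rec = self._records.get(token)
        return rec["pan"] if rec and rec["active"] else None

    def revoke_device(self, device_id):
        """Kill every token on a lost device. The underlying card is untouched."""
        revoked = 0
        for rec in self._records.values():
            if rec["device"] == device_id and rec["active"]:
                rec["active"] = False
                revoked += 1
        return revoked


def lost_phone_scenario():
    """Constructed walk-through: one card on two devices, then the phone is lost."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number, not a real account
    phone_token = vault.provision(pan, "phone")
    watch_token = vault.provision(pan, "watch")
    before = vault.authorize(phone_token)
    vault.revoke_device("phone")
    return {
        "token_differs_from_pan": phone_token != pan and watch_token != pan,
        "phone_ok_before_loss": before == pan,
        "phone_ok_after_revoke": vault.authorize(phone_token) is not None,
        "watch_still_ok": vault.authorize(watch_token) == pan,
    }
```

Only the vault ever holds the real card number, so deleting the phone's token stops payments from that handset while the card itself, and the token on the watch, keep working.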

Strong biometric authentication

Another strong security measure is the integration of Apple Pay with the Touch ID biometric authentication capability of the iPhone. If an attacker can't steal the card information from the phone, then the next best thing is to steal the phone and misuse it until it gets shut down.

Touch ID has been around for a while as a way to unlock the phone; now it is being used to authorize a payment. Biometrics, in this case your fingerprint, heightens security as it is completely unique to the user and is based on your personal biological data that can't easily be stolen or replicated.

The use of biometrics does occasionally have some challenges: some fingerprints just can't be read and false positives do occur, but it is a huge improvement over passwords.

Apple isn't reinventing the wheel

Against many people's expectations, Apple has based its Apple Pay service on a set of well-proven and standardized technologies rather than forging ahead with a proprietary approach.

The maturity of the technology is good news for security and investments already made by merchants could now pay dividends.

Apple Pay works on established payment 'rails', adopting technologies such as NFC and EMV that combine with the Secure Element to communicate with standard contactless point-of-sale (POS) devices in stores.

The fact that banks and credit card companies will continue to play their traditional role as part of the Apple ecosystem will help to quell the arguments and allow everyone to focus on the customer.

A balance between customer experience and security

Balancing security against user experience is critical for the success of any security venture and is even more critical for mobile payments.

Tim Cook argued that firms in the mobile payments sector have focused too heavily on their own interests (i.e. monetisation) for years and not paid enough heed to customer experience.

It's vital that everyone views mobile payments, or mobile commerce as it should be called, as a better way to buy more things and not simply another way to buy the same things just using a different technology.

If poorly thought out security gets in the way and creates friction, the mobile model will never take off. Apple has clearly taken this idea on board, and has been working hard on creating a product that is customer-orientated without compromising security.

Richard Moulds is Vice President of Strategy at Thales e-Security.