Perspex: What You Should Know About Apple Pay
Could the wallet and cash and credit cards become obsolete?
If Apple Pay and other makers of new soft-plastic have anything to say about it, the answer is yes.
But why would we want to get rid of credit cards – and what’s wrong with cash? Consider the following: In 2014 credit card breaches cost hundreds of millions of dollars to credit agencies and merchants. It cost credit unions and community banks approximately 200 million dollars to reissue about 21.8 million credit cards. And one retailer, Target, says they will spent about 100 million to upgrade to new NFC and chip-enabled payment terminals that are compatible with all NFC devices as well as Apple Pay. Black market hackers generated about 53.7 million dollars from stolen and re-sold credit card data, card numbers selling for somewhere between $18 and $36 depending on card limit. Hacking is big business but so is new technology and ways to hack-proof payments systems. And here’s why – consider the following retail hack accounts from 2014:
On September 8th, Home Depot confirmed that any customer who shopped in a U.S. or Canada store from April 2014 forward was impacted by a credit card data breach. According to one security researcher, Home Depot hackers reportedly used the same malware that affected Target.
On August 20, shipping company UPS discovered malware that could potentially expose the data processed in 51 US stores in 24 states. Customers potentially affected in the breach were notified and offered identity protection as well as credit card monitoring.
Nearly 3 million credit cards were impacted by two separate security breaches at Michaels, the arts and crafts store chain in the US. Michaels released this information April 17, 2014. The breach occurred over a period of nine months, and affected 7 percent of cards used in stores.
During the 2013 holiday season, hackers made their way into Target's systems, exposing customers' card data, names, mailing addresses, phone numbers, and e-mail addresses. In January, the retailer announced that the breach potentially affected 110 million customers-- or up to one-third of the US population.
P.F. Chang's, the nationwide Chinese food chain, fell victim to hackers who exposed credit and debit card data, as well as card holder names and the cards' expiration dates. A total of 33 locations were affected, but the company has not been able to determine if any specific customer's data was stolen.
Using malware, hackers made their way into hardware company LaCie's database, putting anyone who shopped between March 27, 2013 and March 10, 2014 at risk. That's nearly one year of customer data. In response to the attack, LaCie temporarily shut down its online store until its website could be secured.
eBay's database of names, phone numbers, encrypted passwords, email addresses, physical addresses, and dates of birth was comprimised in late February and early March, 2014. It's unclear if the breach gave hackers access to customers' financial info.
Near Field Communication (NFC) is a way of communicating between devices (such as a smartphone and a computer, or a smartphone and a passive tag) that utilizes electromagnetic radiowaves. Bluetooth and WiFi use regular radio transmissions which are relatively easy to hack . NFC is contactless which means that the devices (think ccredit card or debit card but basically on your phone as an application) do not have to touch. Instead, they communicate in an electromagnetic envelope when the phone is held near the NFC terminal. A unique encrypted code passes between the two devices and because it creates a unique identifier for each retailer and each transaction, NFC is reportedly more secure than regular credit card information..
Passive NFC tags, such as those on in-store items, can hold information (such as pricing and SKU information) that can be read by your phone when you hold it near the tag. Holding your phone near the tag places your phone in receiver mode in which state it can gather information and read it which can help users shop more efficiently. .These NFC tags, which are passive, cannot transmit or receive anymore information more than the limited information that is stored. Exchanges between passive NFC and active NFS are finite.
Active NFC means that both devices are able to send and receive information (not just one to the exclusion of the other). Both devices can transmit and receive importation information. But that information, at least with Apple Pay, does not include;
- your name
- your credit card information
- the security code on the back of your card
What is noted is the card that you used to make your purchase (but not the card number) and a unique, encrypted transaction number (or token) specific to that merchant and that differs for every transaction. And it is this tokenization that makes Apple Pay different from other purveyors of soft-plastic.
Why is this safer than credit cards and debit cards? Simple, because your card information is not stored on your phone or even by Apple. And even if someone gains access to your phone, you can locate your phone and turn off your Apple Pay with remote “Find My Phone”. And if your phone is stolen, you won’t need to replace your credit cards because again, the numbers are not stored and so are secure.
In NFC the devices speak to each other but all information is encrypted in such a way that it is impossible to work backward to the starting point to obtain the credit card number.
When you make a credit card transaction, your card information is relayed between several points – this is true for Google Wallet and Softcard as well. But with Apple Pay, Apple does not store your credit card information or name anywhere (except iTunes where, if you signed up for iTunes you can provision your phone to work off your iTunes account and by then also taking a photograph of your credit card with your phone and then having the bank verify that the card is legitimate).
The new iPhones (iPhone 6 and up; if you have the old iPhone 5, you’re out of luck) incorporate NFC as do most smartphones. In fact, NFC technology is not new – it is about ten years old.
So what’s new now? As of October 2015, all merchants in the United States will be required by law to have NFC compatible terminals. The terminals will read a data chip on a card that is not swiped but is nonetheless read. Apple is betting that since merchants have to have the NFC-equipped terminal, they will opt to have Apple Pay as an easy payment option for consumers, giving Apple a huge market-share if the plan works. In other parts of the world, EMV and NFC are pretty much the standard. But in the United States, only 14% of merchants are currently equipped to handle the new technology.
All of this technology is being used in concert with a technology which Apple says is unhackable – a Touch ID fingerprint with roots in subdural fingerprint imaging. The security checkpoint: a fingerprint, a biometric, is necessary to first unlock the Apple iPhone and is then repeated to make a purchase (touch finger to screen to confirm).
But is this hackable? The short answer so far is no, but Apple Pay has not passed into common use yet, though a lot of stores have it, including McDonalds, Disney, Bloomingdales, Macy’s, Petco, Walgreens, Sephora, and more. According to Apple’s own figures, Apple Pay is accepted by some 220,000 stores and odds are that if NFC is accepted, so is Apple Pay.
And while it does seem for the time being that Apple Pay is the most secure way to pay, almost nothing is infallible. I found two tech guys who were able to spoof the biometric fingerprint check. By making a graphite infused Apple Pay without having a live hand and finger-print, silicone cast, the two testers were able to get into another person’s iPhone and Apple Pay without their actual hand. How is that possible? The silicone print made from the person’s finger was soft enough to flatten out the way a real finger would and had enough definition that it met the fidelity requirements needed to get into the phone. This again was taken from the person’s actual finger using a relatively soft silicone cast that allowed for a lot of detail in the fingertip swirl.
When testers tried to a second time to spoof the biometric fingerprint security by using a print taken from a photograph (a copy of a copy) that was then laser-etched and silicon cast there was not enough fidelity for the print to work. For any print to work it needs;
Capacitance, which is the ability to store an electrical charge to operate the touch-screen,
Fidelity - how it compares to the original, how true or accurate the copy is.
In order to be serviceable, a copy needs both capacitance and fidelity. First, it needs to be able to first fool the touch screen (using a hotdog, for example, will not fool the touch screen and generally won’t allow you to using the touch features.) A silicon mold will work. If the mold then has enough detail caught and enough flexibility/movability and softness like a human finger, it meets all capacitance and fidelity requirements and so breezes through the biometric security checkpoint.
How likely is it that someone can get a cast of your fingerprint taken from you? Not very and with the tokenization and encryption of numbers, Apple Pay has set to be the new safety standard bar for credit higher than it has ever been before.