Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Apple Pay Ups Payment Security But PoS Threats Remain
Threaded  |  Newest First  |  Oldest First
Some Guy
Some Guy,
User Rank: Moderator
9/11/2014 | 11:10:02 AM
Note quite 3-factor authentication ...
"If you use both a passcode and a fingerprint to secure your device, then every purchase you make uses the authentication trifecta: something you know (the passcode), something you have (the device), and something you are (the fingerprint)."

So it's close but not quite 3-factor authentication, because it doesn't require all three at the same time. Simply possessing the device while it's still unlocked and keeping it unlocked allows you to operate it in 1-factor mode at NFC terminals ... forever. Any pickpocket worth his salt can do that.
Technocrati
Technocrati,
User Rank: Ninja
9/11/2014 | 9:13:36 PM
Re: Note quite 3-factor authentication ...

@Some Guy   I have to wonder about this finger print authentication.   How  does this work exactly in a global sense  ?    Is there a database with endless numbers of scanned fingerprints in it ?   

 

Sounds funny but  I bet I am not too far off.

Some Guy
Some Guy,
User Rank: Moderator
9/12/2014 | 1:09:27 PM
Re: Note quite 3-factor authentication ...
We're told the fingerprint is local to the device. It certainly creates storaage overheads if you expect to keep them all in the cloud. And without a lot of utility, since your fingerprint is only good on one device, and wouldn't work in Airplane mode if it only came from the Cloud. But then we've been told that your GPS wasn't tracked either and that turned out to not be true on the iPhone. For now I'd treat it as local only (until someone finds a smoking gun proving otherwise). It likely isn't even usable by other entities in its captured form; certainly not without some sophisticated translation to a 2D representation.
Technocrati
Technocrati,
User Rank: Ninja
9/12/2014 | 1:44:36 PM
Re: Note quite 3-factor authentication ...

Ah yes, I do recall now that these security features were supposed to be local to the phone.   Not sure how I feel about that either.   But thanks for the clarification.   

I am also skeptical that this method cannot be cracked, sure it is a major stride forward - but I am a firm believer that anything encoded can be uncoded.

 

So we 'll just wait until the smoking gun goes off ( again ).

msspotlight
msspotlight,
User Rank: Apprentice
10/7/2014 | 12:35:40 PM
Re: Note quite 3-factor authentication ...
It depends on the encryption algorithm. If it is say for example AES 256 it would take years to crack not to mention they would have to physically have your device which if this was the case you know it's gone and can call your CC company and cancel the card.
GonzSTL
GonzSTL,
User Rank: Ninja
9/12/2014 | 1:01:26 PM
Re: Note quite 3-factor authentication ...
"... Apple would step up its security game by broadening its use of two-factor authentication and more aggressively encouraging people to turn on two-factor authentication."

Why not just make two-factor authentication required for using Apple Pay? I would like to think that consumers who want to use their phone for payments via NFC would want strong authentication. I think that allowing a choice of weak authentication for the sake of convenience is a generally bad idea in the first place. With the almost weekly news of a breach widely reported in various media, I believe that the general public would welcome strong authentication. I did a very unscientific poll by asking some people I knew if they were willing to use fingerprint authentication when they made payments using their NFC and their own phone, and none of them said no. Like I said, it was very unscientific but at their main reason was that they were concerned about account fraud. Surely the general public has the same concerns, right? I think that users' hesitation to use biometric authentication is weighed in by phone manufacturers as a factor that could lose potential customers, but if the technique is presented as a requirement only for NFC payments, that hurdle can likely be overcome. If the feature is marketed properly, it could even be an added incentive for people to buy those phones.  Am I off base here? Is it just the security guy in me that influences this line of thinking?
Technocrati
Technocrati,
User Rank: Ninja
9/12/2014 | 2:01:58 PM
Re: Note quite 3-factor authentication ...

Why not just make two-factor authentication required for using Apple Pay?

 

@GonzSTL    I think that is a really good question.  What is the problem if two-factor authentication is better for security which it obviously is - then why not burn it into the hardware ?   

Manufactuers do this all the time in one way or another, so I don't understand why Apple is dragging it's feet on this.   The only thing I can think of is they don't want to inconvenience their picky customer base.

Technocrati
Technocrati,
User Rank: Ninja
9/12/2014 | 2:16:19 PM
Re: Note quite 3-factor authentication ...

"...I think that users' hesitation to use biometric authentication is weighed in by phone manufacturers as a factor that could lose potential customers, but if the technique is presented as a requirement only for NFC payments, that hurdle can likely be overcome ...."

 

@GonzSTL      While I understand your reasoning here, from a consumer perspective I have to respectfully disagree.   I would not be more apt to use a device or method of payment ( NFC ) nor would  this entice me to succumb to biometric authentication.

 

In my case,  there seem to be too much information already running around the Net without my control - I surly don't want to add my biometrics to it.   But at least you are looking for solutions to the issue - I don't hear anything coming from manufacturers themselves.

GonzSTL
GonzSTL,
User Rank: Ninja
9/12/2014 | 3:21:56 PM
Re: Note quite 3-factor authentication ...
@Technocrati I'm in the same boat as you - I currently have no plans to use NFC, nor the desire for the potential for my biometric information to be stored somewhere outside of my control. In my post, I tried not to use absolute terms because there will always be exceptions like you and me, for example. I just think that manufacturers, in their efforts to add convenience, make it easy to also add insecurity as an undesirable result of that convenience. I hesitate to say that there should be governmental intervention in the form of regulatory requirements since that tends to spawn off a whole slew of other issues, but maybe if the industry itself set some sort of standard, it may be more palatable to the consumer. You are right, we don't hear anything from the manufacturers, at least in the public space.
Some Guy
Some Guy,
User Rank: Moderator
9/12/2014 | 4:54:30 PM
Re: Note quite 3-factor authentication ...
@Technocrati - I'm comfortable with NFC as long as I can turn off the antenna whenever I'm not making a purchase. So if it's a slider like WiFi and Bluetooth, no issue.

@GonzSTL - I'd expect that a one-time token under these described conditions is a lot more secure than anything out there today, especially given the Target and Home Depot breaches. I'd be OK using it places that I won't even use VISA or MC today.
Technocrati
Technocrati,
User Rank: Ninja
9/13/2014 | 1:34:51 AM
Re: Note quite 3-factor authentication ...

@Some Guy    I see.   Yes the enabling and the disabling of the service is easy and I think that is the case for phones that have NFC, but there has got to be a better way to transmit the signal.  

Of course I am at a loss for the answer to this plea but we will see if Apple can make this process sexy enough for mass adoption. 

Technocrati
Technocrati,
User Rank: Ninja
9/13/2014 | 1:54:29 AM
Re: Note quite 3-factor authentication ...

@GonzSTL    I certainly appreciate your level headed approach to this difficult issue.   I often get the feeling that NFC is a technology that even though the consumer is cool towards the idea, these manufacturers are dying to implement it.

 

I guess the real goal is to make the phone a tool for real-time commercial transactions, but people don't seem to be too excited about it, the uses we have now seem to be more than adequate.  

And I agree, I hope the industry regulates itself but the first thing they probably need to do is to come to grips with the fact that not many want NFC and even if it is forced upon the consumer - they have choices now.

 

I think Apple just might learn this lesson again. 

Sara Peters
Sara Peters,
User Rank: Author
9/16/2014 | 2:01:38 PM
Re: Note quite 3-factor authentication ...
@GonzSTL  I completely agree with you on this:  "Why not just make two-factor authentication required for using Apple Pay?" They could prompt users for both a fingerprint and a password even if the device isn't locked at the time that they make a purchase.
Technocrati
Technocrati,
User Rank: Ninja
9/11/2014 | 9:09:49 PM
Apple creates De Facto Standard ?

Really found this subject to be a very fascinating read Sarah.  With Apple jumping head first into the mobile payments arena - I was really interested in see how they expect to pull this off.  Otherwise it is a headache not many wanted to deal with until Apple decided to get out in front of this.

This token system is a good idea, but it too as you mention will be compromised as well by hackers in time.  But I guess the industry had to start somewhere - and it is an improvement over magnetic cards ...etc.  

I am not so sure I particularly like using my phone for purchases - though I pay bills occasionally but for the most part I don't want to use my phone for transactions.  I may be in the minority here - as I do not have an iPhone either.

My question is who is governing this new method of payment transmission ?   The FTC ?  Seems to me Apple just created a de facto standard ?

GAProgrammer
GAProgrammer,
User Rank: Guru
9/12/2014 | 1:25:33 PM
Re: Apple creates De Facto Standard ?
With Apple comprising roughtly 41%(and declining) market share, this is definitely a way for them to generate more revenue. I think if Apple makes it easy for retailers to process these payments, this could just be another form of payment. However, you will never catch me on that closed ecosystem. More and more of my friends who use iPhones are finding that the device REALLY isn't that great. I know of 10 people in the past 3 months who have ditched theirs for Samsung phones.

It'll be interesting to see how people, and more importantly, businesses like this new form of payment. It may just be relegated to Apple Stores when all is said and done.
Some Guy
Some Guy,
User Rank: Moderator
9/12/2014 | 4:49:23 PM
Re: Apple creates De Facto Standard ?
@GAProgrammer - I think this is more an issue of Apple going after PayPal and expanding their walled garden for a cut of the action.
Technocrati
Technocrati,
User Rank: Ninja
9/13/2014 | 1:58:26 AM
Re: Apple creates De Facto Standard ?

@GAProgrammer   Interesting.  I had not thought about PayPal, and I think you are right - Apple would love to have a large piece of this market.

Technocrati
Technocrati,
User Rank: Ninja
9/13/2014 | 1:46:22 AM
Re: Apple creates De Facto Standard ?

"....More and more of my friends who use iPhones are finding that the device REALLY isn't that great. I know of 10 people in the past 3 months who have ditched theirs for Samsung phones."

 

@GAProgrammer     That is really interesting to hear.  I have noticed this myself - Many  iPhone users don't seem to be as happy as they once were.  It has been a long time since Apple has had a significant new offering and when they did - they went larger, which is just what their competition ( Samsung ) has been doing for years.

Sara Peters
Sara Peters,
User Rank: Author
9/16/2014 | 1:59:07 PM
Re: Apple creates De Facto Standard ?
@Technocrati   Geez, a girl goes on vacation a couple days and you all have a great conversation without me. Thanks for that! 

As to your comment, I find this a fascinating thought: "Who's regulating this? Seems to me Apple just created a de facto standard ?"

I imagine that the PCI Council will have something to say on it as well, and they're probably still making up their minds about it. The near-field communications part isn't the important thing; it's the authentication. 
Technocrati
Technocrati,
User Rank: Ninja
9/18/2014 | 5:11:09 AM
Re: Apple creates De Facto Standard ?

@Sara     Welcome back !   I see.  Well, I really enjoyed the topic - I was initially very curious as to how Apple plans to address this potential security nightmare.

But after discussions with my peers along this thread and of course your work - I have a better understanding of just how Apple plans to pull this off.

Technocrati
Technocrati,
User Rank: Ninja
9/12/2014 | 1:51:18 PM
NFC: There has Got To Be a Better Way

@Some Guy   How do you feel about NFC ?    I am not a big fan since I am not a big fan of mobile payments in general.   I just can't picture myself tapping my phone against some reader to make payments.   

 

Call me a germaphobe - but that is also a consideration.

teck
teck,
User Rank: Apprentice
9/15/2014 | 9:39:58 PM
A few errors in this article
Payment authorization does not require PIN + fingerprint.  The default is fingerprint scan, if that fails a certain number of times (not able to presently disclose) it reverts to PIN.

Apple does not possess the ability to convert a token into its full credit card representation.  Rather that is the role of a TSP (Token Service Provider).  Currently each PNO (AMEX, Visa, M/C) operates its own TSP and thus only they are able to detokenize a token back to the actual credit card data.
msspotlight
msspotlight,
User Rank: Apprentice
10/7/2014 | 12:40:53 PM
TIMA hardware chip?
My question is this....is the HW chip where the token is stored TIMA?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-38765
PUBLISHED: 2022-12-09
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
CVE-2022-41947
PUBLISHED: 2022-12-08
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated use...
CVE-2022-41948
PUBLISHED: 2022-12-08
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HT...
CVE-2022-23469
PUBLISHED: 2022-12-08
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header a...
CVE-2022-23494
PUBLISHED: 2022-12-08
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which p...