Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Apple Pay: A Necessary Push To Transform Consumer Payments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
dkoobfhlbc
dkoobfhlbc,
User Rank: Apprentice
9/11/2014 | 1:52:20 PM
The entire article falls apart at "Hopefully"
From the article:

"Hopefully, Apple has implemented significant and sophisticated measures into protecting card data stored in the iPhones' Passbook from theft or unauthorized use. Regardless, removing sensitive payment data from the merchants' hands is a necessary step to solve the increased breach epidemic retailers have been facing."

 

If Apple cant keep private data (pictures and backups safe) what makes you think they can keep your personal finance information safe?

Lets all jump on the Apple bandwagon as quick as humanly possible because Apple can do no wrong, or when they do - its no big deal.

I understand this puts progress in a crux and I don't have a perfect answer - but I fear for the sheeple that will blindly follow and potentially expose themselves to risk of giving up their credit card information. 
anon7578423912
anon7578423912,
User Rank: Apprentice
9/11/2014 | 4:41:51 PM
Re: The entire article falls apart at "Hopefully"
We're already at risk of credit card data theft. I have an iPhone, and I'd rather pay via Apple Pay or similar service than hand out my card to all kinds of merchants out there. I have actually being carrying more cash on hand lately with all the security breaches going on.
Dr.T
Dr.T,
User Rank: Ninja
9/11/2014 | 8:47:17 PM
Two-factor
I like the article, thanks for sharing it. I will most likely use Apple Pay simply because it is convenient. However we should not assume that the solution is secure enough that we feel comfortable. Keep in mind that the credit card itself provides two-factor authentication and unconnected, our iPhones may not provide the same capabilities because it is connected.
Dr.T
Dr.T,
User Rank: Ninja
9/11/2014 | 8:49:36 PM
Re: The entire article falls apart at "Hopefully"
I agree, handing over the credit card would more risky than using NFC with your iPhone.
Dr.T
Dr.T,
User Rank: Ninja
9/11/2014 | 8:53:35 PM
Re: The entire article falls apart at "Hopefully"
I hear you, I would think they would either hash or encrypt data at rest. They would not be able take a risk of credit card numbers being compromised. This is more regulated than the pictures we uploaded to iCloud which nobody really cares unless you are a celebrity.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/12/2014 | 7:46:20 AM
Device Account Number
Lucas, I really like this concept and it sounds very promising, but I'm not sure I totally understand how it works. So, for each transaction, Apple Pay creates a unique "Device Account Number" that is stored in the SIM card in your iPhone. But where does the Device Account Number come from? From the card company?
LucasZa
LucasZa,
User Rank: Moderator
9/12/2014 | 3:52:06 PM
Re: Device Account Number
Marilyn, the Device Account Number is a permanent unique identifier for the mobile device. I'm not sure if it's randomly generated or derived from seed data. Either way, that Device Account Number gets stored on the "Secure Element" chip they've added to the iPhone 6. This is their way of implementing the Secured Element part of the NFC specification. More info at www.smartcardalliance.org/publications-nfc-frequently-asked-questions/#7

When it comes time to pay, the iPhone 6 will use NFC to transmit the Device Account Number and a a unique transaction identifier to the POS using those contactless readers that nobody in America currently cares about. This is where it gets a little vague. Prior reports talked about the elimination of the payment processor middleman. The merchant POS has to send the transaction data somewhere though. So I'd assume they're sending it through Apple servers which then authenticate the transaction with the card issuing bank before processing it through the appropriate card brand network such as Visa. Think of the transaction identifier as being an out of band mechanism so criminals can't leverage stolen data from Apple Pay transactions since they'd need another transaction identifier. I'm guessing the transaction identifiers are generated similar to how Google Authenticator and RSA two-factor have a rolling code that's constantly in sync with the server.

My guess that Apple is in the middle relaying transaction data stems from their careful choice in wording when they state they "don't save" your transaction data. They're choosing their words carefully to hide the complex inner workings behind a simpler message that doesn't require niche payment processing knowledge.
LucasZa
LucasZa,
User Rank: Moderator
9/12/2014 | 4:02:08 PM
Speaking of security...
I agree with those concerned about security flaws. It is possible that someone could figure out a way to retrieve the stored card data from the Secure Element chip. Passbook uses an iOS API to access that chip. If there's a weakness in protecting that API, then that could lead to apps being deployed to the Apple store that steal stored cards or malicious websites that use another vulnerability to gain initial access (e.g. jailbreaking techniques), then exploit the API flaw to steal card data. Or perhaps there's a way criminals could conduct fraud if they get on Apple's servers relaying transaction data. What if they managed to get the seed data used to generate the unique transaction identifiers? Lots of possibilities.

I also agree with those that state it's still more secure than using magstripe or EMV. Nothing is perfectly secure, so choosing the option with the least attack surface area makes sense. Unfortunately, most people don't care enough about security to ditch the plastic. They need some sort of gratification to change behavior.
SDiver
SDiver,
User Rank: Strategist
9/15/2014 | 12:21:13 PM
Re: The entire article falls apart at "Hopefully"
dkoobfhlbc, your comments provide no useful insight.

Yes, Apple's iCloud was breached but so has Android and Google Wallet.  In fact, name any system that is 100% foolproof so what's your beef with Apple?  Are Android users "sheeple" too or should Google be solely responsible for determining our security needs?

We have yet to see the reliability of Apple's new payment system.  Obviously, this new system will have flaws just like any other system but if you're so concerned about the "sheeple" putting their credit card numbers at risk then I invite you to:  1) please provide detailed information WHY Apple Pay is so weak; and 2) name the perfect payment system that you have obviously discovered which the rest of us have missed.
dkoobfhlbc
dkoobfhlbc,
User Rank: Apprentice
9/15/2014 | 12:36:57 PM
Re: The entire article falls apart at "Hopefully"
I'm not trying to nitpick at why Apple Pay is completely insecure. What really irks me is that NFC payment has been around for YEARS. Yes its constantly evolving and becoming better and stronger and faster and more secure. What really makes me groan is when Apple 'creates' a feature that the masses think is brand new and 'revolutionary' when they're merely taking a technology they did not invent slapping a pretty face on it and calling it their own. While this is great for the recognition of the technology a wider attack vector means it'll just be the next big thing that is hacked.

 

Furthermore - I was initially upset that the author of this article chose to use the word 'hopefully' when describing the 'greatest technology company in the world's approach to payment security. I would have much rather the author done a little more investigation and added some substance to the article to describe why Apple Pay should be adopted and why it's more secure than other NFC payment vendors.

 

Finally - nowhere in my original comment did I mention I was pro Android/ Goole or Microsoft or Blackberry or any other vendor for that matter. I did not say any other vendor is more secure or has fewer flaws than Apple - I'm just upset that Apple's wrongdoings are so quickly forgotten when they introduce something new and shiny. Why the specific Google hate? Defensive much?

Last I checked - nobody's had their identity stolen, been asked for an ID or had their credit ruined when paying in cash.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-0739
PUBLISHED: 2023-02-08
Race Condition in Switch in GitHub repository answerdev/answer prior to 1.0.4.
CVE-2023-0716
PUBLISHED: 2023-02-08
The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_edit_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke this ...
CVE-2023-0717
PUBLISHED: 2023-02-08
The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_delete_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke thi...
CVE-2023-0720
PUBLISHED: 2023-02-08
The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke...
CVE-2023-0722
PUBLISHED: 2023-02-08
The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_save_state function. This makes it possible for unauthenticated attackers to invoke this function via forged...