Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Known NFC spoofing techniques probably wouldn't work with Apple Pay

John Brandon | Oct. 21, 2014
Security experts admitted that Apple's use of one-time-use tokens instead of your actual credit card information would render hacks due to NFC vulnerabilities pretty toothless.

iphone 6 home button touch id
ROB SHULTZ. Stolen data won't tie to your credit card number, and a stolen phone can't be used for Apple Pay without also fooling the Touch ID authentication.

Another security analyst said NFC spoofing is possible. Jeff Williams, CTO of Contrast Security, a Web application security provider, says that a widely available reader using the Arduino microcontroller can intercept NFC signals from a meter away or more. He says several exploits for NFC in smartphones have been found.

Tokens, not account numbers
Still, even if a hacker could snag your transaction data as it passes from your iPhone to the terminal, they'd get a single-use token with nothing to identify you by name. Connecting that to the credit cards stored securely by Apple might not be impossible, but the experts we spoke to agree that it's a lot harder than just stealing some credit card numbers.

Narang points out that Apple Pay uses an account code that refers to a credit card number not stored on the phone, so the hacker would only obtain a useless account number. This "tokenization" is one of the strengths of the new Apple Pay system and intended to dissuade hackers.

Williams agrees that stolen Apple Pay data would likely be useless. "The use of one-time tokens instead of revealing actual credit card information has the potential to make these intercepted signals useless to attackers. The use of Apple's fingerprint Touch ID technology adds another layer of authentication to the mix, potentially further frustrating attacks," he says.

Hoyos is a little more uncertain. He claims that it's possible for hackers to correlate spoofed account tokens to credit card data stored on Apple's actual servers, and points to the recent breach of celebrity photos from iCloud backups as precedent. (But the two situations aren't comparable, and Apple hasn't had credit card accounts stolen before.) Hoyos even claims that it's possible to purchase a mylar replication of a fingerprint, then use it with Touch ID to complete transactions--but of course that would require stealing the phone and getting a fingerprint, and the whole plan is foiled as soon as the person you stole the phone from deactivates it as an Apple Pay device using Find My iPhone.

Apple did not respond on the record to inquiries about Apple Pay security but did point to online documentation for Apple Pay that explains the tokenization process. Apple Pay launches Monday in the United States with the release of iOS 8.1.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.