
Experts: Don't use Apple Pay, CurrentC until crooks get a shot at them

Tim Greene | Nov. 6, 2014
Despite designers’ diligence, these payment systems haven’t been tested by real-world criminals


While major retailers hem and haw about whether to use Apple Pay or CurrentC, security experts say those concerned about safeguarding their credit data might be wise to hold off using either payment system until it has really been vetted for vulnerabilities.

"The bottom line is they're about as safe as your debit card is now," says Jason Polancich, chief architect at SurfWatch Labs, about mobile payment systems that let a smartphone authenticate the user and stand in for a credit card (in Apple Pay's case, over near-field communication, NFC).

Because mobile payment systems like Apple Pay are brand new (CurrentC isn't even generally deployed yet), their security hasn't been tested much by the concerted efforts of attackers. "The criminals haven't had the chance to catch up yet," Polancich says.

But that will happen, says Marc Maiffret, CTO of BeyondTrust. "Surely Apple themselves have invested a lot of energy into securing Apple Pay, but as we have seen with previous technology releases, that does not mean they will have found everything."

He points to an earlier example of Apple putting forth a new technology, fingerprint ID, only to have it cracked soon after. "Surely Apple put some effort into securing that, but it was the security community that within a few weeks/months came to show how secure it was or not," he says.

In the case of CurrentC, attackers have already stolen email addresses of some participants in its trial program.

But, architecturally at least, Apple Pay and other mobile payment systems seem more secure than payment cards, says Ryan Olson, director of Unit 42, the Palo Alto Networks threat intelligence team. "The existing magnetic stripe system used for most in-store payments in the U.S. is much more vulnerable to theft and duplication than either Apple Pay or Google Wallet," he says. "As both systems use one-time identifiers for each payment and encrypt NFC communications, it's going to be much harder for an attacker to take advantage of these transactions."
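The property Olson describes, a one-time identifier per payment rather than a static card number, is what makes a captured transaction useless to an attacker. The following simplified model, added here as an illustration and not code from Apple, Google or the article, contrasts a magnetic-stripe credential (replayable as-is) with a tokenized credential that carries a transaction counter and a keyed MAC over the transaction details. The token format, counter scheme and HMAC construction are assumptions for the example; the sample track data is constructed, and the NFC channel encryption the quote also mentions is not modelled.

```python
"""Simplified model: static magstripe data vs. a per-transaction cryptogram.

Added illustration, not Apple Pay's or Google Wallet's actual protocol.
The token format, counter (ATC) scheme and HMAC construction are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# --- Static credential: what a magstripe terminal reads --------------------

@dataclass
class MagstripeIssuer:
    """Issuer that authorises purely on possession of the track data."""
    cards: set = field(default_factory=set)

    def authorize(self, track_data: str, amount: int) -> bool:
        # Nothing in the message is bound to this transaction; a copy of
        # the track data is as good as the card itself.
        return track_data in self.cards


# --- Dynamic credential: token + transaction counter + cryptogram ----------

def cryptogram_for(key: bytes, token: str, atc: int, amount: int, merchant: str) -> bytes:
    """MAC over the transaction-specific fields (assumed construction)."""
    msg = f"{token}|{atc}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class TokenIssuer:
    """Token service sharing a per-device key with each wallet and tracking
    the highest transaction counter it has accepted for each token."""
    keys: dict = field(default_factory=dict)      # token -> device key
    last_atc: dict = field(default_factory=dict)  # token -> highest ATC seen

    def enroll(self, token: str, key: bytes) -> None:
        self.keys[token] = key
        self.last_atc[token] = 0

    def authorize(self, token: str, atc: int, amount: int,
                  merchant: str, cryptogram: bytes) -> bool:
        key = self.keys.get(token)
        if key is None:
            return False
        # A reused or out-of-order counter is a replay: reject it.
        if atc <= self.last_atc[token]:
            return False
        expected = cryptogram_for(key, token, atc, amount, merchant)
        # Any change to amount or merchant breaks the MAC.
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc[token] = atc
        return True


@dataclass
class Wallet:
    """Device-side token holder; increments the counter for every payment."""
    token: str
    key: bytes
    atc: int = 0

    def pay(self, amount: int, merchant: str) -> dict:
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "amount": amount,
                "merchant": merchant,
                "cryptogram": cryptogram_for(self.key, self.token,
                                             self.atc, amount, merchant)}


def demo() -> dict:
    """Run both models and return the authorisation outcomes."""
    results = {}
    # Magstripe: a skimmer captures exactly what the terminal saw.
    track = "4111111111111111=2512101"          # constructed sample track data
    mag = MagstripeIssuer(cards={track})
    results["magstripe_replay"] = mag.authorize(track, 4999)   # True: clone works

    # Tokenised wallet with a per-device key.
    issuer = TokenIssuer()
    wallet = Wallet(token="DPAN-4000123456789010", key=secrets.token_bytes(32))
    issuer.enroll(wallet.token, wallet.key)

    msg = wallet.pay(1500, "coffee-shop")
    tampered = dict(msg, amount=99999)
    results["amount_tampered"] = issuer.authorize(**tampered)  # False: MAC mismatch
    results["genuine"] = issuer.authorize(**msg)               # True
    results["token_replay"] = issuer.authorize(**msg)          # False: counter reused
    results["next_genuine"] = issuer.authorize(**wallet.pay(800, "grocer"))  # True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is the asymmetry: the skimmed track data authorises any later purchase, while a captured tokenized message fails both when replayed (counter already consumed) and when its amount is edited (MAC no longer verifies), so an attacker who observes a transaction gains nothing reusable.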

There are plenty of places attackers will probe for weaknesses to exploit, Olson says. For example, attackers could go after the point-of-sale systems stores use to accept mobile payments in addition to the phones themselves, he says. Backend systems could also be hacked, but none of it is easy. "All three of these are more challenging to crack than the current POS systems we've seen in the headlines in the last year," he says.

Attackers could go after the fingerprint readers used for authentication on iPhones, says Tom Gorup, security operations center manager at Rook Security. So if a phone is stolen, an attacker could lift prints from it to defeat the print scanner, he says. "This attack can be completed simply with a laser printer, latex and some wood glue," he says.

