Apple outsmarts the thieves

Evan Schuman | Sept. 24, 2014
The Apple Pay approach to mobile payment turns the security conundrum upside down by keeping data out of thief-magnet servers

Security is not always about creating a stronger deadbolt or a more protective firewall. Sometimes it's about understanding what motivates potential attackers and using that knowledge to make your valuables look less attractive, either directly or by comparison. It's this more sophisticated approach that Apple is using with its newest devices and software.

If you wanted to secure a house, these psychological tactics might include leaving an old wreck of a car in the driveway, which would suggest that there's little of value to be found in the house. Or you might volunteer to help spruce up your neighbor's house, making it look like a more profitable theft target than yours. (Hey, I didn't say that these were necessarily ethical examples.)

In enterprise IT, the idea is the same. Protecting your content against a brute-force attack is essential, but doing what you can to make thieves look elsewhere is potentially an even better strategy. When Apple introduced Apple Pay this month, it demonstrated an understanding of both tactics.

Apple Pay does something that turns the security conundrum upside down. The problem has been that enterprises, as self-centered profit seekers, are uninterested in spending a lot of money to improve security for all or to shut down gangs of cyberthieves. All they want to do is make the thieves stop attacking them. If Apple Pay and other payment systems using the same model become widely adopted, that would become less of an issue, because enterprises would look like less appealing targets. (More on this later.)

Something else that Apple did, perhaps only as a way to improve usability, also boosts security. With every earlier NFC payment app, the shopper had to start the process by launching that app. To speed things along, Apple bypassed that step and allowed Apple Pay to do its magic solely by proximity to the signal and by the shopper putting a finger on the phone's biometric scanner. That is certainly faster and easier, but that fingerprint scan is also more secure than the traditional use of a signature or a PIN. Yes, I know that the fingerprint reader is full of security holes — there are various methods for copying a fingerprint from a stolen phone and using it to trick the scanner into authenticating incorrectly — but despite that, it is an order of magnitude more secure than signature and PIN. (It should be noted that Apple has paid attention to the criticism. The latest version of its biometric scan makes better use of methods for detecting live tissue.)

Let's not attack Apple's fingerprint scanner for being less than perfectly secure when signatures offer pretty much zero protection, and PIN has plenty of problems of its own. Cashiers are hardly experts in handwriting recognition, and in any case it's been decades since retailers urged them to compare signatures with the one on the card. And most PIN deployments in the U.S. — including Apple's default — are four digits, which is woefully inadequate. It is quite weak for online usage, given the relative ease of cracking a four-digit code, and it's far from foolproof in-store, where the criminal technique of shoulder surfing is common — the thief just looks over someone's shoulder and learns the PIN by watching it get entered.

 
