Why was this a big deal? Well, those same lessons of identification and authentication from the 1990s telecommunications industry are just as valid today for the payment industry. Magnetic stripe payment cards are like the analog cellular phones of the 1980s and 1990s: they identify themselves, but they do not authenticate anything. Contactless payments, including Apple Pay, not only use strong mutual identification and authentication; they have gone a step further, to a technique called tokenization. With tokenization, the customer’s real account credentials are withheld from the merchant (the taxi driver). Even if either of my taxi drivers had been usurped by the bad guys to try to skim passengers’ credit card data, neither of them ever saw my actual credit card account information. All in a New York taxi.
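The contrast the column draws, a static magnetic stripe that only identifies versus a tokenized payment that authenticates and withholds the real account, as an added Python sketch. This is not the author's code and not the real EMV or Apple Pay protocol: the token service, the device-bound key, the HMAC-based per-transaction cryptogram and the counter-based replay check are all simplifications constructed here to illustrate the idea. The sample card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, token: str, amount: str, counter: int) -> str:
    """Per-transaction proof bound to token, amount and a monotonic counter.
    Stand-in for the issuer cryptogram of a real scheme (assumption)."""
    msg = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class MagstripeCard:
    """Legacy card: the track data is static and is the account itself."""

    def __init__(self, pan: str):
        self.pan = pan

    def present(self) -> dict:
        # Identification only: anyone holding this data can replay it.
        return {"pan": self.pan}


class TokenServiceProvider:
    """Hypothetical token vault standing in for the network's token service."""

    def __init__(self):
        self._vault = {}         # token -> (real PAN, device key)
        self._last_counter = {}  # token -> highest counter accepted

    def provision(self, pan: str):
        # Token is random, so nothing about the PAN is derivable from it.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        device_key = secrets.token_bytes(32)
        self._vault[token] = (pan, device_key)
        self._last_counter[token] = 0
        return token, device_key

    def detokenize(self, token: str, amount: str, counter: int, cryptogram: str):
        """Only the vault can map a token back to the account, and only for a
        fresh, correctly authenticated transaction."""
        if token not in self._vault:
            return None, "unknown token"
        pan, key = self._vault[token]
        expected = _cryptogram(key, token, amount, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        if counter <= self._last_counter[token]:
            return None, "replay"
        self._last_counter[token] = counter
        return pan, "ok"


class TokenizedDevice:
    """Phone or contactless card holding a token and a device-bound key."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self.counter = token, key, 0

    def present(self, amount: str) -> dict:
        self.counter += 1
        return {"token": self.token, "amount": amount, "counter": self.counter,
                "cryptogram": _cryptogram(self._key, self.token, amount, self.counter)}


class Merchant:
    """The taxi's terminal: it keeps whatever it was shown."""

    def __init__(self):
        self.receipts = []

    def charge_magstripe(self, card: MagstripeCard, amount: str) -> dict:
        data = dict(card.present(), amount=amount)
        self.receipts.append(data)
        return data

    def charge_tokenized(self, device: TokenizedDevice, amount: str, tsp) -> str:
        payload = device.present(amount)
        self.receipts.append(payload)
        _, status = tsp.detokenize(payload["token"], payload["amount"],
                                   payload["counter"], payload["cryptogram"])
        return status


def demo() -> dict:
    pan = "4111111111111111"  # constructed sample card number
    merchant, tsp = Merchant(), TokenServiceProvider()

    merchant.charge_magstripe(MagstripeCard(pan), "12.50")
    token, key = tsp.provision(pan)
    first = merchant.charge_tokenized(TokenizedDevice(token, key), "12.50", tsp)

    # What a skimmed merchant record is worth on each path.
    legacy, tokenized = merchant.receipts
    stolen = tokenized
    _, replayed = tsp.detokenize(stolen["token"], stolen["amount"],
                                 stolen["counter"], stolen["cryptogram"])
    _, tampered = tsp.detokenize(stolen["token"], "999.00",
                                 stolen["counter"] + 1, stolen["cryptogram"])
    _, unknown = tsp.detokenize("0000000000000000", "1.00", 1, stolen["cryptogram"])
    return {
        "magstripe_receipt_exposes_pan": any(pan in str(v) for v in legacy.values()),
        "tokenized_receipt_exposes_pan": any(pan in str(v) for v in tokenized.values()),
        "first_charge": first,
        "replayed_charge": replayed,
        "tampered_charge": tampered,
        "unknown_token": unknown,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the asymmetry the column describes: the magnetic stripe record is the credential, so a copy of it is as good as the card, whereas the tokenized record is a random token plus a one-time cryptogram that only the vault can resolve and that fails on replay or alteration.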
My conclusion from all of this is that we are indeed making some progress, at least in pockets where observed threats are at their highest levels — in other words, New York.
Does that mean that contactless payments using tokenization are perfect? Of course not. I have the utmost confidence that someone is going to come along and find weaknesses (yes, plural) in those protocols. But all of this raises the costs to successfully attack the systems, and that is the game we all play.
All in a New York taxi.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.