by Al Sacco

Security, Payments Experts Talk Apple Pay

Oct 23, 2014 | 6 mins

Three security and payments industry experts discuss the pros and cons of Apple's new iPhone-based contactless payment system, Apple Pay.

You’ve likely heard that Apple took its first steps into the mobile payments industry this week with the launch of its Apple Pay NFC-based, contactless payment service.

You’ve also likely seen someone you know or follow talk/tweet/write about how easy the service is to use. If you watched the first game of the World Series (go Giants!), you probably saw at least one corny credit card commercial teasing Apple Pay. If you shop at Whole Foods, McDonald’s or any of the other 220,000 retailers that support Apple Pay today, you may have noticed big, bold signs promoting the technology as you entered the stores.


What you probably haven’t seen is a lot of negativity, or even caution, around Apple Pay.

I asked three security and mobile payment experts for their thoughts on Apple Pay. Though none of the sources suggests avoiding the new technology — in fact, most say it’s safer and more secure than using your credit card — it’s obvious that Apple Pay will have far-reaching and lasting effects on the payment industry.

Apple Pay and the Payment Industry

Armando Orozco, senior malware intelligence analyst at Malwarebytes, a company that makes anti-malware software, isn’t an iPhone 6 owner and therefore isn’t an Apple Pay user, but he says the technology is a big step in the right direction for the payment industry. “I like the idea of not having to carry multiple debit/credit cards and the potential for increased transaction security. I’m a fan of eliminating the physical wallet entirely.”

Catherine Pearce, a security consultant with Neohapsis, a security and risk management consulting company, agrees. Pearce would use Apple Pay if she owned an iPhone 6, but she says Apple Pay alone isn’t enough to justify the cost of an upgrade from her iPhone 5s. (Only two Apple devices currently support Apple Pay, the iPhone 6 and iPhone 6 Plus, though the upcoming Apple Watch will also work when it’s released next year.) 


“Mobile payments have the capability to be far more secure than mag-stripe or even chip and pin credit cards, while being more convenient,” Pearce says. “I mainly see the advantage as convenience, [but] one-time transaction tokens (like the ones used in Apple Pay) may make direct financial loss from breaches of merchants a thing of the past.”

Apple Pay uses a unique device ID number for payments instead of a credit card number. Merchants see only that device ID, not your card number, when you make a purchase, according to Apple.

While modern merchants often have access to a variety of their customers’ personal details that can be used in identity theft, Pearce says credit card numbers and checks are more attractive to thieves.

“Attackers will have a harder time monetizing stolen personal details than credit card numbers – particularly from offshore,” Pearce says. “It’s difficult to see how Apple Pay could be worse than aspects of existing payment systems, even if done terribly.” 

Apple-Only and Limited Merchant/Bank Support

Apple operates a closed ecosystem for its products, for the most part, and Apple Pay is no exception to the rule. To use it, you must have a new iPhone.

“The requirement for an Apple device is a blessing and a curse for a technology [like Apple Pay],” Pearce says. “It both guarantees a number of devices in the hands of desirable customers, possibly helping to reach critical mass for takeoff – but it also means many people who prefer Android [or another platform] will be out of luck.” 

In addition, a lack of employee training on Apple Pay at retailers could negatively affect the customer experience, according to Peter Olynick, card and payments practice lead with Carlisle & Gallagher Consulting Group, a management-technology consulting firm.

“You don’t have sufficient merchant acceptance. It’s hit or miss whether or not a random store you go into will be able to support it,” says Olynick. “Because of that, the people who work at the stores, they aren’t used to it. Training at the clerk level is not high enough.”

Apple’s closed approach could also ultimately hurt its ecosystem and stunt Apple Pay’s growth in the long run. 


“Apple Pay is dedicated to a single platform,” Olynick says. “If [Apple] really wants it to be a ubiquitous payment vehicle, it has to open it up to more devices, as opposed to only allowing Apple users to use it.”

Pearce suggests Apple’s approach could lead to security issues as well. “While monocultures are good for fast growth, if something goes wrong in widely used technologies it can have a huge impact – as Heartbleed and Shellshock demonstrated,” Pearce says. “If a problem is found in Apple Pay several months from now, it could affect many millions of people.”

Just as Apple Pay itself is limited to new iPhone users, it’s also restricted to a relatively small set of leading U.S. banks and financial institutions.

“If you can’t, or don’t want to, have an account with one of them, then you are locked out of this secure ecosystem until, and unless, small banks and credit unions offer it,” Pearce says. 

Even the big banks place restrictions on the kinds of cards they support, resulting in fragmentation. For example, American Express supports Apple Pay for personal and small business accounts, but not for its corporate cards.

Apple Pay a Significant Target for Bad Guys

Apple Pay could make iPhones more attractive to thieves, Orozco says. Users should be more conscious of security, and always use a screen lock and enable remote wipe features.

He also warns that even if Apple does everything it can to ensure security, the problems could come from the merchant’s side. “These are new technologies being rolled out, so Apple will have to keep its end secure,” Orozco says. “But there’s the other end of the transaction where vulnerabilities can also be found, whether it be in-app purchases or the software used at the register.”

Apple’s closed approach to payments could also further fragment and complicate the mobile payments space. That might not be a good thing for consumers, according to Orozco.

“Being that this is Apple, everything will be closed off,” Orozco says. “As other vendors adopt similar technology, merchants will have to continually adopt the new technologies in order to support the different methods. The more variables you add to the software, the more potential for mistakes.” 

Pearce also says Apple Pay could lead to new methods of phishing and social engineering. For example, a hacker could potentially access the iOS Passbook app, which houses the Apple Pay payment information on users’ devices, and serve up false messages saying credit card information must be reentered, in order to steal the sensitive data.

“The security element is great, biometric is fantastic, but I want to be careful about leveraging any new technology,” Olynick says. “Apple Pay is getting a lot of press, and the bad guys are out there working really hard trying to figure out how they can get into this.”

You can learn more about Apple Pay on the company’s iPhone 6 website.