Details of the upcoming iPhone 6 and Apple Watch were announced yesterday. Both devices will be equipped with Apple’s new contactless mobile payment system: Apple Pay.
Apple Pay enables phone payments at points of sale without sharing credit card information with the retailer. The new system cannot block malware attacks on point-of-sale terminals, but it can make the information on them less valuable to attackers. Responsibility for payment safety will shift mostly to Apple, and away from the retailers.
Would You Like to Play with Apple Pay?
Instead of paying with a credit card, the user can make all purchases via a mobile device. The transaction is completed with the help of the Secure Element (a chip in the iPhone and Apple Watch), where a unique Device Account Number is encrypted and stored. This number is not recorded on Apple servers. So, even if hackers compromise any of the company’s servers, the user’s data will still be safe.
Every payment made by the user is processed through the Device Account Number and a transaction-specific security code. This is what turns the user’s mobile device into a “mobile wallet.” No credit or debit card details are ever shared with retailers or transmitted with the payment. Instead of providing a credit card and PIN to authenticate the payment, the user only needs to authenticate to the Apple device. The user can rely on the protection of the data via password and fingerprint, which automatically makes the mobile device more important to the user than a PoS terminal. In case the device is stolen or broken, all the data on it can be erased via remote data wipe.
If a store’s PoS terminal is compromised by hackers, all they can get their hands on will be the one-time tokens from Apple Pay. And although those tokens probably cannot be spoofed, let’s keep in mind that hackers hardly ever give up easily. It is possible that in the future cyber criminals will create malware that compromises the entire mobile device, along with the fingerprint.
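To show why a token captured on a compromised PoS terminal has little resale value, here is a simplified model added for illustration. It is not Apple Pay's or any card network's actual protocol: the HMAC construction, the counter, the field names and the sample account number are all assumptions.

```python
import hashlib
import hmac
import secrets

def _code(key, dan, counter, amount, merchant):
    # Transaction-specific security code: a MAC over this payment's details.
    msg = f"{dan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Device:
    """Stands in for the Secure Element holding the Device Account Number."""
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0

    def pay(self, amount, merchant):
        self._counter += 1  # every payment gets a fresh counter value
        code = _code(self._key, self.dan, self._counter, amount, merchant)
        return {"dan": self.dan, "counter": self._counter,
                "amount": amount, "merchant": merchant, "code": code}

class Issuer:
    """Payment-network side (hypothetical): knows each enrolled device's key."""
    def __init__(self):
        self._accounts = {}  # dan -> [key, highest counter accepted so far]

    def enroll(self, dan, key):
        self._accounts[dan] = [key, 0]

    def authorize(self, tx):
        acct = self._accounts.get(tx["dan"])
        if acct is None:
            return "unknown-account"
        want = _code(acct[0], tx["dan"], tx["counter"], tx["amount"], tx["merchant"])
        if not hmac.compare_digest(want, tx["code"]):
            return "bad-code"   # details were altered or the code was forged
        if tx["counter"] <= acct[1]:
            return "replayed"   # a captured token is being resubmitted
        acct[1] = tx["counter"]
        return "approved"

def demo():
    key = secrets.token_bytes(32)
    dan = "DAN-CONSTRUCTED-0001"  # constructed sample value, not a real number
    device, issuer = Device(dan, key), Issuer()
    issuer.enroll(dan, key)
    tx = device.pay(1999, "store-42")  # everything the PoS terminal ever sees
    return [issuer.authorize(tx),                      # genuine payment
            issuer.authorize(dict(tx)),                # copy replayed by PoS malware
            issuer.authorize(dict(tx, amount=999999)), # copy with the amount changed
            issuer.authorize(device.pay(500, "store-42"))]  # next genuine payment
```

In this model the terminal never holds the key, so a scraped transaction can be neither reused nor edited; compromising the device itself, as the paragraph above notes, is a different problem.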
Switching from Magnetic Stripe to NFC chips
Although NFC (Near Field Communication) is considered a huge security improvement over the magnetic stripe, the problem of malware that attacks point-of-sale systems remains. After all, it might be a different channel, but the user’s data is still transferred into a PoS terminal. The Senior Director of Compliance at Bit9, Chris Strand, reminds us that although the customers are the ones facing the transaction, retailers should not get distracted from securing the back end. Distractions are all hackers are waiting for.
The more important announcement, according to the vice-president of corporate communications for VASCO, John Gunn, was when Tim Cook announced that Apple will broaden its use of two-factor authentication and encourage people to turn it on. The most powerful company in the industry endorsing two-factor authentication with a strong statement like this can only mean good news for users and bad news for cyber criminals.