Security News

Leave your credit cards at home; Apple Pay lets you buy things with your phone

Deborah Salmi, 11 September 2014

Leave your credit cards at home; Apple Pay lets you buy things with your phone

source: CNET.com

In the wake of the Target, and now Home Depot, security breaches, Apple Pay wants to provide a safer way to make a purchase.

Nestled in-between this week’s announcements of the iPhone 6 and the Apple Watch, Apple CEO Tim Cook announced a new mobile payment system called Apple Pay. New iPhone and Apple Watch owners can leave their credit and debit cards at home because the devices come with a chip that lets them tap-to-pay at major retailers.

When you are in one of 220,000 participating stores, like McDonald’s, Walgreens, Disney, or Macy’s, you use the magic of near-field communication (NFC) to hold your phone by a terminal to pay. It also requires that you place your finger over a sensor to verify your fingerprint. The Apple Watch works the same way, without the added security of the fingerprint, and syncs to your iPhone 5, iPhone 5c, and iPhone 5s. The payment system will work with American Express, Mastercard, and Visa.

Sounds pretty good. But, Google Wallet, PayPal and other NFC systems have failed to really take off; will Apple give us a better way? I asked mobile malware analyst Filip Chytrý to share his thoughts about the security of Apple Pay.

Deborah: From a security perspective, what do you think about Apple Pay?

Filip: I have some concerns. Communications between your device or watch is through Bluetooth, and we have already seen many incidences of intercepted communication between two devices using a man-in-the-middle attack. Generally, anytime you use a pay system there is communication between the phone or watch over Bluetooth. This communication works over a much longer distance than NFC, so payment interception would be easier.

Deborah: I understand the convenience of paying with Apple Pay, but how is this more secure than paying with a credit card?

Filip: Apple says, that “Each transaction is authorized with a one-time unique number, and instead of using the security code from the back of your card, Apple Pay creates a “dynamic security code” to securely validate each transaction.“ It really depends on the type of encryption which is used, but I have to admit this sounds pretty cool, but who knows how long it's going to take to decrypt this system.

Deborah: It has to be better than the magnetic stripe cards that are still widely used in the USA. Credit card companies have given their customers until 2015 to make the transition to EMV cards using smartchip technology. These cards are supposed to help increase security and reduce fraud. Isn't that good enough?

Filip: Generally, Apple Pay sounds like it is better secured than the current magnetic stripe cards. NFC payments are just tags which can be easily copied, but magnetic stripes are even worse. A PIN number adds an extra layer which is good, but Apple Pay might provide an even better way in future.

Deborah: Other than the basic security concerns, what happens when your phone battery dies (this will happen to me when I am on a deserted rural highway and need to fill up with gas) or you spill your coffee on it before you can pay, or you break your finger and it’s in a cast?

Filip: Those are real world problems that can't be solved by Apple. ;) But you're an Android user, right? Didn't you have a Nexus 4?

Deborah: Yes, I did. Until I accidentally went in the swimming pool with it. :(

Filip: Not even avast! Mobile Security can protect you from that! But still, you will find this hilarious.

Read more about Apple Pay.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.