Apple Pay’s Security Leaves Hackers Looking for New Attack Strategies
Apple Pay launched in the United States last year and in the UK yesterday. The mobile payments service has yet to be successfully attacked by a malicious entity.
Business Insider talked to security firm FireEye’s CTO Grady Summers about this, and he says that there are three key reasons for Apple’s success.
1. Apple Pay doesn’t store its user’s card information.
2. Apple Pay encrypts data being sent during transactions.
3. Apple Pay lets users protect payments using their iPhone’s Touch ID fingerprint scanner.
The first two reasons stop hackers from recycling any old tricks that they’ve used in the past to steal credit card information from PoS systems in retail stores. In a statement, he explained:
“Apple Pay is unique in that the user’s credit card number itself is never transmitted in an Apple Pay transaction. Rather than sending credit card information, a phone using Apple Pay will send a unique code for the device, along with an ID for the transaction itself. With no card data being stored, the techniques that attackers have traditionally used to steal credit cards from merchants will no longer be effective.”
Apple’s use of Touch ID makes it even more challenging for hackers, because even if they have physical access to the device, there is still a layer of security blocking them from accessing any sensitive information. Summers said that in order to beat Apple Pay’s security, hackers will have to create new attack strategies.
“The unique codes that Apple Pay sends can only be used once — so even if an attacker were to steal it, they couldn’t do anything else with it. Think of it as providing a ticket for a movie or concert — when you hand your ticket to the usher it is usually ripped in half, making it a ‘one time ticket’ vs credit card numbers that can be reused again.”
However, he believes that hackers aren’t likely to target Apple Pay in the near future. The upfront cost required to target Apple Pay will put off most hackers.
“The key question is whether attackers will bother. Our experience shows that attackers will take the path of least resistance. As long as there are merchants who still accept legacy payment methods, I’d expect the attacks to focus on these merchants.
Return on Investment (RoI) is key to whether they [hackers] will carry out an attack on Apple Pay because there is no point in spending time trying to break the system or stealing credit card details if the effort is not covered by the pay-out.”
Apple’s investment into Apple Pay’s security and the Touch ID sensor seem to have paid off for the company.