Is Apple Pay safe? Are there any known security issues?

This week's release of iOS 8.1 also brought the launch of Apple Pay, a new NFC payment system that allows users to make purchases in stores, online and through apps with just the press of a finger on the Touch ID. While many users are excited about the ease of payment now available on iPhone 6 and above running iOS 8.1, some within the security community have reservations. After all, with the introduction of Apple Pay, users can now easily authorize large purchases amounting to hundreds or even thousands of dollars with a simple touch.
Are there negative implications for such powerful authorization ability? What are the weaknesses in such a system, and how might they be exploited by ne'er-do-wells?
In a presentation at HITB Malaysia 2014, Marc Rogers, long-time threat intelligence expert and current Principal Security Researcher at Lookout Mobile Security, expounded upon the possible security issues that could arise with the integration of Apple Pay and the Touch ID, while offering possible solutions for making the system more secure.
To begin with, Apple Pay is, for all intents and purposes, pretty secure. Short of someone stealing your fingerprint and making a mold of it to hack into your device or manipulating your finger while you are asleep, there’s not much chance that your fingerprint will be used against you by the everyday crook on the street. Only through a targeted attack -- like a stalker who might take your fingerprint and create a mold of it, or police authorities that might require you by duress to “thumb” in to your device -- would the security of your Touch ID be compromised. Therefore, you are reasonably safe from the common thief when it comes to using Touch ID to secure your device.
When it comes to using Touch ID as a method of authorizing payment in Apple Pay, however, problems can arise, says Rogers.
“TouchID is secure enough for things like keeping casual intruders out of your phone or foiling phone thieves, but it faces a whole different set of challenges when it comes to payments, because, while it can show the presence of the owner, it doesn’t tell you what their intent was," he said. "It doesn’t tell you whether that fingerprint was used to unlock the phone or if they were doing it to make a payment. And it doesn’t tell you if they were being forced to do it. Those things have to be taken into account when you look into the different risk factors for different types of transactions.”
Rogers explained that there are still too many unknowns regarding Apple Pay's use of Touch ID.
“Apple Pay is going to use Touch ID to authorize transactions. And we don’t know exactly what this is going to look like yet, but we suspect it’s going to be something like the process for the merchant store where on the very first purchase you have to enter your code, but then once you’ve done that you go into a window asking to authorize a payment with just the touch of your finger," he said. "That’s fine, however, that security is not adequate for anything other than low dollar transactions because, honestly, it isn’t all that hard for me to intercept somebody and force them to touch their phone.”
“Using the same process for unlocking one’s phone to authorize payments, to close windows or to go to the homescreen is a bad idea,” Rogers added. “You want different processes for some of these things – or at least different fingers.”
Rogers then went on to share a scenario that could easily become a way for toll fraud attackers to force users to authorize payments without being aware that they were doing it.
“Consider this scenario. Say you authorize a transaction for $500, and then up pops a really annoying screen -- maybe some kind of advert with pornography or other annoying content. What are you going to do as soon as that pops up? You’re gonna press with your finger or thumb to make it go away. Well, that’s exactly the same process you used to authorize a payment. So if you do the two at the same time, you’ll make the annoying advert go away but you might also be authorizing another payment.”
“When someone attempts to make a premium SMS charge … processing the transaction can take up to 30 days … but when you pay with a credit card, that payment is almost instantaneous and the only recourse is a retroactive charge back. That’s bad,” says Rogers. “That means we now have a quick fraud method which can be used for much larger sums of money.”
In sharing the possible risks that could occur with the use of Touch ID for authorizing Apple Pay transactions, Rogers also offered some solutions Apple could implement to make the payment system more secure.
“We have the opportunity to make these things more secure … now that we’re moving from the credit cards to the thumb, it seems like we’re bringing in a bunch of potential issues. But there are ways Apple can address this. I would like to see user-configured time outs so as to solve the problem of me using my sleeping spouse’s fingerprint. I would like to see her have the ability to set a time-out of say two hours or 30 minutes or when the “do not disturb” icon is on so that it will disable the Touch ID and force the entry of a pincode. At that point, nobody can passably use your finger on the Touch ID. It would take the police more than 30 minutes to create a fake fingerprint to use against your phone."
As for potential in-app purchase issues, Rogers offered this solution.
“For any payment over $50, you should be asked to enter a 4-digit pin as well as touching your finger. Of course it’s not completely foolproof, but it’s a step in the right direction,” said Rogers.
To view the slides from Rogers' presentation, called “Giving Apple Pay The Finger”, click here.