Apple Pay went live this week. And while there has been much talk about how it might disrupt the payment system, and how easy it will be to use, security is once again being overlooked in the urgency for speed and convenience above all else.
First, there’s the obvious concern about losing your phone. Americans lose their phones once every 3.5 seconds. Apple Pay overnight raises the value of a lost iPhone, creating greater incentive for theft. We view this concern as similar to the concern over losing your credit card, but with the added risk that the thief now also could have access to your email address and your method of two-factor authentication for many services, making it easier to not only commit simple fraud but also to more completely impersonate the victim. While you do have the option of using “find my phone” and shutting it down, this is not always instantaneous.
Second, and probably the bigger concern, is that the authentication mechanisms for validating cards is unclear. Apple seemed to have focused on security payment mechanisms such as tokenization and fingerprint (which we believe are solid steps). But payment can only be as secure as the authentication, which starts with registering cards to an account as well as granting access to a particular account.
Apple has not yet disclosed how they will authenticate cards before allowing their use. Without the proper authentication mechanisms, Apple may have just made it far easier for criminals to counterfeit credit cards for the black market. Now you don’t need a physical card to make a purchase in person. You can simply take a picture of numbers superimposed (or photoshopped) on a card and run with it.
And third, users add credit cards to their iPhones by taking pictures of them. As Jennifer Lawrence and others can attest to, Apple’s ability to securely store and transmit those photos remains in question. Depending on how they are being stored and transmitted, it would not be surprising to see malware developed around this mechanism.
False sense of security – likely less fraud initially
We predict that banks and financial institutions are likely to see less fraud initially, providing a false sense of security. This is because hackers need time to do their research on the system, to uncover vulnerabilities, and then to write code to exploit those vulnerabilities in the most undetectable way possible. There is a learning curve for everybody – merchant, consumer and hacker. With such an attractive, potentially lucrative target at stake, it is only a matter of time before these systems are found to be vulnerable. The question is, who will find the vulnerability first, and how serious will that vulnerability be?
We recommend that both individuals and financial services firms continue to adopt a multilayered security strategy. For individuals, this means enabling as many security mechanisms as the vendor provides. For financial services firms, this includes continued monitoring of black-market and card-not-present transactions. We predict that banks will also start paying more attention to “device health”, as visibility into the status of a device, potentially malicious apps running on it, etc. is going to be more important going forward.
While we don’t see most consumers throwing away their wallets yet (only 1% of retailers support it today, and you can only leverage it on an iPhone 6), we do believe financial institutions should be thinking about steps to protect themselves and their customers from the new fraud schemes that are sure to emerge.
By Damien Hugoo, Product Manager, Easy Solutions
About Easy Solutions
Easy Solutions a security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our products range from fraud intelligence and secure browsing to multi-factor authentication and transaction anomaly detection, offering a one-stop shop for end-to-end fraud protection. The online activities of over 60 million customers at 220 leading financial services companies, security firms, retailers, airlines and other entities in the US and abroad are protected by Easy Solutions Total Fraud Protection® platform.