Can the iPhone 6 and Apple Pay Fix Online Credit Card Fraud and Data Breaches?

Here at ThatChuckWilliams.com, I've written several times about data security and online credit card fraud:

Last week, one of my credit cards needed to be cancelled and reissued because several thousand dollars of fraudulent purchases were made in Central America at the exact same time that I was leaving a trail of daily purchases (coffee, lunch, etc.) in London, where my wife and I are fortunate to be spending some time with family.

So, I was professionally and personally interested in Apple's announcement of its new Apple Pay mobile payments system. We'll see what happens in practice, but at this point I'm convinced that this will be a major step forward. Here's why:

  • Quicker transactions - Put your thumb on the TouchID device (the fingerprint reader built into the iPhone 6) and place your iPhone next to a Near Field Communication (NFC) device. The transaction happens without opening an App and your phone vibrates to indicate the purchase was made. This also works in Apps when you're shopping online.
  • TouchID = 2 Factor Authentication - Two factor authentication provides more security because it requires two methods of authenticating that you’re you. First, it requires something you know, such as a password or PIN number. Second, it requires additional information that can only be obtained from something in your possession, thus thwarting hackers. Usually, the second piece of information is a code texted to your phone or obtained from something like Google’s Authenticator App that generates random codes, good for 60 seconds. You can set up various accounts (i.e., gmail, twitter, etc.) to use Authenticator. Again, because these codes can only be obtained from your phone which is in your possession, it’s very difficult to hack two factor authenticated accounts. With Apple Pay, TouchID serves as the unique in-your-possession identifier because it authenticates your fingerprints everytime you make a purchase. And since your TouchID fingerprint information is also not stored online, that, too, is difficult to hack.
  • Your credit card number and personal information are never shared during a transaction - Each credit card stored on your iPhone 6 is assigned what Apple calls a unique Device Account Number (DAN) encrypted in a “Secure Element” chip, which is separate from the main A8 processor that runs apps and data. You know your credit card information. Your bank does. But Apple and anyone else you pay with Apple’s mobile pay system won’t. Apple and retailers will only see the DAN and a transaction specific dynamic security code.
  • Transaction Specific Dynamic Security Codes - Ok, so what’s this? Well, besides the DAN which stands in for your credit card number (if the DAN is swiped, it won’t do hackers any good), each transaction is accompanied by what Apple calls a transaction specific dynamic security code.
    • Transaction specific means that it’s only used once. Dynamic means that it’s different each time. So the code used to buy your latte in the morning will be different than the code used when you buy your sandwich at lunch. (This is also called tokenization. It’s not new. But Apple is using tokenization in newer, more secure ways.)
    • The security code, as best as I can tell, is encrypted, and, like the codes in two-factor authentication, are only good for a short time, say, 60 seconds. So, really, between TouchID and the transaction specific dynamic security code, Apple is using two factor authentication twice for each transaction.
  • No Need to Store Your Personal Information Online Because it’s such a hassle to enter personal and credit card information each time we purchase something online, most of us store that information with our most frequently used retailers. But with a DAN representing your credit card number, you no longer need to store your credit card and personal information online. And, since Apple doesn’t have that information either, hackers can’t break into retailers’ servers or Apple’s to steal your information.
  • Apple doesn’t know (or care) what you’re buying - Unlike Google Wallet, Apple Pay does NOT track what you’re buying. Your phone and the DAN, the NFC scanner at the retailer, and your bank are involved with each transaction. Apple is not. In what can only be interpreted as a dig at Google, Apple CEO Tim Cook said, “Our business is not based on having information about you. You’re not our product. I think everyone has to ask, how do companies make their money? Follow the money. And if they’re making money mainly by collecting gobs of personal data, I think you have a right to be worried.” Apple’s emphasis on data privacy is one of the reasons that I left the PC world 3 years ago. It’s why everything I have, save for my networked attached storage device, is made by Apple.

What are the weak links?

  • Your bank - Well, if there is one, it’s probably at your bank where your DAN and your credit card are paired together. So Hackers would have to get into a bank’s systems - which they’ve done before - to get this information. Hackers could still use your credit card and personal information outside of the Apple Pay environment, so activate account alerts to report your credit card activity. Mine is set up to send a text everytime my credit card is charged. This is nearly instanteous, even when I’m travelling abroad.
  • Stolen or lost phones - Apple’s TouchID is pretty secure, but has reportedly been hacked with fake fingerprints. This is not an easy hack and is probably a small risk. That is, unless, someone cuts off your finger when they steal your phone! But, if you’ve got two factor authentication turned on, you can wipe the phone remotely, rendering it useless.

If you want to dig further into the details, I recommend these articles: