A Comprehensive Outline of the Security Behind Apple Pay

[MacRumors]

Apple has described its new Apple Pay payments service, which is designed to be the first step towards the company's goal of replacing the wallet, as "easy, secure, and private." Apple Pay includes several different features that offer customers much greater security than a traditional credit card, including Device Account Numbers that replace credit card numbers, dynamic security codes for each transaction, and biometric payment verification through the use of Touch ID.

Ahead of the release of Apple Pay, TUAW's Yoni Heisler has taken an in-depth look at the security features built into the payments service, outlining the ways Apple is safeguarding customer information.

While Apple Pay is built on existing NFC technology, Heisler's research suggests it is the first implementation of the EMVCo tokenization specification, a newly introduced security framework designed to cover emerging payment methods. According to former credit card executive Tom Noyes, this specification is "the most secure payments scheme on the planet."

As previously rumored, Apple Pay utilizes a "token," which the company refers to as a Device Account Number, to replace a user's existing credit card number on the iPhone. A randomized 16-digit number, the Device Account Number ensures that no merchant is able to obtain a user's credit card number, protecting consumers from retail security breaches, as TUAW points out, because tokens are randomized numbers that cannot be decrypted back into a credit card number.

Device Account Numbers, or tokens, are paired with a dynamically generated one-time use code that replaces the credit card's CCV with every transaction.

Providing an additional layer of security, an Apple Pay-equipped iPhone at the time of each transaction also sends a dynamically generated CVV up the chain along with a cryptogram. The CVV is the three-digit string located on the back of your credit card and, in the case of Apple Pay, is a algorithmically-generated dynamic string that's tied directly to the token. The cryptogram itself "uniquely identifies the device" that created the token and, according to the EMV Payment Spec, is likely composed of encrypted data sourced from the token, the device itself, and transaction data. Note, though, that the precise components of the Apple Pay cryptogram aren't publicly known.

As noted by Heisler, a Device Account Number can't be used in a transaction without an accompanying one-time use cryptogram, which verifies that the "token in transit originated from the device being used." Cryptograms also carry transaction information like the merchant's identity and the amount of money being charged.

The transaction comprising the Device Account Number and accompanying cryptogram is further verified through the use of Touch ID, which essentially replaces insecure verification methods like passwords and PINs.

According to a credit card executive who spoke to TUAW, token transactions as implemented by Apple "are a new and much higher standard of security for electronic payments."

The amount of security built into provisioning tokens and supporting transactions is a new standard that I think will definitely shift fraud patterns going forward.

Apple Pay is expected to go live in October, enabled through an update to iOS 8. Hints of Apple Pay have already been found in the iOS 8.1 beta, which was seeded to developers on Monday. TUAW's full look at the security behind Apple Pay, which covers tokens, Touch ID, and more, is well worth a read.

Article Link: A Comprehensive Outline of the Security Behind Apple Pay

 

[gri]

A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

 

[A MacBook lover]

Apple pay will be the best thing since 8.0.2

 

[taptic]

Apple: setting the example of security and privacy for Google and the NSA since forever.

 

[GeneralChang]

Security is good, and this sounds like good security. I'm still a little bummed that you have to buy a 6 to use it.

 

[infiniteentropy]

Security is good, and this sounds like good security. I'm still a little bummed that you have to buy a 6 to use it.

Or you can buy an Apple Watch

 

[Komrad808]

The beginning of a "Cashless Society" is approaching.

 

[GeneralChang]

A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

You mean that convoluted system that required a perfect copy of the persons fingerprint and something like four hours of fabrication? I wouldn't really call that "hacked." By the time they got a dummy fingerprint made up, I'd have realized my phone was missing and locked it via iCloud.

 

[TouchMint.com]

/confused... But I think that's a good thing haha

 

[taptic]

A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

The chances of their being a psycho that starts shooting people in public are probably higher than a psyhco chopping peoples fingers off to shop with at CVS.

And no, people replicated someones fingerprint, but they need to have the original and a lot of time and patience. It's not much of a hack really...

 

[vpndev]

Gw

And for all the Google Wallet fans out there, tokenization is a key differentiator between Apple Pay and Google Wallet.

So please lay off the comments saying that you've been using this for years. You haven't.

However I don't expect that Google will dawdle with incorporation of tokenization (which is an EMV standard - by no means exclusive to Apple). A decent fingerprint reader might take longer.

 

[jav6454]

People thinking this will get rid of cash are delusional (that or drink too much Apple Kool-Aide). Apple Pay is just a convenience, not a currency replacer.

 

[SchneiderMan]

I feel safer already.

 

[DudeDad]

A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

Yes, but it requires a near perfect print, and a lot of work to make the "finger" to be scanned. By that time, a prudent iPhone owner has wiped the phone remotely.

Then again....

 

[GeneralChang]

Or you can buy an Apple Watch

I've been wondering about that. Do we know if it'll work on the Watch if you don't have it tied to a 6? I know the watch has NFC built in, but I thought there was a component of the security system that had to be on the phone.

Or is this just another utilization of the 5s "secure enclave" for fingerprint storage? Because I've got a 5s and I'll tell you what, if that combination will work with Apple Pay, that alone will sell me the watch.

 

[Exhale]

And for all the Google Wallet fans out there, tokenization is a key differentiator between Apple Pay and Google Wallet.

Sorry, Tokenisation is already standard practice outside the US - its one of the definition features of Chip cards.

 

[Diode]

People thinking this will get rid of cash are delusional (that or drink too much Apple Kool-Aide). Apple Pay is just a convenience, not a currency replacer.

Replacing cash - no - replacing carrying your credit cards - hopefully.

 

[vpndev]

No

A matter of time until someone's finger is hacked off? And, didn't they already hack the touch-ID system?

As a practical matter, NO. There is laboratory-style exploit but it is not practical in the real world, as the researcher freely admits. The first issue is that it takes quite a bit of time and a lot of specialized equipment. But we must assume that at least dome of the bad guys have that.

The bigger issue is that you have only FIVE tries to get it right. And he admits that it's unrealistic to get it right within five.

So -
theory: 1
practice: 0

 

[Bahroo]

Like I was saying all along(not necessarily on here lol). Apple is going to revolutionize mobile payment, late to the party, but IS the party, I kept telling everyone they are going to use the best and most advanced tokenization technology around, with other security layers on top of that, this is actually trans formative to and for the industry.

 

[mrjr101]

Security is good, and this sounds like good security. I'm still a little bummed that you have to buy a 6 to use it.

3 letters why you have to: NFC.

 

[Daveoc64]

Apple: setting the example of security and privacy for Google and the NSA since forever.

Sorry, Tokenisation is already standard practice outside the US - its one of the definition features of Chip cards. Similarily, Google Wallet doesn't grant the merchant access to your CC number either.

Exactly! No portion of this is particularly "new", nor does it offer end users any real security benefits.

If you have a non-US issued contactless credit/debit card you have very similar technology in your wallet already.

 

[Sasparilla]

Sounds impressive, but I'll let this coming release get out and "live" for a while before I apply and use the ApplePay part...

Apple's software QA lately has not been confidence building (which they really need for this).

 

[infiniteentropy]

I've been wondering about that. Do we know if it'll work on the Watch if you don't have it tied to a 6? I know the watch has NFC built in, but I thought there was a component of the security system that had to be on the phone.

Or is this just another utilization of the 5s "secure enclave" for fingerprint storage? Because I've got a 5s and I'll tell you what, if that combination will work with Apple Pay, that alone will sell me the watch.

As far as I can tell from reading a ton about it - I was going to just buy a Watch in order to do Apple Pay and not the 6 Plus but then I caved - it is indeed the case that an Apple Watch plus a 5S will enable Apple Pay, which implies that the Apple Watch has an NFC chip in it as well.

 

[GeneralChang]

People thinking this will get rid of cash are delusional (that or drink too much Apple Kool-Aide). Apple Pay is just a convenience, not a currency replacer.

I don't think anybody is saying this will replace currency. I mean, they're not trying to get people to use Apple Bucks, or something stupid like that.

For me, however, there's a good chance it'll replace my credit cards. And while you're right, that's just a convenience thing, I don't carry cash. So that would replace my wallet. So Apple's claim is pretty on the nose for my personal use case.

Now if I could just get it to replace my drivers license.

 

[ptb42]

Let's get this out of the way now...

No, a merchant doesn't have to sign up for pay. All of this is done on the back-end, by the credit card processing networks and the card-issuing banks.

If a merchant supports contactless card payments (PayWave, ExpressPay, PayPass), they can accept payments from your iPhone 6.

Merchants have to replace their point-of-sale terminals before 10/2015 anyway, if they haven't already done so. If their terminal doesn't accept EMV chip cards, the merchant will assume liability for fraudulent transactions.

The only determining factor is whether a merchant chooses to spend a bit extra money to add the NFC option to their point-of-sale terminal.

I'm tired of all the people complaining about "deficiencies" in pay, when they clearly don't even know how it is being implemented. Go read the referenced article, if you don't yet get it.