What security experts think about Apple Pay

Apple announced Apple Pay, a new category of service that works with iPhone 6 and iPhone 6 Plus through an NFC antenna design, a dedicated chip called the Secure Element, and the security and convenience of Touch ID.

Apple Pay supports credit and debit cards from the three major payment networks, American Express, MasterCard and Visa, issued by the most popular banks including Bank of America, Capital One Bank, Chase, Citi and Wells Fargo.

Below are some of the comments that Help Net Security received from the security community.

Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre

Apple Pay is nothing dramatically new. Many other solutions are already in place to support payments over NFC. However, what Apple brings to the party is their ability to popularize the use of technology through the way they make the user experience a pleasurable one.

With Apple stepping into the NFC payments game we will see a large increase in the people using it. This of course will lead to security and privacy concerns, not only in potential vulnerabilities in the technology itself and how criminals can exploit them, but also in how users may not secure their devices, and therefore their electronic wallets, properly.

The recent iCloud hack where many celebrities’ personal data were exposed highlights how far we still have to go in educating users to implement even the most basic of security measures. It also highlighted a number of concerns about Apple’s ability to protect large amounts of personal data stored on its services. Overall though I believe that Apple’s foray into this area is a welcome one and will help improve the security of not just NFC payments but perhaps the whole area of electronic payments.

Per Thorsheim, Independent Information Security Advisor, founder of PasswordsCon

This is a game changer for mobile payments, no doubt. However this could also be a game changer in so many other ways, including security.

With mobile contactless NFC payments, the traditional card skimmers will disappear. Chip + PIN attacks (re: Cambridge research, not stolen card + PIN), if they do exist in the wild, will also disappear. Contactless means fewer moving parts, higher speed to conduct transactions, maybe less onsite physical maintenance. There are many upsides to this, and I really like the privacy added to this; I won’t have to show my card details, including name, DOB and picture, to whoever serves me.

On the downside we are *really* collecting a lot of eggs in the same basket here. A financial ecosystem that – for the time being – will be very dependent on a single commercial US-based company, a technology that is still very new (but already has its documented flaws and weaknesses). We don’t know yet if country- or bank-specific payment solutions may die (like Betamax vs VHS), in favor of a less secure solution, but I would be surprised if David has any chance against Goliath in this fight.

Laws & regulations, like EU vs US, or country specific consumer rights could also affect how and where and when solutions like this will get implemented, if ever.

For you as the consumer I’m pretty sure you won’t turn NFC on and off whenever you actually need it. It will be on all the time. Until I see the entire process of performing a purchase using this solution, the receipt I get etc., I will still be skeptical. Norwegian banks currently say NFC payments are just a few weeks away (for Android…), but the transaction limit will be NOK 200 (approx. USD 35). There’s a reason for that; it’s called risk analysis. The Financial Supervisory Authority of Norway expressed concerns about the growth of mobile banking & payments a year ago. I just assume they will be even more concerned now.

Anthony Duffy, Director, Retail Banking, Fujitsu UK & Ireland

With the launch of the iPhone 6 and its payment capability, Apple has once again sent out a challenge to the industry – and this time it has the payments market in its sights. This sector, already undergoing massive evolution as Internet and mobile payments take hold and new providers target perceived opportunities, will be revolutionized if Apple’s mobile wallet grabs the public attention.

At a time when many in the market are moving towards biometrics for payments, Apple’s decision to go for NFC – a technology that up until now has struggled to clearly stamp its mark on the payments industry – is a bold one. While Apple’s implementation will undoubtedly help NFC recapture interest, the industry needs to keep working towards the adoption of more advanced payment technologies – such as biometrics – which will enable retailers and payment companies to provide a more secure service for their customers.

Mark Bower, VP Product Management, Voltage Security

With this announcement, Apple validates the data-centric security model and shines a spotlight on the need for the payment world to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data – tokenized payments.

Through the use of this data-centric security strategy, Apple Pay reduces the risk of data breaches and credit card theft where it is supported. However, the world today is still in an early adoption phase with regard to new payment methods and mobile wallets, and retailers still have to contend with EMV and mag-stripe data and advanced threats.

The good news is that even with innovation like Apple Pay, mixed payment environments can be secured end-to-end from the point of card read to the secure payment host, enabling merchants to accept new and old payments protected under a powerful unified data protection framework to thwart advanced threats, all the while ensuring a seamless customer experience.