Laura Banks
1
All posts from Laura Banks
Laura Banks in Markets and everything in & between!,

Will Apple Pay keep you safer from fraud?

Apple wants its new tap-to-pay mobile wallet to replace the credit card swipe. As merchants face an epidemic of data breaches, consumers are left wondering: Will Apple Pay be any safer?

The answer: Maybe. Apple Pay launches in October and is set to work in 220,000 store locations, and the Cupertino, Calif.-based company has partnered with the top bank issuers that represent 83% of U.S. payments. It removes many of the risks associated with traditional payment systems, but could open up smartphone users to new threats.

To make payments with an iPhone 6, users will have to go through fingerprint verification to gain access. Apple AAPL, +2.14% says it will not store credit and debit card information on its servers. Each device will be assigned its own code, and when people want to buy things, they will also use a one-time security code.

The immediate benefit to Apple Pay is that it eliminates the issue of easily counterfeited magnetic stripe credit cards, which were already on their way out. Merchants won’t see card numbers either, and the fingerprint requirement means a crook can’t go on a shopping spree with a stolen iPhone, and lost devices can be reported as such. (It is unclear how people will prove their identities while making purchases using iWatches, though the wristbands will also have biometric capabilities.)

Those precautions are key to Apple’s pitch to build confidence in Apple Pay, particularly after celebrities’ nude photos were hacked from iCloud just days before the product launch. But there are still security questions that have yet to be answered.

Apple says users will add credit cards to their iPhones by taking pictures of them. How the company will securely store and transmit those photos remains to be seen, as well as whether they will be backed up to iCloud, which just made headlines for the celebrity nudes leak.

“Can we break into how they’re being stored? Is the transmission secure?” says Chris Carlis, security consultant at the Chicago-based firm Trustwave. “Malware of the future, that’s going to be looking for these images either being stored or created.”

“How do we know it’s being deleted? That’s not an Apple thing. That’s anyone,” says David Schwartzberg, a senior security engineer at Mobileiron, a Mountainview, Calif.-based mobile security platform.

Because iPhones won’t store card data and will instead provide transaction-specific security codes, the issue of malware on a merchant’s point-of-sale system becomes moot. Point-of-sale malware is a typical culprit behind data breaches, like those at Target TGT, +2.07% (which is among the Apple Pay partners) and Home Depot HD, +1.78% .

And a breach could still happen elsewhere in the payments chain. In 2008, Heartland Payment Systems suffered a breach exposing a reported 130 million U.S. debit and credit cards.

The mobile payment system will also use near-field communication, or short-range radio waves that allow devices to communicate wirelessly. It’s a rapidly growing technology — shipments of NFC-enabled phones will rise fourfold from 2013 to 1.2 billion devices worldwide in 2018, according to the research firm IHS — but also one that security researchers have found to have holes that criminals can use to infect and take control of smartphones. 

“This is a really good step forward but we still need to be cautious because of what we know of the risks behind mobile devices,” Schwartzberg says. “When you start to put money into the phone, you need to treat it like a real wallet. Any type of payment processing system has got to be treated like it’s gold.”

By

PRIYA ANAND

CONSUMER FRAUD REPORTER