There’s little debate that Apple Pay is going to sharply boost mobile payment security. After all, replacing a signature or a 4-digit, shoulder-surfing-vulnerable PIN with biometric authentication is a big step in the right direction. No authentication system is perfect, but being more secure than a signature isn’t difficult. But how much more secure is Apple Pay really?
What Apple has done makes retailers far more secure, in that they will never be storing payment card data—at least not from Apple Pay shoppers.
“That’s where the wallet opens — on the device,” says Lev Lesokhin, executive vice president of CAST Software. “That makes the authentication an Apple problem, not a [retail store] problem… If [credit card numbers are] what [attackers] want, they’re going to have to go after Apple.”
Dark Reading points out that the phone is getting close to the security trifecta of something you know (the passcode), something you have (the device), and something you are (the fingerprint).
But the story asks whether cyberthieves will spoof Apple’s payment tokens, given that only a token will be needed to complete a transaction.
“instead of using malware that compromises point-of-sale systems, attackers may instead create software that can spoof a user’s whole iPhone — fingerprint included. After all, biometric scanners turn your body into a data file. An attacker doesn’t necessarily need your finger; he just needs a way to steal, then input that data,” said the Dark Reading report. “There are also questions about what happens outside the interaction between the Apple device and the PoS terminal — and the answers may vary from merchant to merchant.”