Hackers always enjoy a product launch, and for good reason. Come the public release of any new smartphone, app, or service, hackers are given a new challenge and toy to play with, and will race to be the first group or lone wolf to crack its defences.
Jailbreaking is a popular practice that lets hackers remove the controls Apple builds into its products to stop people taking certain actions — like downloading applications from third-party stores.
As a result, it was no surprise that in the run-up to the release of Apple Pay, a contactless payment service, everyone from Hacker News to The Guardian warned that hackers would find ways to exploit the service.
Yet, come the release of Apple Pay in the UK on July 14, the doomsaying didn’t ring true, and we have yet to hear of a successful scam or proof-of-concept attack targeting the platform.
According to security firm FireEye’s CTO Grady Summers, there are three key reasons for this.
- First, Apple Pay doesn’t store its users’ card information.
- Second, it encrypts the data sent during transactions.
- Third, it lets users protect payments using their iPhone’s Touch ID fingerprint scanner.
Summers told Business Insider that the first two hurdles stop hackers recycling the old tricks they use to steal card payment details from point-of-sale (PoS) terminals in stores.
“Apple Pay is unique in that the user’s credit card number itself is never transmitted in an Apple Pay transaction,” he explained.
“Rather than sending credit card information, a phone using Apple Pay will send a unique code for the device, along with an ID for the transaction itself. With no card data being stored, the techniques that attackers have traditionally used to steal credit cards from merchants will no longer be effective.”
Targeting PoS terminals is a common money-making tactic within the hacker community. PoS attacks have resulted in some of the worst data breaches in recent memory.
Summers said the Touch ID scanner adds a further layer of complexity, so that hackers cannot bypass Apple Pay’s defences even if they have physical access to the victim’s iPhone.
“Apple’s use of fingerprint authentication adds another layer — a thief can’t use a stolen PIN with your card; they’d need to somehow steal your fingerprint, which is difficult to do though not impossible,” he said.
Touch ID is a feature that debuted on the iPhone 5S. It lets users set their iPhone to unlock, or to approve certain actions such as Apple Pay payments, only after they have proved their identity with a fingerprint.
Hackers need new tech to beat Apple Pay
Looking to the future, Summers said that to beat Apple Pay’s security, hackers will have to create new attack technologies.
“Theoretically, an attacker could mount an antenna near the point-of-sale device at the merchant, and steal the data that is passed. There’s not a way to do this today, due to the encryption between the device and the terminal,” he told Business Insider.
“[On top of this] the unique codes that Apple Pay sends can only be used once — so even if an attacker were to steal it, they couldn’t do anything else with it. Think of it as providing a ticket for a movie or concert — when you hand your ticket to the usher it is usually ripped in half, making it a ‘one time ticket’ vs credit card numbers that can be reused again.”
The FireEye CTO added that these difficulties make it unlikely hackers will bother targeting Apple Pay in the foreseeable future.
“The key question is whether attackers will bother. Our experience shows that attackers will take the path of least resistance. As long as there are merchants who still accept legacy payment methods, I’d expect the attacks to focus on these merchants,” he said.
Summers is far from alone in his belief that it will be quite a while before hackers bother targeting Apple Pay. Blue Coat Systems director Robert Arandjelovic mirrored Summers’ sentiment, arguing that the upfront cost required to target Apple Pay will put off most hacker groups.
“Return on Investment (RoI) is key to whether they [hackers] will carry out an attack on Apple Pay because there is no point in spending time trying to break the system or stealing credit card details if the effort is not covered by the pay-out,” he told Business Insider.