Apple on Monday lauched its Apple Pay mobile payment system in the United States, for use with Apple’s latest iPhones and to a limited extent its new iPads, as well. Apple Pay allows purchasing transactions to be performed with a phone swipe — as long as a retailer has the right hardware.
Purchases within apps can be completed using only the Touch ID fingerprint reader on an iPhone 6, 6 Plus, iPad Air 2 and iPad mini 3.
“Apple Pay will be a phenomenal success,” said Trip Chowdhry, managing director for equity research at Global Equities Research.
“Not only are the credit card issuers, merchants and credit card companies behind Apple Pay, but it is the most sensible solution we’ve seen so far,” he told the E-Commerce Times. “It puts the secure element for the transaction on a chip in the device, not in the cloud, which is a fundamental problem that Google wallet has.”
That chip, also known as the “secure element,” is the reason Apple Pay works only on the latest iPhone and iPad models. They’re the only ones that contain the chip.
The secure element is where credit card information is scrambled and stored. It also produces a token for every transaction performed with the card. The token is encrypted — so if it’s intercepted by an attacker, it would be very difficult to crack — and even if it were cracked, its contents could be used only for a single purchase.
In the case of a swipe transaction with a credit card, an account number is sent in readable text to a terminal where, if the number is scraped by an attacker, it can be used countless times before it’s suspended.
Apple Pay also uses industry standard NFC — near-field communication — technology so transactions can be performed by tapping a point-of-sale terminal that supports the wireless tech.
“Apple Pay is real secure,” Revel Systems CTO Chris Ciabarra told the E-Commerce Times. “No longer can the retailer be blamed in a credit card attack, because the retailer no longer has the credit card information.
No Silver Bullet
Apple Pay addresses another possible attack vector by combining Touch ID with NFC.
“Since NFC can be activated with a tap, if someone taps your pocket with a reader, they can steal your credit card information,” Ciabarra explained. “With Apple Pay, if someone touches your pocket, nothing happens unless your finger is on Touch ID.”
As careful as Apple has been in creating a secure payment system, it remains to be seen if it can maintain that security as usage proliferates.
“It’s not a silver bullet,” said Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack Security.
“My concern is that when the system is opened up to developers and companies performing other transactions — essentially allowing the use of third-party tools — then, if not done right, they run the risk of a security hole being created,” he told the E-Commerce Times.
Initially, Touch ID was just an alternative to using a passcode to unlock an iOS device, but Apple steadily has expanded the technology’s functionality.
“Apple is popularizing and making consumers more familiar with biometrics,” Nok Nok Labs CEO Phil Dunkelberger told the E-Commerce Times.
“It’s popularizing something that, before Apple put it on its devices, had really been nascent from a use standpoint,” he added.
Pieces in Place
Apple could be poised to energize the mobile payment market.
“If you look at mobile payments in the U.S. and a lot of other countries, it has never taken off and reached a mainstream audience,” said Jack Kent, senior analyst for mobile media at IHS.
Apple Pay has an advantage over previous mobile payment schemes because Apple had important pieces in place — Passbook, Touch ID and its online stores — before launch of the payment system.
“When it introduced Apple Pay, it could tie users into things they already have, so it makes it a much easier implementation process and much easier to get users signed up,” Kent told the E-Commerce Times.
Another advantage Apple has over other mobile payment providers is that it doesn’t have to depend on mobile payments for survival.
“As long as Apple continues to sell lots of iPhones, people don’t have to use Apple Pay for it to be a successful strategy,” Kent said.
“Other players in the mobile payment business have needed to make money from the business to survive,” he explained. “For Apple, it’s all part of its overall hardware strategy. It doesn’t have to rely on making direct revenues from it.”
Apple’s FoundationDB open sources the database layer behind CloudKitJanuary 25, 2019