Apple Pay Security—a Token or for Real?

As usual, Apple created a good deal of hype around its new product rollout, this time the iPhone 6, with its proposed Apple Pay system drawing the most attention. Apple Pay offers much improved convenience at the checkout counter, though its claimed applicability to phone call orders and interoperability with other methods of payment have not yet been publicly explained. Those issues notwithstanding, Apple Pay could be a major step forward in the technology of retail banking transactions.

The main claim and the main attraction of the Apple Pay system is its security. Characteristically, and perfectly understandably, Apple was a little short on describing the security functionality. The particulars of these security arrangements are probably the most important aspect of the whole iPhone 6 exercise, and a lot of cybersecurity experts are waiting for the details to render a real judgment on the system.

Given its historical record, Apple is unlikely to disclose the Apple Pay algorithm, though that’s not really justified by any security consideration. Only the implementation details of cybersecurity systems should be secret, for both security and competitive proprietary reasons. But the underlying algorithm should be published and analyzed, as is usually done for most crypto systems. In the evaluation of cybersecurity systems it’s always assumed that the algorithm is known to the attackers.

But we’ll know the Apple Pay algorithm anyway as soon as the system is available in the real world. The algorithm can be determined with a couple of simple experiments at the point of sale (POS). If the algorithm provides for a full change of cyber identity for the buyer and the purchase card with every transaction, it would be extremely difficult, if not practically impossible, to defeat. If, however, Apple Pay turns out to be just another run-of-the-mill token system, it would be only a marginal improvement over existing systems, protecting only the point of sale. Such a system can be hacked in several different ways, perhaps through Apple servers, which has proven to be a task of only moderate difficulty for a competent hacker.

So, we need to wait and see what system Apple came up with – the major breakthrough they claim, or just a marginal step forward.