


Executive Editor

Experts: Don’t use Apple Pay, CurrentC until crooks get a shot at them

Nov 06, 2014 (4 mins)
Mobile Security

Despite designers’ diligence, these payment systems haven’t been tested by real-world criminals

While major retailers hem and haw about whether to use Apple Pay vs. CurrentC, security experts say those concerned about safeguarding their credit data might be wise to hold off using either of the payment systems until they’ve really been vetted for vulnerabilities.

“The bottom line is they’re about as safe as your debit card is now,” says Jason Polancich, chief architect at SurfWatch Labs, about these near-field communications (NFC) systems that let smartphones authenticate users and act as credit cards.



Because some mobile payment systems like Apple Pay are brand new – CurrentC isn’t even generally deployed yet – their security hasn’t been tested much by the concerted efforts of attackers. “The criminals haven’t had the chance to catch up yet,” Polancich says.

But that will happen, says Marc Maiffret, CTO of BeyondTrust. “Surely Apple themselves have invested a lot of energy into securing Apple Pay, but as we have seen with previous technology releases, that does not mean they will have found everything.”

He points to an earlier example of Apple putting forth a new technology – fingerprint ID — only to have it cracked soon after. “Surely Apple put some effort into securing that, but it was the security community that within a few weeks/months came to show how secure it was or not,” he says.

In the case of CurrentC, attackers have already stolen email addresses of some participants in its trial program.

But, architecturally at least, Apple Pay and other mobile payment systems seem more secure than payment cards, says Ryan Olson, director of Unit 42, the Palo Alto Networks threat intelligence team. “The existing magnetic stripe system used for most in-store payments in the U.S. is much more vulnerable to theft and duplication than either Apple Pay or Google Wallet,” he says. “As both systems use one-time identifiers for each payment and encrypt NFC communications, it’s going to be much harder for an attacker to take advantage of these transactions.”

There are plenty of places attackers will probe for weaknesses to exploit, Olson says. For example, attackers could go after the point-of-sale systems stores use to accept mobile payments in addition to the phones themselves, he says. Backend systems could also be hacked, but none of it is easy. “All three of these are more challenging to crack than the current POS systems we’ve seen in the headlines in the last year,” he says.

Attackers could go after the fingerprint readers used for authentication on iPhones, says Tom Gorup, security operations center manager at Rook Security. So if a phone is stolen, an attacker could lift prints from it to defeat the print scanner, he says. “This attack can be completed simply with a laser printer, latex and some wood glue,” he says.

Criminals will of course try standard attacks — buffer overflow, man-in-the-middle, SQL injection – to see if they will work against some elements of the systems, Gorup says.

Attackers are essentially businesspeople and will focus their efforts based on potential returns, adds Olson. “Until NFC-based systems become responsible for a large proportion of in-store payments, criminals will likely take the path of least-resistance and focus on the old technology,” he says.

Meanwhile, Polancich says there are more effective, less technical ways to keep your credit purchasing safe than fretting over cards vs. mobile payments. These include diligent monitoring of accounts and credit status, updating passwords, using complex passwords and finding out how intermediaries store and purge your credit information. “It takes a lot of work,” he says, but, “being on the ball with that can save you years of misery” that can result from having your identity stolen.

Letting these technologies mature before using them may be the way to go from a security standpoint, Maiffret says. “Some of the best advice to give to consumers in this space is simply to wait a while until the technology has been more thoroughly put under the microscope by researchers,” he says.