10 Reasons Why Apple Pay Beats Google Wallet On Security
Apple Pay Pushes Payment Security Forward If Adopted, Trusted
Apple Pay, the new payment service Apple recently unveiled, is being heralded by some security experts as a positive step forward in eliminating plastic and reducing fraud. While it is no silver bullet, it can make mobile payments more secure for users of iPhone 6 and iPhone 6 Plus if it is widely adopted, said Kevin Grieve, a payment industry veteran and partner at consulting firm Strategy&. He leads the firm’s payments business.
Apple's mobile payment implementation eliminates the credit card number altogether and instead assigns a unique number to the device enabling payment to take place using a method associated with the user's account. Google Wallet, by contrast, stores the user data on the mobile device and transmits the cardholder data via near field communications to the merchant, a security risk, say experts. Here are 10 reasons why it pushes the envelope.
1. Tokenization
Apple replaces the 16-digit credit card number and other data associated with the magnetic stripe on standard credit cards by using tokenization. Apple generates a one-time-use token with every transaction. The token is created in a way that makes it impossible for an attacker to reverse. However, it isn't foolproof, security experts say. An attacker could theoretically gain access to a token system that processes the transactions to glean some information. Still, tokenization removes point-of-sale system fraud (think of the Target and Home Depot breaches) by eliminating the credit card from the merchant's systems altogether.
2. Secure Element
Apple is using a process that assigns a unique Device Account Number for each credit card that is added using its Passbook application. The unique number is encrypted and stored on a dedicated chip, called the Secure Element, in the iPhone 6, iPhone 6 Plus and Apple Watch. Apple pledges that card numbers will never be stored on Apple servers and, as an extra privacy measure, individual transactions will also not be viewed or logged by Apple. The credit card numbers never reach merchant systems either, Apple said. The unique device token is coupled with a dynamic security code to process the transaction properly. The randomly generated number would be useless to credit card thieves without a variety of other information about the user, according to Apple. Security experts say this could increase the risk of Apple device theft. Other mobile security experts tell CRN the new payment method may fuel account hijacking attempts against Apple cloud services.
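The token-plus-dynamic-code idea from sections 1 and 2, as an added example that is not Apple's code or protocol: a simplified model in which a random Device Account Number stands in for the card number and each payment carries a per-transaction code. The names TokenService, Device and dynamic_code, the HMAC construction and the counter are assumptions made for illustration; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def dynamic_code(key, dan, ctr, amount_cents):
    # Assumed construction: a MAC over token, transaction counter and amount
    msg = f"{dan}|{ctr}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenService:
    """Hypothetical issuer-side vault; the only place the real card number lives."""
    def __init__(self):
        self._vault = {}

    def provision(self, pan):
        # The Device Account Number is random, not derived from the card number
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[dan] = {"pan": pan, "key": key, "last_ctr": 0}
        return dan, key  # on a real phone these would sit in the Secure Element

    def authorize(self, dan, ctr, amount_cents, code):
        rec = self._vault.get(dan)
        if rec is None:
            return "unknown token"
        expected = dynamic_code(rec["key"], dan, ctr, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "bad code"
        if ctr <= rec["last_ctr"]:
            return "replay"  # a captured message cannot be reused
        rec["last_ctr"] = ctr
        return "approved"

class Device:
    def __init__(self, dan, key):
        self.dan, self._key, self._ctr = dan, key, 0

    def pay(self, amount_cents):
        self._ctr += 1
        code = dynamic_code(self._key, self.dan, self._ctr, amount_cents)
        return {"dan": self.dan, "ctr": self._ctr, "amount": amount_cents, "code": code}

def demo():
    svc = TokenService()
    pan = "4111111111111111"  # constructed test card number
    dev = Device(*svc.provision(pan))
    m = dev.pay(1999)  # everything the merchant terminal receives
    first = svc.authorize(m["dan"], m["ctr"], m["amount"], m["code"])
    replay = svc.authorize(m["dan"], m["ctr"], m["amount"], m["code"])
    forged = svc.authorize(m["dan"], m["ctr"] + 1, 999900, m["code"])
    return {"pan_at_merchant": pan in str(m), "first": first,
            "replay": replay, "forged": forged}

if __name__ == "__main__":
    print(demo())
```

A merchant breach in this model yields only the token and already-spent codes, which is the property the article credits with removing card data from point-of-sale systems.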
3. EMV
Apple is using a communication protocol that is supported in widely deployed payment terminals in Europe and Canada called EMV, which stands for Europay, MasterCard, and Visa. The terminals support chip-and-PIN technology to cut down on card fraud. Target and Home Depot, two large retailers in the U.S. that are reeling from massive data breaches, indicated they will have terminals in place supporting EMV. Other large retailers are expected to replace outdated terminals with new EMV-enabled equipment by October 2015. The latest EMV terminals are encrypted and support NFC, contactless payments, said Ruston Miles, a PCI compliance expert and chief innovation officer at Atlanta, Ga.-based payment systems provider Bluefin Payment Systems.
4. NFC Implementation
Near field communications has been in Android since 2010, when Samsung introduced the Nexus S. Security researchers have uncovered some security weaknesses in the technology since then. The biggest hole, researchers say, is the ability to create a malicious application that can use the NFC protocol. Unlike Google, which provides access to NFC to any app maker, Apple will control its NFC-enabled chip in the iPhone 6 and iPhone 6 Plus. It's a security measure that has ruffled the feathers of other payment services, such as PayPal. Mobile experts predict that third-party developers, including other payment services, will eventually gain limited access to the NFC implementation by 2015.
5. Find My iPhone
If a device is lost or stolen, Apple has updated its Find My iPhone feature to place devices in lost mode so access to the device data is disabled. Users will also have the option to wipe their iPhone. Google also has this feature for Android devices, but security experts point out that Apple's implementation is more tightly restricted.
6. Biometric Validation
Apple Pay uses the iPhone's Touch ID fingerprint reader as a secondary validation that an authorized user is making a purchase. Touch ID uses a capacitive touch sensor and directs an image of the user's finger to a sensor which reads the outer layers of the skin to get a detailed fingerprint and verify the authenticity of the user. A transaction can also be made through a secure PIN code, according to Apple. Fingerprint data is stored deep in Apple's processor in an encrypted area Apple calls Secure Enclave, making it difficult for a hacker to crack.
7. The Walled Garden
Apple Pay is within Apple's walled garden, a closed ecosystem that has kept iOS devices relatively immune from dangerous malware and other threats. Google Android devices run in a pseudo-open ecosystem, giving carriers and device makers the ability to control custom versions of the firmware and device owners access to third-party application markets. Put simply, Google doesn't have tight controls over what can run on a device.
8. Google Wallet Flaws
A security researcher uncovered a serious flaw in Google Wallet in 2012 that could enable an attacker to view all the data contained in the owner's digital wallet on the device, including credit card numbers. The attack required a rooted phone and relied on a brute force attack to get the PIN code associated with the user's Google Wallet account. Security experts say researchers will be analyzing Apple's implementation for similar weaknesses. The attack was demonstrated with a malicious application that retrieved the Google Wallet PIN in seconds.
9. Google Stores Card Data
Google stores credit card numbers on its servers, according to its documentation. All of the financial data is encrypted, according to Google. An attacker who gains access to an individual's Wallet ID could view the card data and any transactions the user made. Google says full credit and debit card information is never shown in the app. Rather than assigning a token during a payment transaction, Google uses host card emulation to open up a secure connection to the payment terminal using the device's NFC chip.
10. Google Monitors Transactions
Google monitors transactions made with Google Wallet and indicates the measure is taken as part of its 24/7 fraud protection service in the U.S. "Your Wallet's information is safely stored on secure servers in a secure location. All transactions are also monitored 24/7 for fraudulent or unauthorized activity by our security team, and our support team is available to help you with any questions about Google Wallet," the company said in its support documentation.