Apple Pay Could Fuel iPhone Attacks, Say Experts
Apple Pay, the new contactless payment system that relies on the company's iPhone and the device owner's fingerprint, could spark a wave of attacks against Apple users who, up until now, have been relatively immune to mobile threats.
Apple Pay could take pressure off of retailers and shift it to Apple iPhone users who will be using their devices as a wallet, said Aaron Cherrington, a senior cyberthreat intelligence analyst at FireEye. Merchants that use NFC payments will only have a transaction number and token, rather than the valuable credit card number that thieves covet, said Cherrington in his analysis of Apple's payment system.
Thieves will need to find new ways to get at the sensitive data needed to create fraudulent credit cards once the new payment terminals are rolled out and become increasingly used, Cherrington said. Attackers could target vulnerabilities in third-party apps or create malware to record keystrokes and other data input into the iPhone, he said.
[Related: Apple Bets Security Will Drive Mobile Payments Adoption]
"As mobile payments continue to provide convenience and speed, the credit card as we know it will most likely evolve while we as consumers will increasingly rely on virtual wallets, payments and accounts," Cherrington said "As this shift in behavior occurs, we expect criminals to move with the trends and to continue to innovate or be shut out of the market."
Security researchers monitoring the threat landscape have documented a significant rise in mobile attacks over the past several years, but more than 95 percent of the activity is targeted at Android devices. Much of the activity has been in Asia, Eastern Europe and Russia where users increase their risk of an infection when they turn to third-party application repositories or download customized Android applications.
Attackers have penetrated Apple's official App Store in the past, say security experts. Fire Eye, Kaspersky Lab and other security firms have identified custom malware designed to support cyberespionage attacks that target users of Apple devices.
Apple unveiled Apple Pay Sept. 9 for its iPhone 6 and iPhone 6 Plus. When the company turns on the payment system in October, some 220,000 merchants will be equipped to accept NFC payments, including McDonald's, Walgreens and Target. The company also has American Express, Visa and Master Card backing its payment service and several major card issuing banks, including Bank of America, Wells Fargo, Chase and Capital One. Apple struck deals while the payment industry is eagerly looking for new ways to reduce fraud following a string of high-profile breaches, including a massive security lapse of approximately 56 million credit and debit cards at Home Depot.
The latest payment schemes may require technology and architecture changes, solution providers tell CRN. The problem for retailers and other merchants is that spending for security typically only follows a serious security incident, said Paul Deur, a principal at New York-based managed services and security consultancy Eden Technologies. Deur said the pressure to add security technology following a data breach results in knee-jerk spending rather than careful risk analysis.
"If you are only responding you are constantly in a firefighting mode, and trying to plug holes in a leaky dam is no way to keep data secure," Deur said. "That strategy will eventually overwhelm you."
NEXT: Despite New Risks, Apple Pay Security Is Tight, Say Security Experts
Apple is replacing the 16-digit credit card number and other data associated with the magnetic stripe on standard credit cards with a one-time use token for every transaction. In addition iPhones will be assigned a unique Device Account Number linking each credit card that users add to the Passbook application. Unlike Google Wallet, which stores credit card data in Google's servers and monitors purchases, Apple said it will never store user credit card information and said it would not view transactions.
Ripping out and replacing equipment may be costly, but Apple appears to have addressed that issue with participating retailers, said Bob Doyle, a security consultant at Cambridge, Mass.-based security consultancy and solution provider Neohapsis. The cost of ripping out payment hardware has always been a major deterrent, Doyle said. Terminals at major retailers may already support mobile payments or they can be retrofitted to accept mobile payments, but the point-of-sale system software would have to be modified to accept Apple's payment method, Doyle said.
Apple Pay will bolster security by adding user authentication to validate a transaction, software certificates to verify the validity of mobile applications, and tokenization to prevent cracking, said FireEye's Cherrington. It also will eliminate the threat posed by skimming, which relies on a user swiping his or her credit card, he said. Memory-scraping malware, which was at the core of many breaches, won't be able to retrieve credit card numbers, as they will not be transmitted during an Apple Pay transaction. And, finally, eavesdropping on NFC payments would also not likely pose a practical option since the traffic will consist of a token and transaction number.
Instead, attackers could look at the device itself, Cherrington said. Credit card data under Apple's new Apple Pay system is most vulnerable when users enter data into their mobile device and may be a new target for financially motivated cybercriminals, despite Apple's closed ecosystem. Malware may attempt to capture the image used or credit card information when it is manually entered into the iPhone.
"It is likely that hackers will not give up their craft, but rather redirect their efforts toward the next weakest link in the chain," Cherrington said.
PUBLISHED SEPT. 22, 2014