iPhone Payment Security

Apple is including some sort of automatic credit card payment system with the iPhone 6. It's using some security feature of the phone and system to negotiate a cheaper transaction fee.

Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there's less risk of fraud. The article says that Apple has negotiated the card-present rate for its iPhone payment system, even though the card is not present. Presumably, this is because of some other security features that reduce the risk of fraud.

Not a lot of detail here, but interesting nonetheless.

Posted on September 8, 2014 at 7:21 AM • 41 Comments

Comments

Ashish • September 8, 2014 8:26 AM

It's likely gated by TouchID, their fingerprint reader. You can probably use NFC but have to authorize the transaction with a fingerprint scan that can already be done on your iPhone. This is more secure than any credit card, which is why they were probably able to get this low-risk rate.

Sasparilla • September 8, 2014 8:58 AM

Supposedly the Apple solution involves one-use tokenization of some sort to enhance security.

http://forums.macrumors.com/showthread.php?t=1772909

As the U.S. "in store" credit card market continues to melt down unabated in system compromised theft:

http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

Just giving the potential customer the perceived feeling of "security" when the current U.S. "in store" credit card system obviously doesn't have it - may be worth quite a lot in the marketplace.

paul • September 8, 2014 9:25 AM

It might be the added security, or it might be "We're going to get 50 million people to make multiple additional transactions every week. But you can't stick every merchant in your network for the price of a new terminal unless you give them some kind of a break on the transaction fee."

Chris • September 8, 2014 9:26 AM

I think this is the key bit of the linked article, "Apple was apparently adamant about getting the card-present rates and told issuers that it would assume some of the fraud risk inherent in every transaction"

Apple is getting better rates because they are willing to assume some of the risk of the transaction. They are willing to do this because of the payment security tech in the iPhone, but I don't think it's the tech that's persuading the banks, it's the fact that Apple is willing to put its money where its mouth is.

Or to put it another way, Apple has a better understanding of the security risks of its mobile payment system than the banks do, so they can gain a monetary advantage by offering to cover the risk of fraud in return for lower transaction rates.

OfficerX • September 8, 2014 9:38 AM

The author of the referenced article knows little about card payments. Visa, MC and AMEX are not "issuers". They aren't banks either - they are associations with banks as members who then issue cards and acquire transactions at merchants. Apple is not a bank either, so what they may have achieved with the card networks is to recognise to have "iPhone token" the equivalent as "card present" in the operational rules. This will allow the participating banks to 1) issue "virtual cards" to iPhone owners and 2) allow merchants to process iPhones like "card present" which means lower transaction fees = lower risk (but also lower income to acquirers, but that's due to lower risk).

I am not sure how Apple would make money in this though apart from making phones more attractive, but allowing a card issuer to issue a virtual credit card on iPhones surely will have its price.

All in all, if true quite a deal if they really did this. Add an online payment function to this and you have a potential game-changer in several ways.

Frank Wilhoit • September 8, 2014 9:55 AM

It is none so complicated as all of this. Apple is seen as delivering the cream of the cream: a highly desirable and nearly-captive market segment. Anyone who uses Apple products obviously has **MUCH** more money than sense. Apple could probably have held out for half of the card-present rate if they really wanted to play hardball; and they need not offer to assume any risk or to refactor the existing risk-management responsibilities in any way.

Jesse Shapiro • September 8, 2014 10:05 AM

I think that Chris has the right of it- if Apple is getting the card-present rates, it's not because of the actual security of the system- it's because Apple is willing to assume the cost of fraud.

Oliver • September 8, 2014 10:27 AM

Isn't this another of those "Security through Obscurity" examples?
We do all know how that turns out, every damn time :-(

MrC • September 8, 2014 10:50 AM

@ keiner:

iLaughed.

I'm fully expecting that Apple's payment system is going to turn out to be laughably insecure. (See also: iPhone 5 fingerprint reader successfully fooled on day of release; GOTO FAIL; the "fappening.") On the other hand, it's difficult to compare two laughably insecure systems. It may very well be that Apple's payment system will actually be more secure than in-store "card-present" transactions, because, as Target, Home Depot, PFChangs, etc. keep reminding us, that bar is pretty damn low.

David Leppik • September 8, 2014 11:36 AM

The iPhone 5S, with its fingerprint scanner, uses a secure enclave-- processor and flash memory-- to store fingerprint data. I'm wondering if that will be used in some interesting way. My guess is that whatever they announce, it will work for the existing iPhone 5S user base. So no new NFC hardware, just low-power Bluetooth.

Keep in mind that security is a trade-off with convenience. Ever since the beginning of online purchases, American credit cards have emphasized fraud detection rather than authentication. That is, they spend far more on predicting whether you would make that purchase than on whether it was you holding the card. It's taken for granted that there will be a certain fraction of false positives and negatives.

And this is as much about usability as security: Apple wants people to reach for their iPhones rather than their credit cards, so Apple can get a cut of the transactions. So it has to be more convenient than a credit card.

Which makes me think this isn't about point-of-sale terminals in physical stores. That may be part of it, but the low-hanging fruit is online purchases. Typing in your credit card number is a pain, and using a thumbprint would be much more convenient.

What's more, chip-and-pin isn't an option for online purchases anyway.

So it looks like Apple is using a hardware end-run around PayPal, where Apple gets a cut of online payments, but has lower costs than PayPal, since Apple gets the card-present rate.

David Leppik • September 8, 2014 11:59 AM

One other thing: the rumors have mentioned the use of GPS in fraud detection. The fact that the iPhone knows your physical location-- and can use its secure enclave to digitally sign the location-- provides much of the security of a point of sale terminal.

So here's what Apple can use, with the existing iPhone hardware:

  1. Your fingerprint
  2. Your location
  3. Your PIN (currently required on a regular basis, to make sure you don't forget it)
  4. Additional data, such as hashes and keys, which are only stored in the secure enclave on that one device.
  5. An Internet connection, to allow Apple's fraud detection servers to decide on a case-by-case basis whether to require a PIN.
  6. Additional metadata connected to your Apple account, such as your address, phone number, Apple Store purchase history, and even your photograph.

To use this, attackers would need at a minimum the iPhone and the fingerprints (probably already on the iPhone, but require some effort to preserve and extract.) But for out-of-the-ordinary purchases, they would need your PIN.


It doesn't sound like it would be hard at all to make this more secure than chip-and-pin, while being usable for online purchases.

Anura • September 8, 2014 12:13 PM

My biggest concern is not the security of the payment system, it's the security of the phones themselves. However, the payment system is my second biggest concern.

Phones present a good opportunity for a secure payment system: You can create a cryptographic protocol that makes the system secure against attacks at the merchant end, however it transfers the risk to the phone end (which as a person who buys stuff, I would rather my phone be the risk than have to worry that any time I use my credit card there is a risk of theft). You can make phone payments secure by storing a secret key on a special smart card which should only be usable to encrypt/authenticate, not read/store (hardware-enforced). Then you can have a PIN pad which is isolated so no apps can read the pin. I have my doubts that Apple is securing it beyond software isolation, which is exploitable. You can also design protocols that don't require secure random numbers, which would be ideal for a phone.
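An added illustration of the kind of protocol the comment above describes; it is not part of the original comment and not Apple's design, which the page does not detail. The `KeyStore` and `Issuer` classes, the message encoding and the use of HMAC-SHA256 with a monotonic counter are all assumptions made for this sketch, and the key and identifiers are constructed sample values.

```python
import hashlib
import hmac


def encode(merchant_id: str, amount_cents: int, counter: int) -> bytes:
    """Unambiguous encoding: length-prefixed merchant, fixed-width integers."""
    m = merchant_id.encode("utf-8")
    return (len(m).to_bytes(2, "big") + m
            + amount_cents.to_bytes(8, "big")
            + counter.to_bytes(8, "big"))


class KeyStore:
    """Hypothetical stand-in for a hardware key store: callers can request a
    MAC over a payment, but no method hands the key back out."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key
        self._counter = 0  # monotonic counter, so no random nonce is needed

    def authorize(self, merchant_id: str, amount_cents: int) -> dict:
        self._counter += 1
        msg = encode(merchant_id, amount_cents, self._counter)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"device": self.device_id, "merchant": merchant_id,
                "amount": amount_cents, "counter": self._counter, "tag": tag}


class Issuer:
    """Verifies authorizations; the merchant only relays them."""

    def __init__(self):
        self._keys = {}          # device id -> shared key
        self._last_counter = {}  # device id -> highest counter accepted

    def enroll(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key
        self._last_counter[device_id] = 0

    def verify(self, auth: dict) -> str:
        key = self._keys.get(auth["device"])
        if key is None:
            return "unknown-device"
        msg = encode(auth["merchant"], auth["amount"], auth["counter"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # Check the tag first: a forged message must never move the counter.
        if not hmac.compare_digest(expected, auth["tag"]):
            return "bad-tag"
        if auth["counter"] <= self._last_counter[auth["device"]]:
            return "replay"
        self._last_counter[auth["device"]] = auth["counter"]
        return "approved"


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, not a real secret
    phone = KeyStore("device-001", key)
    issuer = Issuer()
    issuer.enroll("device-001", key)

    auth = phone.authorize("coffee-shop", 450)
    return {
        "first_use": issuer.verify(auth),
        # Everything below is what a compromised merchant terminal could try
        # with the one authorization it has seen.
        "replayed": issuer.verify(auth),
        "amount_changed": issuer.verify({**auth, "amount": 45000}),
        "other_merchant": issuer.verify({**auth, "merchant": "other-shop"}),
        "counter_bumped": issuer.verify({**auth, "counter": 10**6}),
        "unknown_device": issuer.verify({**auth, "device": "device-999"}),
        # The real device is unaffected by the failed attempts.
        "next_payment": issuer.verify(phone.authorize("coffee-shop", 300)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

What the merchant handles is bound to one merchant, one amount and one counter value, so a copy captured at the terminal is rejected on reuse; the risk moves to the device holding the key, as the comment says.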

Anoni • September 8, 2014 12:48 PM

"you can have a PIN pad which is isolated so no apps can read the pin"

Didn't some folks recently use the motion-detecting optical gyros in a phone to deduce the password?

Anura • September 8, 2014 1:04 PM

@Anoni

Yeah, I figure there will always be some way if you are relying on software, but you do what you can to make it more difficult. The most important part is making sure that the PIN is useless without the smart card, and making sure that even the OS doesn't have access to do anything other than sending a request to encrypt data using the key stored on the card. On top of that (software isolation again), only the authorized payment app should have access to request data is encrypted so a malicious app can't just charge to your account without exploiting a vulnerability.

If your phone is stolen, of course, you should still consider the account compromised.

Daniel • September 8, 2014 2:04 PM

I'd like to point out that Apple's willingness to assume the risk of fraud is based upon the fact that Apple /can/ assume that risk because of the overall size and health of the company. It's a type of "self-insurance" that not many companies can afford to do. So in essence Apple is using its technical expertise to create economies of scale and so erect barriers to entry into the phone business.

G. Bailey • September 8, 2014 3:18 PM

Sadly, despite both Apple and Microsoft having the capability, nobody has found a way to get rid of the 3% credit card transaction fees weighing on the consumer economy in the U.S. (at least by creating a new, competing network).

If it's government's job to provide currency, why is it not its job to provide e-currency?

Craig Hughes • September 8, 2014 3:28 PM

They don't need to reduce the risk of fraud. They just need to be willing to undercut the margin that the banks are currently charging, which is extortionate. The current semi-monopoly from having only 2 major credit card systems means that this is an industry that is ripe to have its margins attacked, if someone could just get a foothold, which with something like this, worldwide, Apple might actually be able to do.

Anura • September 8, 2014 3:47 PM

@G. Bailey

Both the banks and the network make money off of the transaction fees, and there is little incentive to reduce them. Since there needs to be someone to verify that the bank is good for the money, unless you are piggybacking on an existing system then you are unlikely to get widespread support without a major backer. Apple and Microsoft only care about marketability, and a brand new system that requires banks to adopt it (as opposed to merchants, which are much more open to new things) is not very marketable. Really, it's just the barrier to entry and the lack of incentive.

As for government, politicians don't like to do things if it could be controversial among their corporate backers.

G. Bailey • September 8, 2014 3:54 PM

@Anura

Yeah, this is basically the textbook definition of "rent-seeking behavior" and "regulatory capture".

Frank Wilhoit • September 8, 2014 4:50 PM

@Citizen DO:

Being a "prosumer" of electricity is not a trivial technical challenge, at least not on an alternating-current distribution system that needs to be kept synchronized to within a millisecond or two and also balanced with respect to things like reactive power. Utilities have barely begun to think these things through, even though their future role will be to ensure continuity and quality of service, not (as hitherto) to inject power into a monolithic grid over which they have full control. There will still need to be a "utility" in this space, as ubiquitous reverse metering will require a technology deployment, and therefore an investment stream, that no other ownership model could address. Have you priced a utility-grade inverter -- from a reliable source?

You will know if it is done wrong: at best, the lights will go out. At worst, voltage surges will cause enormous damage. And how will your local volunteer fire department respond when their night-shift euchre game is interrupted by fifty simultaneous house fires in the same neighborhood?

Lisa • September 8, 2014 6:46 PM

Currently EMVCO requires Common Criteria EAL5+ certification level for chip based credit/debit cards.

Rather than attempt to raise the security of the new iPhone6 platform and get it certified to this CC EAL5+ level, instead Apple has strong-armed financial entities and networks into accepting a lower security grade.

In light of all of the increasingly damaging security breaches related to payment, it is nice to know that industry is willing to lower security standards.

I can't wait until iOS malware is discovered which steals from iPhone6 users. Maybe then, it will educate the-powers-that-be that it is not a good idea to weaken security.

Unfortunately, this might take a while, since there is a strong incentive for malware authors not to have their work discovered, since it increases the time available to steal from victims.

Chris Abbott • September 8, 2014 7:48 PM

@Anura

I agree about the phone security.

This isn't new. I've been using Square for cards for a long time, and it makes you have GPS on and charges much higher rates for 'Card not Present' transactions. It makes sense.

Thoth • September 8, 2014 9:04 PM

Yet another way to break electronic payments and propagate fraud and insecurity thanks to Apple who managed to scam the ignorant and greedy. I remember finger print is toast as a security model since you can forge one quite easily and for geo-location, just load a malware that will always send out false locations. Any other PIN harvesting, metadata harvesting and so on have been defeated in the past and should be considered already broken.

Chris Abbott • September 8, 2014 10:00 PM

The problem is, if an attacker gains any kind of access to a device, whether it be installed remotely via exploit or installed directly, all of your security measures become utterly worthless. This is the ultimate side channel attack that nobody has a foolproof fix for: an attacker gaining access to the device in some way. The biggest challenge we face is finding a way to ultimately keep these guys out, whether they're TLAs or regular cybercriminals. That appears to be a pretty difficult and daunting task. It's a cat and mouse game...

OfficerX • September 9, 2014 1:30 AM

On the topic of risk of fraud - if the payment is made through the iTunes account, which is already verified and also "card not present" (although this may change), then the risk is fairly small.

Should be interesting for sure, especially since Google and FB will probably want to do something similar. Plus of course Paypal...

mutley dastardly • September 9, 2014 4:46 AM

I won't buy an iphone - it's as simple as that. Nothing is allowed to be coupled in any direct way to my bank-data, and my health files!
It's simple no company is allowed to access my banking accounts in any way possible. My credit-card is prepaid, my phones are prepaid, my 4G is prepaid - no automatic payments (due to a stupid eu-change the bank isn't in charge of payments but the billing-instance - and i'm not writing any blanco cheques - forget it)... [i know, i'd be in trouble in the US - because if you have no debt history you're non-existent - i do live in Europe - we don't have such a banking-debt-driven-system yet. Some 'd like to evolve to that road - i'm against it, it's more crisis-prone and drives people into some kind of slavery - but that's another discussion...]
The laws in general should oblige anyone involved in any way of money payments to fulfill all the stringent requirements banks have to follow - the heaviest danger is a society in debt - the major cause of bank-crashes. Have a look at what happened in 2008 - have a look at 193x ...
The same goes for your phone bill - you can pay parking tickets - and you get billed for it - when your phone gets stolen - there's no real limit on that bill. With prepaid - when it's over - it's over (haha).
There are plans that you can pay contactless for small amounts - well i'm a robber - and just by sitting in a busy place, i can get rich? Can you imagine how nice the future is for the ones that know how to build electronics themselves? Don't think it'll be all safe - it won't be safe forever - computing power is getting cheap and abundant.
What you decide is your business - i'm going for stringent restricted access to my banking accounts - this means - no use of smartphones, no apps, no tablet use - i'm using the e-banking due to the fact my cardreader is not connected to my computer system. I have to type in the numbers - that's extra security. Never - never - never - couple the usb reader to the computer - don't be lazy - type in those numbers yourself. It's a little more secure and doesn't cost you a penny more.
Tell the person who's your personal contact to the bank about the way you use your accounts - if something is fishy, they may be able to prevent worse.
When you buy an iphone6 - you should consider buying a pacsafe bag (or something that works as a cage of Faraday) - to pack it in - just to prevent theft by proximity (NFC) - one never knows... Your phone won't work anymore - but your money 'll be safer. The choice is yours ;-)
When we read about banks implementing physical security like vein recognition and fingerprinting i always point to the CCC Schauble-story - it was cracked then by easy means it'll be cracked again. If your bank only provides security by biometrics - kick 'm out (you're risking to lose your fingers to the mob) - if they add biometrics as an extra barrier/option in combination with the good old cypherbox+chip on the bankcard - be happy, that's fine, and a lot more secure (until they chop your finger up, to find out it's not enough). Have a look at the RFID-system that is used in the Netherlands for public transportation - it was thought to be secure until... hackers found out only a few bits were random - haha (NXP - the one who's making also NFC-stuff).
Everyone needs to take care of himself - my banking-account-manager always enjoys my visits - you should 've seen his face when he showed me the nice banking app - and when i told him it allowed me to "steal some of his money" - because the password appeared one char by one - you just had to film it... 's well.
Just be careful - if something goes wrong it won't be enough to call cardstop - you'll also have to remove the smartphone/tablet from the banking app on-line (do you have your bankcard - oh gweat that's stolen too???)
Even if there's no other option available i'd rather drop dead than to buy an iphone/smartphone/tablet to buy food. Hell no. (i'm paying with cash to buy groceries - and i always forget loyalty cards - i won't be traced. They should offer me a lot more than 0.5% rebate).

Sasparilla • September 9, 2014 10:55 AM

mutley dastardly "Hell no. (i'm paying with cash to buy groceries - and i always forget loyalty cards - i won't be traced."

I'm with you mutley, however the Feds have encouraged - paid for training U.S. state/local police to incentivize you not to carry cash (that non-trackable form of payment) - as the police (in the U.S.) can just take it (astounding series of articles) without charges, get 50% of the haul and no bottom limit for the amount:

http://www.washingtonpost.com/sf/investigative/2014/09/06/stop-and-seize/

Back to the topic at hand, it should be very interesting all the details on the iThing payment system...Apple doesn't come from a strong security background, so I sure hope, for everyone's sake, they hired the right people and did their homework - cause the bad guys will be coming.

Jaime • September 9, 2014 5:31 PM

Last time I wrote software that sent transactions to a credit card processor, "Card Present" was a field that my software filled in. I don't believe very much value was put on the field if it is so easy to get wrong.

John F • September 9, 2014 5:37 PM

@OfficerX

"Should be interesting for sure, especially since Google and FB will probably want to do something similar. Plus of course Paypal..."

Google has been offering this since at least 2013. Google Play Store users have had the ability to use NFC-based tap-to-pay linked against any card tied to a Google wallet account since roughly 9/2013, as long as their handset supported NFC.

I believe NFC was first (quietly) introduced to the Samsung Galaxy product line about the S3 timeframe. Then, about a year, year and a half ago, ISIS Mobile Wallet popped up with similar, but greatly limited functionality. ISIS required a new SIM with a "Secure Element" before you could use it, but that was second generation technology at that point.

Additionally, Google will, should you so choose, issue you a physical "Wallet Card", which is a Google branded master card that you can tie to any payment source valid in the Google Play Store.

Technically speaking, for a long time, the hardest part about using Tap to pay with a Samsung phone was finding NFC enabled payment terminals. Then the folks running vending machines realized that they could add a bit of hardware and it suddenly became much easier to buy things from a vending machine. Now, NFC capable card readers are popping up all over, but generally in smaller stores - gas stations, etc.

Frankly, Apple hasn't done anything novel here in terms of handset based payments except - perhaps - to increase user awareness of tap-to-pay as a payment option. If anything they were late to the game.

(By the way, ISIS has/had some interesting ways to game it. In order to drive adoption, they initially paired up with Amex to offer a $40 credit to anyone who used ISIS to open a prepaid Amex Serve Account (with no backing funding source). Couple that with another incentive from Verizon that resulted in a $1.00 credit for any purchase over $1.20, and I don't think I've paid out of pocket for a soda or snack out of a vending machine in over a year.)

riu3hiurhir3uh • September 9, 2014 10:00 PM

It likely uses a back-end service provider over TCP/IP over baseband PHY. Too expensive for attackers unless you jailbreak..

The audio-port card readers have been out years and have easy protocols and are on weak policy stuff like android, no attacks to date.

anon • September 11, 2014 2:44 AM

What does this credit card payment feature mean in context of various PCI standards? (I don't own an iPhone and don't care personally.)

Is the iPhone a payment terminal / PTS device or the like?
Is Apple with its platform a payment service provider or what?
Or is Apple just reducing my effort of typing in the cc number by hand?

Can someone please explain what role Apple has in this?

Thomas_H • September 11, 2014 4:31 AM

@ David Leppik:

So...Apple would not only be able to build a clear profile of your purchase habits, but by using the biometric data you provide (fingerprints, face) and precise location data (GPS) could track you anywhere while correlating interests (purchase habits) and what you look like with the remaining data and probably draw interesting demographic conclusions by comparing those correlations with those of other people...

Oh, the uses...

Need some juicy stuff on a person, e.g. do they have a mistress or secret lover that they meet in certain locations and buy certain stuff for?

Want to know whether people belonging to 'ethnic group of people of choice' buy more items that can be used for crimes than others?

Want to know whether radical right/left-wing people can be recognized by their purchases and biometric features?

Want to discover whether (thought-)crime can be predicted by comparing criminal databases to Apple user purchase habits and biometrical data?

Want to design a program that automatically dispatches a drone to any person matching a profile that some iDiot designed as '99.9999% chance of being a terrorist'?

Are we sure the "A" in "NSA" doesn't stand for "Apple"?

Terry Cloth • September 12, 2014 5:06 PM

@mutley dastardly: [F]orget loyalty cards - i won't be traced. They should offer me a lot more than 0.5% rebate.

It depends on just how careful you want to be. I won't have a loyalty card that they have to mail to me, but fewer and fewer do, anymore. Fill out a form with your latest random data, they hand you a card, and you get money off. I don't care that they know someone who buys cookies often also buys milk; just so long as they don't know I'm that person.

Jeff Chaucer • September 12, 2014 5:31 PM

According to law professor Adam Levitin's blog, as a result of Apple Pay, Apple may now be a regulated financial institution. (Market Watch has an easier-to-digest report on Levitin's story.)

In short, offering a financial service (e.g., Apple Pay) puts you in the crosshairs of the Consumer Financial Protection Bureau, which is tasked with preventing "unfair, abusive, and deceptive practices." The law creating the CFPB puts no limits on which of your activities they cover. So, now, everything Apple does must be fair, reasonable, and straightforward. Don't we wish.

@John F: Google has been offering this since at least 2013.
So if Dr. Levitin's analysis applies, should the CFPB be looking into Google’s UDAP? How about every other tap-to-pay purveyor?
