Apple Pay security: We find out if there are any risks using Apple Pay
- 26 June, 2015 02:24
Apple Pay arrives in the UK in July. Once in place, it will let you buy a coffee at Costa, open the gates on the London Underground, or settle your bill for a cheeky Nando's with nothing more than a tap of your iPhone or Apple Watch on a regular contactless reader. You can also use it in apps - but not on websites - to pay for downloads, tickets, and physical products scheduled for delivery.
But is Apple Pay safe?
The short answer is yes. Apple wants us to think of its payment gateway the same way we think about PayPal or Visa. After all, it's only through gaining our trust that it will win our custom, and without our custom it won't earn commission from retailers.
To that end, it's spent a lot of time and money on making things secure. It's edging us all towards using six-digit passcodes rather than four, and the only iOS devices through which you can authorise a payment are those with NFC (Near Field Communication) and the device-unique Secure Element chip built in. So, if you don't have an iPhone 6, 6 Plus, iPad Air 2, iPad mini 3 or Apple Watch, you'll have to upgrade - or stick to alternative payment options.
Can anyone get your card details from Apple Pay?
The Apple Pay interface on your iPhone screen will be tailored to the outlet in which you're making your purchase.
If you already have a credit or debit card registered with your Apple ID, you can add it to Apple Pay directly, so you don't need to send it again over the air. If not, or you want to add a new card, Apple encrypts the whole process from end to end, wrapping up the card details in a unique identifier before handing it over to your card operator.
Assuming you're credit-worthy, the operator sends back an authorisation key that's stored in the Secure Element in the iOS device or Watch. The Secure Element is an industry-standard chip, so you're not relying on just Apple to maintain the technology, and because each one is unique to the device in which it resides, it reliably ties your device to your account. That way, the card processor knows exactly whose account to debit without passing your details over the network again or handing them to the retailer itself.
Is using Apple Pay on the high street safe?
So, the transaction is secure in transit, as what travels over the network is effectively useless data, but that's only half of the equation. Apple has also come up with a way to keep the physical interaction between your device and the reader safe, too.
Using Apple Pay in a real-world setup requires you to hold your iPhone or Apple Watch against the shop's contactless card device (you can't use an iPad in store). If you're using the Watch, you then press the side button twice to authorise the transaction or, if you're using the iPhone, you enter your passcode or use Touch ID to scan your finger.
As passcodes can now comprise more than just four digits, they're more secure than using a regular PIN, which has only 10,000 possible combinations if you include 0000.
Fingerprints offer even more protection. The likelihood of finding two people with the same pattern of loops and whorls stands at around one in 64,000,000, which means you're about four times as likely to win the National Lottery as you are to have a fingerprint that matches anyone else - and the chance of ever meeting that person... Well, it's unlikely and it's even more unlikely that they will get hold of your iPhone.
Fingerprinting isn't a precise science, though. Speaking to the Daily Telegraph in 2014, Mike Silverman, who rolled out the Metropolitan Police's first automated fingerprint detection system, explained that the process of identifying a print is more complicated than we might imagine. "No two fingerprints are ever exactly alike in every detail, even two impressions recorded immediately after each other from the same finger," he said. "It requires an expert examiner to determine whether a print taken from crime scene and one taken from a subject are likely to have originated from the same finger."
This has led to some miscarriages of justice when experts have declared two different prints to match, so it's perhaps fortunate that the detection performed by your iOS device is entirely driven by algorithms and doesn't rely on the skill of a trained eye.
Hack protection for Apple Pay
Apple Pay can also be used to buy products and services inside an app, but not currently over the web.
The fact you need to authorise the transaction before it can complete - and that your card details are never involved in the process - protects you from drive-by NFC hacks.
The Near Field Communication system is designed to connect quickly and easily to nearby devices, such as contactless card readers, with which it can share data. This has led some to posit that it would be possible to wave a card reader against your pocket and process a transaction automatically. This is exactly how NFC-based transport tickets work, allowing you to open a platform gate by tapping your card on a reader without entering your PIN.
We can't vouch for the security of every NFC-enabled device, but the checks and controls built into Apple Pay make this kind of attack all but impossible, as you'd have to physically authorise the transaction, and therefore be aware of it taking place.
How is the Apple Pay transaction authorised?
Once your code or finger is recognised, Apple Pay sends your card provider the key from your Secure Element, plus the amount you're spending and the merchant identifier, which is a double check, unique to that outlet, that ensures only they can receive the payment.
The retailer doesn't need to see your card details, and neither Apple nor your bank gets to find out what you're buying, so each half of the transaction is kept secret from the party who has no need to know about it.
If I lose my Watch or iPhone can someone make purchases?
If you lose your Watch or iOS device, putting it into Lost Mode through Find my iPhone suspends the key stored in your Secure Element so nobody can make purchases on your account.
And despite all this, if you still fall foul of a scam - which will almost certainly be a case of human error - the most you can lose in the early days is a paltry £20. That will rise to £30 in the autumn when contactless payment limits not just for Apple Pay, but for all cards, will be boosted by 50%.
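The authorisation and Lost Mode behaviour described above can be modelled in a few lines. This is an added example, not Apple's or any card network's actual protocol: the HMAC-SHA256 cryptogram, the transaction counter, the class names and the token and merchant strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

def cryptogram(key, token, merchant, amount_pence, counter):
    # MAC over every field the issuer must trust (HMAC-SHA256 is an assumption).
    msg = json.dumps([token, merchant, amount_pence, counter]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SecureElement:
    """Toy device chip: the key is held here and never appears in a request."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def authorise(self, merchant, amount_pence, user_verified):
        # No passcode, Touch ID or double-press: nothing is produced to submit.
        if not user_verified:
            raise PermissionError("payment not authorised by the user")
        self._counter += 1
        mac = cryptogram(self._key, self.token, merchant, amount_pence, self._counter)
        return {"token": self.token, "merchant": merchant,
                "amount": amount_pence, "counter": self._counter, "mac": mac}

class CardProvider:
    """Toy issuer: knows each token's key, its last counter and suspensions."""
    def __init__(self):
        self._keys, self._last, self._suspended = {}, {}, set()

    def provision(self, token):
        self._keys[token], self._last[token] = secrets.token_bytes(32), 0
        return SecureElement(token, self._keys[token])

    def suspend(self, token):  # models Lost Mode
        self._suspended.add(token)

    def verify(self, req, receiving_merchant):
        key = self._keys.get(req["token"])
        if key is None or req["token"] in self._suspended:
            return "declined: token unknown or suspended"
        good = cryptogram(key, req["token"], req["merchant"], req["amount"], req["counter"])
        if not hmac.compare_digest(good, req["mac"]):
            return "declined: bad cryptogram"
        if req["merchant"] != receiving_merchant:
            return "declined: wrong merchant"
        if req["counter"] <= self._last[req["token"]]:
            return "declined: replay"
        self._last[req["token"]] = req["counter"]
        return "approved"
```

The request the retailer forwards contains a token, an amount, a merchant identifier and a MAC, but no card number, and changing any field or reusing the request makes the issuer decline it.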
To use Apple Pay, you will need to set it up using the new Wallet app.