How Hackers Could Get Around Apple Pay Security
When CEO Tim Cook touted Apple's new mobile payments service as "easy, secure and private," he was at least partially addressing public concerns over the company's security infrastructure in light of recent high-profile hacks.
And while Apple Pay has yet to be put to a real-world test, some security experts--despite generally praising Apple's move as a step in the right direction--have already identified some potential risks inherent in the system.
"If correctly implemented it could add security benefits, but there could also be some gaping security flaws," said Chris Carlis, a security consultant for Trustwave. "We will see how it survives the initial contact with the enemy. .. It's not going to be a magic bullet that fixes fraud and security."
Apple didn't go into great detail describing the security aspects of Apple Pay when they introduced it this week. But there were a few things mentioned that shed some light on how the company plans to keep users' data safe.
For starters, Apple doesn't plan to store any of its users' financial information on its servers or in their device. Instead, the company is using a technology called "tokenization" to identify a user for payments.
Tokenization works like this: When a person adds a credit card to Passbook, instead of storing the user's actual credit card number, another account number is generated to identify the user.
This device-only account number is then stored in a new encrypted chip in the iPhone 6 and the iPhone 6 Plus called the "secure element." (The Apple Watch will also have a secure element chip that will be used to store the device account number when used with an iPhone 5, iPhone 5S and iPhone C).
This is significant because the secure element is actually in the device and not stored on Apple's servers, said Rick Dakin, CEO and chief security strategist of Coalfire, an IT data security firm.
Read More Apple stock downgraded on iPhone 6, Watch concerns
Because Apple doesn't store the credit card information, it is never shared with the merchant. So if a retailer's system is breached, the hackers won't have access to a user's financial information.
Given the recent hacks on major retailers, this could prove hugely beneficial. But other risks remain, experts said.
"Does this help prevent a nuclear bomb? Yes. When you are talking about a Home Depot-size breach, this could help prevent damage in a large scale attack," said Tom Pageler, chief of information security for DocuSign.
"But there are going to be smaller risks. People will find ways to try and take over accounts, whether it's by stealing a phone or using social engineering to hack an account or by getting a legitimate login."
Mobile payments have usually been done via an app or third party add-on and only a few were targeted, said Mike Park, managing consultant of Trustwave. But with this type of payment functionality built into an entire platform, every device becomes a target, Park said via email.
When Apple Pay launches, researchers (and hackers) will immediately start looking for weaknesses, and there is little doubt they will find flaws, said Bob Doyle, a security consultant at Neohapsis, a security and risk management company.
"Everyone wants a thinner wallet. But the flipside of this is that it makes the mobile device so much more critical than it was before," Doyle said. "Even digital wallets will be picked."
One possible security risk could stem from Apple's decision to place more trust in third party app developers, experts said.
Companies like Target, Uber and Groupon will incorporate Apple Pay into their e-commerce apps to facilitate purchases, which is another potential security risks, Pageler said.
According to Trustwave's Global Security Report, 96 percent of the applications scanned in 2013 contained at least one security vulnerability.
Apple executives also stressed during the event that the Touch ID feature found in the iPhone 5S and both models of the iPhone 6 could be used to verify payments, adding a layer of security. But since Touch ID launched in the iPhone 5S last year, there have already been experiments where the fingerprint reader was hacked.
Also, given that people can access Apple Pay with an Apple Watch, which can be used with older models of the iPhone that do not have Touch ID, the fingerprint security feature is not necessary to use the payment service.
"It's still to early to tell where there are security weaknesses," Doyle said. "The devil is always in the details. Until we see the protocols we don't know what the vulnerabilities are."
Apple declined to comment.