Get All Access for $5/mo

How Hackers Could Get Around Apple Pay Security While Apple has taken security precautions, experts warn there are ways hackers can still get your data.

By Cadie Thompson

This story originally appeared on CNBC

When CEO Tim Cook touted Apple's new mobile payments service as "easy, secure and private," he was at least partially addressing public concerns over the company's security infrastructure in light of recent high-profile hacks.

And while Apple Pay has yet to be put to a real-world test, some security experts--despite generally praising Apple's move as a step in the right direction--have already identified some potential risks inherent in the system.

"If correctly implemented it could add security benefits, but there could also be some gaping security flaws," said Chris Carlis, a security consultant for Trustwave. "We will see how it survives the initial contact with the enemy. .. It's not going to be a magic bullet that fixes fraud and security."

Apple didn't go into great detail describing the security aspects of Apple Pay when they introduced it this week. But there were a few things mentioned that shed some light on how the company plans to keep users' data safe.

For starters, Apple doesn't plan to store any of its users' financial information on its servers or in their device. Instead, the company is using a technology called "tokenization" to identify a user for payments.

Tokenization works like this: When a person adds a credit card to Passbook, instead of storing the user's actual credit card number, another account number is generated to identify the user.

This device-only account number is then stored in a new encrypted chip in the iPhone 6 and the iPhone 6 Plus called the "secure element." (The Apple Watch will also have a secure element chip that will be used to store the device account number when used with an iPhone 5, iPhone 5S and iPhone C).

This is significant because the secure element is actually in the device and not stored on Apple's servers, said Rick Dakin, CEO and chief security strategist of Coalfire, an IT data security firm.

Read More Apple stock downgraded on iPhone 6, Watch concerns
Because Apple doesn't store the credit card information, it is never shared with the merchant. So if a retailer's system is breached, the hackers won't have access to a user's financial information.

Given the recent hacks on major retailers, this could prove hugely beneficial. But other risks remain, experts said.

"Does this help prevent a nuclear bomb? Yes. When you are talking about a Home Depot-size breach, this could help prevent damage in a large scale attack," said Tom Pageler, chief of information security for DocuSign.

"But there are going to be smaller risks. People will find ways to try and take over accounts, whether it's by stealing a phone or using social engineering to hack an account or by getting a legitimate login."

Mobile payments have usually been done via an app or third party add-on and only a few were targeted, said Mike Park, managing consultant of Trustwave. But with this type of payment functionality built into an entire platform, every device becomes a target, Park said via email.

When Apple Pay launches, researchers (and hackers) will immediately start looking for weaknesses, and there is little doubt they will find flaws, said Bob Doyle, a security consultant at Neohapsis, a security and risk management company.
"Everyone wants a thinner wallet. But the flipside of this is that it makes the mobile device so much more critical than it was before," Doyle said. "Even digital wallets will be picked."

One possible security risk could stem from Apple's decision to place more trust in third party app developers, experts said.

Companies like Target, Uber and Groupon will incorporate Apple Pay into their e-commerce apps to facilitate purchases, which is another potential security risks, Pageler said.

According to Trustwave's Global Security Report, 96 percent of the applications scanned in 2013 contained at least one security vulnerability.

Apple executives also stressed during the event that the Touch ID feature found in the iPhone 5S and both models of the iPhone 6 could be used to verify payments, adding a layer of security. But since Touch ID launched in the iPhone 5S last year, there have already been experiments where the fingerprint reader was hacked.

Also, given that people can access Apple Pay with an Apple Watch, which can be used with older models of the iPhone that do not have Touch ID, the fingerprint security feature is not necessary to use the payment service.

"It's still to early to tell where there are security weaknesses," Doyle said. "The devil is always in the details. Until we see the protocols we don't know what the vulnerabilities are."

Apple declined to comment.

Cadie Thompson covers all things tech for She has also written and produced for NetNet -- where she covered Wall Street -- and Consumer Nation, where she wrote about trends in consumer technology.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Growing a Business

The Top 5 AI Tools That Can Revolutionize Your Workflow and Boost Productivity

Discover the top 5 AI tools for marketing and content creation that every marketer needs to know.

Science & Technology

No More ChatGPT? Here's Why Small Language Models Are Stealing the AI Spotlight

Entrepreneurs can leverage this growing tech to create innovative, efficient and targeted AI solutions.

Starting a Business

How to Find the Right Programmers: A Brief Guideline for Startup Founders

For startup founders under a plethora of challenges like timing, investors and changing market demand, it is extremely hard to hire programmers who can deliver.

Business News

How to Build a Successful Startup, According to an Investor Who Made Early Bets on Twitter, Lyft, and Twitch

He's found a few patterns after nearly two decades of investing in startups.

Business News

How to Be a Billionaire By 25, According to a College Dropout Turned CEO Worth $1.6 Billion

Austin Russell became the world's youngest self-made billionaire in 2020 at age 25.