Apple Pay and Authentication

13258-a-hand-holding-money-pvAs I write this near the end of October 2014 Apple Pay is in the news again, mostly for its popularity and for the stores that won’t be using it. But another story got me to thinking more about it.

Let me begin by saying that my credit card number was “compromised” after a recent business trip. My card issuer noticed that someone tried to use the card in one state, in-between uses in another state (where I was). They cancelled the card, eventually sent me a new one and we verified all the legitimate charges. It was a time-consuming and unpleasant process, and of course it made me think about card security.

As I noted before, I love the idea of paying with my phone. Had I paid by phone or with a chip and pin card, the likelihood of my number being compromised would have been significantly reduced. There is, however, an issue with phone payments: the security of the phone. Somehow we need to endure that only the phone’s owner uses it for payments. A PIN would work, but that is a little awkward for some people. I use a PIN to access my phone when I use it to pay at Starbucks, though, and it is fine for me.

Apple Pay Security

Apple uses a fingerprint. Regular readers of this blog will know that I am a proponent of biometric authentication. One issue with biometrics is the ability to create false biometric tokens, e.g. fingerprints. This can be a serious issue. As the article on points out, Apple’s Touch ID (used to authenticate Apple Pay users who’d prefer not to use a passcode) is vulnerable to this kind of “spoofing”. If I had an iPhone (I use Android) this might make me worry.

Typically contactless payment systems have a transaction limit, usually under $50. That way a stolen card can’t be used to buy a car or tricked-out gaming PC. This limits the card-issuer’s liability and makes the system more viable. It has been suggested that Apple Pay, because it uses fingerprint or PIN authentication, does not trigger the limit and can be used for much larger payments (but probably not that Tesla you’ve been dreaming of…). If the fingerprint can be “spoofed” however, that lack of a limit may not be the safest thing.

I hope Apple Pay and other NFC payment systems succeed. I don’t like exposing my card info at the point of sale. But I also hope they choose proper authentication schemes so customers can make larger transactions reliably. As we discuss in Learning Tree Course 468, System and Network Security Introduction, authentication is a critical pillar of cybersecurity and it needs to be done right. Let us know your experience with NFC payment systems in the comments below.

To your safe computing,
John McDermott

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.