Not a week goes by without a major computer hacking happening where thousands if not millions of customer records are stolen or accessed. In this context, it can be queasy to switch to an electronic form of payment like Apple Pay which seems to virtualize our credit cards. Would this make it easier to breach or steal? Some people are asking this very legitimate question, so here’s my stab at answering this.
Classic credit card fraud/theft vectors
First, it’s important to understand that there are many ways that your classic credit card can be compromised today, ranging from its information being stolen from your email, to stolen from an account that you have with a vendor or simply a merchant who writes down your number, expiration date and 3-digit security code. With Apple Pay and other services like it, your account is not shown to a store employee or online merchant. There are many ways to steal credit card information, more than you would probably care to know about to rest at night.
Step 1 : enter your card information
To use Apple Pay you need to enter your credit card information into the phone. This information be encrypted using Apple’s “Secure Element” encryption method which is already in iOS. This would replace the smart chip present in certain credit cards.
Apple says that your credit information and your purchases never go to their servers. Because of that, there’s no chance that the information could be stolen due to an Apple data-center breach, like it was the case for Target and Home Depot breaches.
2/ Step 2: pay wirelessly
The payment will be passed from the phone to a point of payment over NFC, or Near Field Communications (using a computer encryption), a short-distance (a couple of inches) wireless communications standard which has parts of it coming from work done on RFID, another short-term wireless protocol which is used for product identification in warehouses, among other things.
These short-term networks use proximity as a first layer of privacy because their range is relatively limited: they listened at from too far away. That said, it’s been known that some RFID (Radio-Frequency Identification) passports have been hacked in the past.
You can imagine all kinds of hidden contraptions that could capture data going from the phone to the payment point (as shown by this wireless credit card hack), but this should be expected. Although such hacks don’t get the 3-digit security number and the user PIN, some information can be essentially read by any compatible reader. The real security feature here is the data encryption.
Computer encryption from 10,000 feet
I’m not 100% sure about which encryption flavor Apple is using, but if it is good enough for financial transaction then it is at least as strong as the encryption that protects your credit card payments today.
All these encryption systems run more or less on the same principle: there’s a system of very strong keys that can unlock the content, and without knowing them, the hackers/pirates can try to attack it by trying all possible billions or trillions of keys combinations (this called a “brute-force attack”), but it would take so much time to eventually find the right one that by the time they succeed, years or decades would have gone by (at least, in theory!), and the un-encrypted information is probably irrelevant by then.
The easiest way for hackers to steal credit card information is by hacking a vendor who has weak security, such as those who save user data with weak, or no encryption (sic).
Conclusion: more secure than a regular credit card
Unless Apple’s security architecture has a huge flaw, and since your credit card information is transmitted and shown to less people and stored in less places, there’s a good argument to be made that Apple Pay more secure than a classic credit card, simply because it is less exposed to typical theft vectors.
It is possible that someone steals your phone and tries to crack the password, but I can’t say that having a credit card in my wallet is more secure, on the contrary. That’s particularly true of places where cards don’t require a 4-digit pin to pay.
Additionally, Apple pay can use your fingerprint as a password, which is equivalent to a very long password.
Since most people are already comfortable with the level of security that classic credit card offer, the success or failure of electronic payment such as this one will, first and foremost, be as matter of “convenience” and not security.