Apple Bets Security Will Drive Mobile Payments Adoption

The Apple Pay service unveiled Tuesday by Apple CEO Tim Cook holds promise in reducing credit card fraud, said security experts. But whether it will have a significant impact on cybercrime depends on a variety of factors, they added.

The alternative payment system needs to be fully supported by retailers and the credit card brands, a step where Apple appears to be making inroads. Security may be enough to gain adoption and support from merchants, but consumers will need to trust the Apple brand and see Apple Pay as a convenient alternative, said Avivah Litan, a vice president and distinguished analyst at Gartner. When it debuts in October, Apple will use tokenization, a process that would assign a unique token to the chip inside its Apple iPhone 6 and iPhone 6 Plus to eliminate the traditional credit card data used by consumers. It's a method that holds promise in reducing fraud and ending the litany of retail data breaches, Litan said.

"This could really hit the mark with consumers and merchants," Litan said. "Merchants are fed up with the breaches and consumers want to protect their personal data."

[Related: Mobile Security Smackdown: iOS vs. Android vs. BlackBerry vs. Windows Phones]

Apple Pay is also tied to its Secure Element payment process that it patented in 2011. Apple is using an embedded chip within the iPhone and Apple Watch to store a unique, encrypted token that is assigned to the device. The payment process uses NFC technology and ties a unique transaction code to the device token on the iPhone. Users also can opt to confirm payment using the device's fingerprint reader. Credit cards aren't completely going away, as iPhone owners can add credit and debit cards into Passbook and set a default card for payments.

Alternative payment mechanisms, including Google Wallet, an NFC-supported payment method supported by many Android smartphones, have suffered from poor adoption.

Apple Pay is linked to user Apple iTunes accounts, of which the company has approximately 800 million. If consumers trust the technology, it could have what it takes to spur adoption, Litan said. Apple said 220,000 merchants will be equipped to accept contactless payments. Apple has inked partnerships with McDonald's, Whole Foods, Disney, Target, Walgreens, Macy's, Sephora and others.
The biggest win for Apple, according to Litan, may be the support it received from major credit card carriers American Express, Visa and Master Card, which could provide incentives to merchants for accepting Apple Pay. Issuing banks are also on board, with Bank of America, Wells Fargo, Chase and Capital One listed as backers of Apple Pay.

Apple also needs to earn the trust of users, an area that may have eroded following the recent attacks against celebrity users of its iCloud service, Litan said. But If Apple has created a winning solution, Litan said she expects Google to follow up with a similar system. One nagging issue Google may have is that it doesn't control its devices. Handset manufacturers would have to work with Google to make it linkable with Google Wallet, she said.

Integrating with Secure Element ramps up security significantly by separating the most sensitive data on the device on an encrypted chip, said Andrew Hoog, founder and CEO of Oak Park, Ill.-based mobile security firm Viaforensics. Another feature that adds security is the ability of users to revoke the payment ability of a device through the Find My iPhone feature, Hoog said.

The retail industry has been reeling from a litany of recent credit card breaches, beginning with the security lapse at Target, which struck during the start of the 2013 holiday shopping season. Home Depot was the latest to confirm a data breach of its systems, and some security experts speculate the number of credit and debit cards associated with the breach, which is said to have started in April, to eclipse the 45 million believed to have been stolen from Target's payment systems. Attackers also struck at Neiman Marcus, P.F. Chang's Bistro, Michaels Stores and Goodwill.

NEXT: Solution Providers Welcome Viable Alternatives

Solution providers say alternative payment methods are welcomed but often face too many hurdles to reach widespread adoption. Encrypted payment terminals are already available, but they are costly to implement and lack broad support from credit card carriers.

Secure mobile payments is the best solution to eventually replace the "old, outdated and broken payment systems most retailers are struggling to maintain today," said Chris Camejo, director of consulting and professional services at NTT Com Security. Camejo said retailers are slow to adopt new technologies because of the expenses associated with ripping out widely used systems and often must maintain backward compatibility with legacy equipment.

"There's no doubt that the mobile guys already have the technology at their fingertips to put together a more secure system," Camejo told CRN. "The biggest hurdle has been adoption and carriers standardizing on it."

Any new payment methods, including encrypted payment terminals and new mobile payment options, also will be probed by cybercriminals for vulnerabilities and implementation weaknesses, said Camejo. Security researchers will look closely at the technology for ways to bypass protections and holes to manipulate it, he said.

For example, security researchers found vulnerabilities in Google's implementation of Wallet shortly after it was released in 2011. The holes were difficult to exploit at the time because a proof-of-concept demonstration relied on a rooted Android device, which lacked some security restrictions.

Some naysayers of Apple's approach may point out a rise in mobile security threats in the past several years, but studies have found that mobile security threats are low in the U.S. Criminals are often foiled by carrier restrictions and Apple's closed ecosystem. But there's no reason why cybercriminals won't target Apple Pay, said Mike Park, managing consultant at security vendor Trustwave.

"This expands the overall attack surface, making it attractive for criminals looking for vulnerabilities to exploit," Park said "It makes every device a possible target. It’s still very early, but with this new feature attackers are likely looking to steal identities and mass-harvest payment card information as they do in other platforms and verticals now."

PUBLISHED SEPT. 9, 2014