Apple Pay Could Fuel iPhone Attacks, Say Experts



Apple Pay, the new contactless payment system that relies on the company's iPhone and the device owner's fingerprint, could spark a wave of attacks against Apple users who, up until now, have been relatively immune to mobile threats.

Apple Pay could take pressure off of retailers and shift it to Apple iPhone users who will be using their devices as a wallet, said Aaron Cherrington, a senior cyberthreat intelligence analyst at FireEye. Merchants that use NFC payments will only have a transaction number and token, rather than the valuable credit card number that thieves covet, said Cherrington in his analysis of Apple's payment system.

Thieves will need to find new ways to get at the sensitive data needed to create fraudulent credit cards once the new payment terminals are rolled out and become increasingly used, Cherrington said. Attackers could target vulnerabilities in third-party apps or create malware to record keystrokes and other data input into the iPhone, he said.


"As mobile payments continue to provide convenience and speed, the credit card as we know it will most likely evolve while we as consumers will increasingly rely on virtual wallets, payments and accounts," Cherrington said. "As this shift in behavior occurs, we expect criminals to move with the trends and to continue to innovate or be shut out of the market."

Security researchers monitoring the threat landscape have documented a significant rise in mobile attacks over the past several years, but more than 95 percent of the activity is targeted at Android devices. Much of the activity has been in Asia, Eastern Europe and Russia where users increase their risk of an infection when they turn to third-party application repositories or download customized Android applications. 

Attackers have penetrated Apple's official App Store in the past, say security experts. FireEye, Kaspersky Lab and other security firms have identified custom malware designed to support cyberespionage attacks that target users of Apple devices.

Apple unveiled Apple Pay Sept. 9 for its iPhone 6 and iPhone 6 Plus. When the company turns on the payment system in October, some 220,000 merchants will be equipped to accept NFC payments, including McDonald's, Walgreens and Target. The company also has American Express, Visa and MasterCard backing its payment service, along with several major card-issuing banks, including Bank of America, Wells Fargo, Chase and Capital One. Apple struck the deals while the payment industry is eagerly looking for new ways to reduce fraud following a string of high-profile breaches, including a massive security lapse affecting approximately 56 million credit and debit cards at Home Depot.

The latest payment schemes may require technology and architecture changes, solution providers tell CRN. The problem for retailers and other merchants is that spending for security typically only follows a serious security incident, said Paul Deur, a principal at New York-based managed services and security consultancy Eden Technologies. Deur said the pressure to add security technology following a data breach results in knee-jerk spending rather than careful risk analysis.

"If you are only responding you are constantly in a firefighting mode, and trying to plug holes in a leaky dam is no way to keep data secure," Deur said. "That strategy will eventually overwhelm you."
