A decade ago, a group of Johns Hopkins University grad students tried to hack one of the first commercially popular Near Field Communication payment systems – the kind of technology at the heart of Apple’s new mobile payment system. It took a few thousand dollars in gear and a few months of work. But the system, ExxonMobil's Speedpass, was entirely hackable.
The key was reverse engineering the computer chip that broadcast the payment information for Speedpass. With hacking gear loaded into the back seat of an SUV, the students were able to spoof the Speedpass key fob.
“We could then just go out and buy things in your name,” recalled Matthew Green, now a research professor at Johns Hopkins’ who specializes in cryptography. “It was a fun project.”
That may sound like a cautionary tale about the security of Apple Pay, which the company announced to fanfare on Tuesday as an efficient, secure new way to pay for a wide range of goods. But in fact, experts are excited about Apple Pay, arguing that it may herald a new era in transaction security and help end the rash of data breaches that have hit major retailers in recent years.
Why?
For starters, there are crucial differences between a Speedpass key fob and the iPhone that will be at the heart of Apple Pay. A key fob is dumb; it can transmit information but can’t do much else. An iPhone is smart; it can transmit information but also ask its user questions, such as: Do you really want to buy $75 worth of gas? To complete the transaction, the owner of the iPhone will have to confirm payment by placing a finger on the iPhone’s fingerprint reader, which comes standard on the iPhone 5S, as well the new iPhone 6 and iPhone 6 Plus.
This two-step process, experts say, could mark a major step forward in security of billions of dollars of transactions every day, particularly in the United States where antiquated credit card technology – long replaced in much of the world – is still the norm. This offers criminals mass hacking opportunities, as Target, Neiman Marcus, Home Depot and their customers have learned to their great dismay.
But more secure – even much more secure – is not the same as totally secure. Again, Apple offers a useful example. Security experts say iPhones are, in general, more secure than Android phones from viruses, hacks and government surveillance. But that superior security didn’t stop some sleazy, tenacious criminals from finding a way to steal intimate pictures from dozens of Hollywood celebrities and post them online.
The weak point in Apple’s photo security, several experts have concluded, was not the iPhones used for taking many of the pictures; instead it was Apple’s iCloud service, which is both newer and, less secure than the iPhone itself.
So what is the weak point in Apple Pay? Again, the iPhone itself has a strong set of security systems. The same may not be true of your thumb. People leave fingerprints everywhere, especially on the glass surfaces of their smartphones. Could somebody steal your thumb print and verify a purchase on Apple Pay without the actual iPhone’s owner knowing?