Experts: Don't use Apple Pay, CurrentC until crooks get a shot at them

While major retailers hem and haw about whether to use Apple Pay vs. CurrentC, security experts say those concerned about safeguarding their credit data might be wise to hold off using either payment system until it has really been vetted for vulnerabilities.


"The bottom line is they're about as safe as your debit card is now," says Jason Polancich, chief architect at SurfWatch Labs, about these near-field communications (NFC) systems that let smartphones authenticate users and act as credit cards.


Because some mobile payment systems like Apple Pay are brand new (CurrentC isn't even generally deployed yet), their security hasn't been tested much by the concerted efforts of attackers. "The criminals haven't had the chance to catch up yet," Polancich says.

But that will happen, says Marc Maiffret, CTO of BeyondTrust. "Surely Apple themselves have invested a lot of energy into securing Apple Pay, but as we have seen with previous technology releases, that does not mean they will have found everything."

He points to an earlier example of Apple putting forth a new technology, fingerprint ID, only to have it cracked soon after. "Surely Apple put some effort into securing that, but it was the security community that within a few weeks/months came to show how secure it was or not," he says.

In the case of CurrentC, attackers have already stolen email addresses of some participants in its trial program.

But, architecturally at least, Apple Pay and other mobile payment systems seem more secure than payment cards, says Ryan Olson, director of Unit 42, the Palo Alto Networks threat intelligence team. "The existing magnetic stripe system used for most in-store payments in the U.S. is much more vulnerable to theft and duplication than either Apple Pay or Google Wallet," he says. "As both systems use one-time identifiers for each payment and encrypt NFC communications, it's going to be much harder for an attacker to take advantage of these transactions."

There are plenty of places attackers will probe for weaknesses to exploit, Olson says. For example, attackers could go after the point-of-sale systems stores use to accept mobile payments in addition to the phones themselves, he says. Backend systems could also be hacked, but none of it is easy. "All three of these are more challenging to crack than the current POS systems we've seen in the headlines in the last year," he says.

Attackers could go after the fingerprint readers used for authentication on iPhones, says Tom Gorup, security operations center manager at Rook Security. So if a phone is stolen, an attacker could lift prints from it to defeat the print scanner, he says. "This attack can be completed simply with a laser printer, latex and some wood glue," he says.

Criminals will of course try standard attacks (buffer overflow, man-in-the-middle, SQL injection) to see if they will work against some elements of the systems, Gorup says.

Attackers are essentially businesspeople and will focus their efforts based on potential returns, adds Olson. "Until NFC-based systems become responsible for a large proportion of in-store payments, criminals will likely take the path of least-resistance and focus on the old technology," he says.

Meanwhile, Polancich says there are more effective, less technical ways of keeping your credit purchases safe than fretting over cards vs. mobile payments. These include diligent monitoring of accounts and credit status, updating passwords, using complex passwords and finding out how intermediaries store and purge your credit information. "It takes a lot of work," he says, but, "being on the ball with that can save you years of misery" that can result from having your identity stolen.

Letting these technologies mature before using them may be the way to go from a security standpoint, Maiffret says. "Some of the best advice to give to consumers in this space is simply to wait a while until the technology has been more thoroughly put under the microscope by researchers," he says.
