Apple Pay security: We find out if there are any risks using Apple Pay

Apple Pay arrives in July - here's what you need to know

The Apple Pay interface on your iPhone screen will be tailored to the outlet in which you’re making your purchase.


Apple Pay arrives in the UK in July. Once in place, it will let you buy a coffee at Costa, open the gates on the London Underground, or settle your bill for a cheeky Nando's with nothing more than a tap of your iPhone or Apple Watch on a regular contactless reader. You can also use it in apps - but not on websites - to pay for downloads, tickets, and physical products scheduled for delivery.


But is Apple Pay safe?

The short answer is yes. Apple wants us to think of its payment gateway the same way we think about PayPal or Visa. After all, it's only through gaining our trust that it will win our custom, and without our custom it won't earn commission from retailers.

To that end, it's spent a lot of time and money on making things secure. It's edging us all towards using six-digit passcodes rather than four, and the only iOS devices through which you can authorise a payment are those with NFC (Near Field Communication) and the device-unique Secure Element chip built in. So, if you don't have an iPhone 6, 6 Plus, iPad Air 2, iPad mini 3 or Apple Watch, you'll have to upgrade - or stick to alternative payment options.

Can anyone get your card details from Apple Pay?


If you already have a credit or debit card registered with your Apple ID, you can add it to Apple Pay directly, so you don't need to send it again over the air. If not, or you want to add a new card, Apple encrypts the whole process from end to end, wrapping up the card details in a unique identifier before handing it over to your card operator.

Assuming you're credit-worthy, the operator sends back an authorisation key that's stored in the Secure Element in the iOS device or Watch. The Secure Element is an industry-standard chip, so you're not relying on Apple alone to maintain the technology, and because each one is unique to the device in which it resides, it reliably ties your device to your account. That way, the card processor knows exactly whose account to debit without passing your details over the network again or handing them to the retailer itself.

Is using Apple Pay on the high street safe?

So, the transaction is secure in transit because the data that travels is useless to anyone who intercepts it, but that's only half of the equation. Apple has also come up with a way to keep the physical interaction between your device and the reader safe, too.

Using Apple Pay in a real-world setup requires you to hold your iPhone or Apple Watch against the shop's contactless card device (you can't use an iPad in store). If you're using the Watch, you then press the side button twice to authorise the transaction or, if you're using the iPhone, you enter your passcode or use Touch ID to scan your finger.

As passcodes can now comprise more than just four digits, they're more secure than a regular four-digit PIN, which has only 10,000 possible combinations if you include 0000.

Fingerprints offer even more protection. The likelihood of finding two people with the same pattern of loops and whorls stands at around one in 64,000,000, which means you're about four times as likely to win the National Lottery as you are to have a fingerprint that matches anyone else - and the chance of ever meeting that person... Well, it's unlikely and it's even more unlikely that they will get hold of your iPhone.

Fingerprinting isn't a precise science, though. Speaking to the Daily Telegraph in 2014, Mike Silverman, who rolled out the Metropolitan Police's first automated fingerprint detection system, explained that the process of identifying a print is more complicated than we might imagine. "No two fingerprints are ever exactly alike in every detail, even two impressions recorded immediately after each other from the same finger," he said. "It requires an expert examiner to determine whether a print taken from a crime scene and one taken from a subject are likely to have originated from the same finger."

This has led to some miscarriages of justice when experts have declared two different prints to match, so it's perhaps fortunate that the detection performed by your iOS device is entirely driven by algorithms and doesn't rely on the skill of a trained eye.

Hack protection for Apple Pay

Apple Pay can also be used to buy products and services inside an app, but not currently over the web.

The fact you need to authorise the transaction before it can complete - and that your card details are never involved in the process - protects you from drive-by NFC hacks.

The Near Field Communication system is designed to connect quickly and easily to nearby devices, such as contactless card readers, with which it can share data. This has led some to posit that it would be possible to wave a card reader against your pocket and process a transaction automatically. This is exactly how NFC-based transport tickets work, allowing you to open a platform gate by tapping your card on a reader without entering your PIN.

We can't vouch for the security of every NFC-enabled device, but the checks and controls built into Apple Pay make this kind of attack all but impossible, as you'd have to physically authorise the transaction, and therefore be aware of it taking place.

How is the Apple Pay transaction authorised?

Once your code or finger is recognised, Apple Pay sends your card provider the key from your Secure Element, plus the amount you're spending and the merchant identifier. The merchant identifier is a double check, unique to that outlet, that ensures only that retailer can receive the payment.

The retailer doesn't need to see your card details, and neither Apple nor your bank gets to find out what you're buying, so each half of the transaction is kept secret from the party that has no need to know about it.

If I lose my Watch or iPhone can someone make purchases?

If you lose your Watch or iOS device, putting it into Lost Mode through Find My iPhone suspends the key stored in your Secure Element so nobody can make purchases on your account.
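The three steps above (a device-bound key that stands in for the card, a per-transaction authorisation tied to the amount and merchant identifier, and Lost Mode suspending that key) are easier to reason about as code. The following is an added, simplified model written for this article, not Apple's protocol or any bank's software: the token format, the HMAC-SHA256 cryptogram, the transaction counter and the sample card number and merchant identifier are all assumptions constructed for the demonstration. It shows what a retailer actually receives, why a captured or forwarded authorisation is useless to anyone else, why a reader can't trigger a payment without the user's authorisation, and what happens after Lost Mode.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def cryptogram(device_key: bytes, token: str, amount_pence: int,
               merchant_id: str, counter: int) -> bytes:
    """MAC over everything the issuer must trust: token, amount, merchant, counter.
    HMAC-SHA256 is an assumption for this model; it stands in for the
    Secure Element's per-transaction cryptogram."""
    msg = f"{token}|{amount_pence}|{merchant_id}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


@dataclass
class TokenRecord:
    pan: str             # real card number; never leaves the issuer
    device_key: bytes    # key provisioned into this one device's Secure Element
    suspended: bool = False
    last_counter: int = 0


class Issuer:
    """The card operator: owns the card-to-token mapping and verifies every tap."""

    def __init__(self):
        self._tokens: dict[str, TokenRecord] = {}

    def provision(self, pan: str) -> tuple[str, bytes]:
        # Hypothetical token format; the device only ever learns this token and key.
        token = "TOKEN-" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._tokens[token] = TokenRecord(pan=pan, device_key=key)
        return token, key

    def suspend(self, token: str) -> None:
        """Lost Mode: this device's token is disabled; the real card is untouched."""
        self._tokens[token].suspended = True

    def authorise(self, msg: dict) -> tuple[bool, str]:
        rec = self._tokens.get(msg["token"])
        if rec is None or rec.suspended:
            return False, "token unknown or suspended"
        expected = cryptogram(rec.device_key, msg["token"], msg["amount"],
                              msg["merchant"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "cryptogram mismatch (amount or merchant altered)"
        if msg["counter"] <= rec.last_counter:
            return False, "replayed cryptogram"
        rec.last_counter = msg["counter"]
        return True, f"debit {msg['amount']}p from card ending {rec.pan[-4:]}"


class Device:
    """The iPhone/Watch side: holds only the token and key, never the card number."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0
        self.user_present = False   # set by passcode, Touch ID or the Watch's side button

    def tap(self, amount_pence: int, merchant_id: str) -> dict:
        if not self.user_present:
            raise PermissionError("no passcode/Touch ID authorisation for this tap")
        self.user_present = False   # one authorisation covers exactly one transaction
        self._counter += 1
        return {"token": self.token, "amount": amount_pence, "merchant": merchant_id,
                "counter": self._counter,
                "cryptogram": cryptogram(self._key, self.token, amount_pence,
                                         merchant_id, self._counter)}


def run_demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"                       # constructed sample card number
    token, key = issuer.provision(pan)
    phone = Device(token, key)
    out = {}

    phone.user_present = True                      # user entered passcode / used Touch ID
    msg = phone.tap(250, "COSTA-0042")             # constructed merchant identifier
    out["legit"] = issuer.authorise(msg)[0]
    out["merchant_sees_pan"] = pan in str(msg)     # everything the reader/retailer receives

    forwarded = dict(msg, merchant="OTHER-SHOP")   # someone tries to redirect the payment
    out["redirected"] = issuer.authorise(forwarded)[1]
    out["replayed"] = issuer.authorise(msg)[1]     # the same cryptogram presented twice

    try:                                           # reader tap with no user authorisation
        phone.tap(100, "POCKET-READER")
        out["drive_by"] = "accepted"
    except PermissionError:
        out["drive_by"] = "blocked on device"

    issuer.suspend(token)                          # owner puts the phone into Lost Mode
    phone.user_present = True                      # even with the passcode known...
    out["after_lost_mode"] = issuer.authorise(phone.tap(500, "COSTA-0042"))[1]
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point to take from the model is the split of knowledge: the retailer's reader sees a token and a one-off cryptogram and never the card number, the issuer sees the token, amount and merchant but nothing about the goods, and a cryptogram only verifies for the exact amount, merchant and counter it was made for, so forwarding, altering or replaying it fails at the issuer.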

And despite all this, if you still fall foul of a scam - which will almost certainly be a case of human error - the most you can lose in the early days is a paltry £20. That will rise to £30 in the autumn, when contactless payment limits not just for Apple Pay but for all cards will be boosted by 50%.

To use Apple Pay you will first need to set it up in the new Wallet app. Here's how to use the Apple Wallet app.
