Apple Pay's Biometrics Open a New Security Era for M-Payments


The future of payments is undoubtedly mobile and digital, as this week’s go-live of the Apple Pay service hopes to prove out. The idea is to enable frictionless, cardless commerce, and to do it in an ultimately more secure way than today's magnetic stripes and password-based authentication mechanisms offer. Biometrics are a key part of enabling this, and, many say, the ultimate linchpin in establishing a trusted m-pay ecosystem.

On the back of the new iPhone 6 and the smartwatch, Apple made a splash last month with its Apple Pay announcement. The feature turns an iPhone into a digital wallet, which can store credit and debit cards, and enable the use of near-field communications (NFC) for payment. Instead of swiping a card, users can pay by waving or tapping the phone using a sensor—for a transaction that takes about 10 seconds, the company said.

Apple estimates that 83 percent of all credit card purchases will be compatible with the service (though for now, only 1 percent of retailers support it, and you can only use it on an iPhone 6). Initial participating retailers include McDonald's, Uber, Whole Foods, Babies R Us, Macy's, Walgreens, Disney, Nike, Staples, Subway, Panera and Sephora; and on the card processing side, Visa, Mastercard and American Express are all on board. Bank of America even sent emails en masse to its customers alerting them to the fact that the capability is now live.

As a security measure, checking out requires users to touch their finger to the iPhone's fingerprint sensor to approve the transaction; the card stored on the phone will then be charged automatically. The information on the phone itself is protected by something that Apple calls “the Secure Element,” which is its own version of a trusted platform module (TPM)—that is, a secure cryptoprocessor designed to secure hardware from within. Account numbers meanwhile are not sent to any Apple servers or shared with retailers, who instead get a proxy account number. And, each of these data-in-transit transactions is protected by a one-time code. In case of loss or theft, users can disable Apple Pay via iCloud's “Find My iPhone” feature. That’s key considering that Americans lose their phones once every 3.5 seconds, according to Lookout Security.

It’s the biometric aspect that really makes the proposition work, according to security researchers. Google Wallet for example has been around for a while, but lacks a hardware integration strategy that makes the service more personal, and therefore trustworthy.

Biometrics, on the other hand, offer a high level of authentication and, crucially for consumers, eliminate the need to remember passwords, which may be shared or observed. In the payments scenario, biometrics combined with digital wallet approaches mean that cards are no longer part of the mix; given that most major data breaches, from Target to Home Depot, have hinged on hackers lifting card data from point-of-sale machines, this would seem to be an attractive aspect.

Terry Hartmann, vice president of security solutions at Unisys, told me at the company’s Universe summit last week that moves like Apple Pay enable a culture of trust in a way that is reminiscent of small-town America.

“It used to be that everyone in town knew you, so if you went to the corner store, and wrote a check, that was automatically trusted because people knew you, knew your handwriting, and it was unequivocally you,” he explained. “Biometrics, by linking a person, and only that person, to a device, does much the same thing by creating a personalization that just isn’t there with the physical plastic that you carry around in your wallet. I’d much rather have everything stored on my phone, in an environment that only I can access, just by virtue of physically being me.”

Biometrics Beyond Apple

This could become a commonplace approach to payments, and soon, especially considering that Apple won’t be alone in the fingerprint sensor arena for long. Samsung announced back in April that it will use the S3 Authentication Suite from Nok Nok Labs to make the Galaxy S5 smartphone Fast IDentification Online (FIDO)-enabled. The FIDO set of specifications will support a full range of authentication technologies, including biometrics such as fingerprint, eye and iris scanners, voice and facial recognition, as well as further enabling existing solutions and communications standards, such as trusted platform modules (TPM), USB security tokens, embedded secure elements (eSE), smart cards, Bluetooth low energy (BLE) and near field communication (NFC). The open specifications are being designed to be extensible and to accommodate future innovation, as well as protect existing investments.

Samsung is already teaming with Alipay, the largest third-party online payment provider in China, to soon enable secure online payments via the fingerprint sensor (FPS)/biometric technology on the Samsung Galaxy S5 smartphone. The end result will be that customers who make purchases and transfers in Alipay’s mobile application, Alipay Wallet, no longer need to enter a password. Instead, they provide their fingerprint.

Other biometrics-enabled rollouts should be coming soon: The Nok Nok solution was delivered in partnership with device giant Lenovo Group, a founding member of the FIDO Alliance, and PayPal also recently announced that it too would deploy FIDO standards using Nok Nok and support for the Galaxy S5 in the mobile payments market.

Is Biometrics Enough?

While the fingerprint sensor unequivocally links an individual to a transaction or event, there are hacks available to get around physical security—a thief can take a photograph of a person’s fingers, or lift a fingerprint off of a stolen device, and use 3D printing to create a rubber replica that the phone will accept.

While that’s a process, and fingerprints remain hard to forge even in that scenario, some say that cybercriminals are bound to test Apple Pay’s security structures to the limit, giving the market object lessons along the way.

For instance, “users add credit cards to their iPhones by taking pictures of them,” Daniel Ingevaldson, CTO at EasySolutions, told me in an email. “As Jennifer Lawrence and others can attest to, Apple’s ability to securely store and transmit those photos remains to be answered. Depending on how they are being stored and transmitted, it would not be surprising to see malware developed around this mechanism.”

There is a learning curve for everybody, merchant, consumer and hacker alike, he added. “With such an attractive, potentially lucrative target at stake, it is only a matter of time before these systems are found to be vulnerable,” he said. “The only question is, who will find the vulnerability first?”

There are also looming security concerns—will banks also start paying more attention to device health? “Visibility into the status of a device, potentially malicious apps running on it, etc. is going to be more important going forward,” Ingevaldson said.

All of this will prompt a faster adoption of a multilayered approach—a layered security framework with many authentication methods—according to Hartmann.

That’s a ways off from coming into use. “As financial transactions get more personalized and safer with biometrics, banks can start looking at a scalable identity and biometrics framework that integrates fingerprint, face, iris and signature for identification, verification and watch lists,” he explained. “The system works by combining the biometric, biographic and account data and matching it to arrive at one unique identity.”

For instance, the system establishes a level of trust for a user and the transaction requested from a smartphone based on contextual information such as GPS, type of transaction, date/time and historical trend. A risk score is then calculated for the transaction and the user by interfacing with an existing risk management system. If the confidence level is adequate for the risk level, the request is approved; otherwise the system asks for biometrics such as face or voice or both.
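
The decision flow described above, as an added sketch that is not from the article or from any vendor's product. The point values, thresholds and the names `Request`, `History`, `confidence`, `risk` and `decide` are assumptions, and `risk` stands in for the existing risk management system.

```python
import math
from dataclasses import dataclass

# Assumed point values (0-100), chosen for illustration only.
TXN_RISK = {"balance_check": 10, "purchase": 40, "transfer": 80}

@dataclass
class Request:
    txn_type: str
    amount: float
    lat: float
    lon: float
    hour: int  # local hour, 0-23

@dataclass
class History:
    home_lat: float
    home_lon: float
    usual_hours: range
    typical_amount: float

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def confidence(req, hist):
    """Trust in the user, from how well the context matches their history."""
    score = 90  # context alone never yields full confidence (assumption)
    if km_between(req.lat, req.lon, hist.home_lat, hist.home_lon) > 100:
        score -= 40  # GPS far from the usual location
    if req.hour not in hist.usual_hours:
        score -= 20  # unusual time of day
    if req.amount > 3 * hist.typical_amount:
        score -= 30  # breaks the historical spending trend
    return max(score, 0)

def risk(req):
    """Stand-in for the risk management system; unknown types score highest."""
    return TXN_RISK.get(req.txn_type, 100)

def decide(req, hist):
    """Approve when confidence covers the risk, otherwise step up to biometrics."""
    shortfall = risk(req) - confidence(req, hist)
    if shortfall <= 0:
        return "approve"
    # A large shortfall demands both biometrics, a small one either.
    return "step_up:face+voice" if shortfall >= 40 else "step_up:face_or_voice"
```
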

With so many questions surrounding the safety of mobile commerce, Dodi Glenn, the senior director of security intelligence and research labs at ThreatTrack Security, offered us some security tips:

  • Treat your mobile device like you treat your computer; password protect it.
  • Don’t use a public Wi-Fi network to access your financial applications.
  • Treat your mobile payment device like you would cash or your wallet. Don’t let just anyone use it since it holds a lot of financial power.
  • If you do choose to access your bank accounts with the device, download and use the providers’ apps rather than visiting their sites through a web browser. The bank will have developed the app and will own the security behind it, which is much more trustworthy than browser security.
  • Disable bank password auto-fill options. While it may be a hassle to re-enter your password each time you visit a site or application, it’s a much more secure practice in case your device is compromised.
  • If you do happen to lose your mobile device, use the remote wiping feature to clear your phone or tablet.

Edited by Maurice Nagle

TechZone360 Contributor
