Apple Pay Cyber Security Case Study
Findings on Apple Pay
Banking cards have become an increasingly popular means of payment, particularly at point of sale (POS) systems in developed countries, including the United States. Since their introduction in the 1980s, debit cards have come to account for over 58% of total sales and 32% of transactions in the United States, as observed by Sullivan, R. J. in his 2014 study of how to control security risk and fraud in payment systems.
The growth in the use of banking cards has also increased the exposure of card users to fraud, especially skimming fraud. According to Reyns, B. W., in his 2013 journal article on online routines and identity theft victimization, there has been a great decline in fraud through banking cards since 2008, when over $361 million was compromised. The achievement may be due to the different measures that financial institutions have put in place to close cyber security gaps.
Cyber criminals have made it difficult for electronic card users to make payments without fearing that their information may be captured and their money stolen. Though the introduction of Apple Pay in October 2014 reduced the rate of cybercrime, fraudsters have since gone a step further and discovered how to manipulate the security system to gain access to users’ digital wallets.
The susceptibility of these cards to fraud has been attributed to their increased use of magnetic stripes or mechanical data imprints that read as well as record data, as highlighted by Sullivan, R. J. in his 2014 study of how to control security risk and fraud in payment systems. The magnetic stripes and mechanical data imprints can record the client’s details, including the signature, which are meant to be used to verify the customer. These details can also be the source of the information that cyber criminals use to steal from unsuspecting clients, according to the 2013 journal article on online routines and identity theft victimization by Reyns, B. W. It is this susceptibility that has made Apple Pay popular among users. Since 2014, Apple Pay has attracted more users and commanded a larger share of the market than its competitors.
The perceived convenience of the wallet and its security features are some of the most appealing factors that have enabled it to attract more clients as a payment alternative. Despite this steady growth in popularity, most customers still do not understand much about the digital wallet and its use. This has hindered its effective use, especially with respect to security.
The rapid adoption of iPhones has enabled Apple Pay technology to achieve what most rival companies never achieved. It has led more customers to embrace the idea of paying for products or services online. However, as observed by Bischoff, V. in 2015 in his research on how safe it is to pay for shopping using the new Apple Pay service, the increase has also posed a greater challenge to the company in ensuring that its clients’ money is highly secure. Although a high number of retailers now accept the digital wallet as a more convenient and secure means of payment for their customers, they still have concerns about how to make it more secure.
Bischoff, V. in 2015 further revealed that over 60% of the customers who use Apple Pay use it a number of times a day, compared with those who use PayPal, which translates to 1.4 times better than the other payment service. The study further observed that the figure could change in future to 5.3 times above the users of other means of payment.
The study therefore set out to look at the measures that Apple Pay may have put in place to improve the security of its system and increase the level of confidence among its clients. It examined the improvements made to reinforce its cyber security, the wallet’s cyber security limitations, and the components used to develop the security provisions that protect clients’ information. It was meant to look at the measures put in place to ensure that customers’ money is safe, and will remain so as long as they continue to follow the laid-down procedures while using their digital wallets.
The study sought to answer questions about how Apple Pay cyber security compares with that of traditional banking cards, the security policies that have been put in place to protect customers’ banking cards, and the measures that Apple Pay may apply to improve the security of its system for online payment. A clear understanding of these will help in rebuilding customers’ confidence in using the digital wallet. It will assure users that none of their details pass through the air during any of their transactions, as was observed by Kim, Y., Park, Y. J., Choi, J., & Yeon, J. in 2015 in their empirical study on the adoption of “Fintech” services.
Apple Pay has put in place different methods to ensure that its customers’ finances are safe from hackers. Some of the measures include the use of secure Touch ID and continual skin contact on devices such as the Apple Watch, as outlined by Gray, J. M. in 2015 when he examined how Apple Pay coincides with the Consumer Financial Protection Act. The study therefore set out to determine how these measures work towards achieving a high level of security.
According to the 2016 study by Gregson, M. L. on the need to regulate Apple Pay, cyber fraudsters are constantly improving their skills so that they can overcome any security measure put in place to stop them. Apple Pay therefore needs to be constantly reviewed to ensure that its users feel safe. The study revealed that, unlike traditional banking cards, the digital wallet does not copy or emulate various signals when payment is being made. It uses tokens instead of the actual details on the cards, which means it is not vulnerable to manipulation by cyber criminals looking to rob unsuspecting users.
The other security layer that sets Apple Pay apart from ordinary bank cards is its ability to use the fingerprint as a security check, as seen in the study by Gray, J. M. in 2015. Apple Pay also uses Near Field Communication (NFC), which Gray, J. M. observed offers additional security for customers against hackers.
What may have hindered the continued use of traditional bank cards is the sending of magnetic signals or the mechanical data imprint, which can duplicate the customer’s information for verification at the point of sale. This made them highly susceptible to cybercrime. Attackers target these banking cards while they are being used to make payments, obtain the card numbers, and rob the unsuspecting card owners. It is this high level of vulnerability that Apple Pay technology is trying to protect its customers from.
Apple Pay, on the other hand, does not send magnetic signals when payment is being made. According to the 2016 study by Alexander, M. on the Apple Watch campaign, the sending of magnetic signals by the old cards from one card machine to another is one of the weak points that hackers use to commit cybercrimes.
Apple Pay technology seeks to ensure that no unauthorized person gets access to clients’ information, which would be dangerous for the customers. The measures it has put in place are meant to achieve the best security standards and allow its clients to enjoy the use of their digital wallets. Though the study acknowledges the different security measures that have been put in place, it contends that some issues still need to be addressed before the technology can be considered foolproof. The study agrees with the findings of Alexander, M. in 2016 that verification of the account owner through the user’s identity still needs to be improved.
The study also faults the ease of the Apple Pay account application process, which is likely to compromise the cyber security of the wallet. The ease of opening an Apple Pay account offers cyber criminals a safe haven to commit their crimes. It makes it difficult for them to be traced while using Apple devices, enabling them to hide behind the hard-to-track digital platform of iPhones, as outlined by Wagner, D. & Disparte, D. in 2016 when they looked at cyber risk.
Apple Pay is considered one of the payment alternatives that make client transactions secure by using a built-in secure element embedded in devices that are compatible with the payment service. These devices are fitted with a certified chip that runs on a Java Card platform, which makes the system more secure, as revealed by the Apple Pay security and privacy overview in 2016. This measure has made the company compliant with current financial industry requirements for guaranteeing the security of cashless payments. It has also made customers feel more comfortable using it. The study also revealed that it is the use of this secure element that has led most clients to accept it.
The Security Policies that Apple Pay has put in place to protect their clients.
To enhance the security of Apple Pay, the service provider needs to understand the main challenges and greatest concerns that users may be going through with the system. The improvements made to the technology are meant to help customers rebuild their confidence while using the technology to obtain Social Security Numbers, or check their bank account to enable them to access health data.
Apple Pay has ensured that its clients’ information is properly protected from the threats posed by various applications on the internet. These applications are capable of identifying customers who use the Apple Pay service through their devices. The firm has given its clients the ability to hide their identity while using the system by deactivating the provision in their devices that allows this trace-back. The firm believes that it is the hacker’s inability to acquire users’ information that helps keep them out of users’ accounts. The service provider has therefore put in place the following measures:
Introduction of rate limiting
Apple Pay is trying to improve its security system by introducing rate limiting. According to the study by Fox-Brewster, T. in 2016 on Forbes Welcome, rate limiting is a technique that prevents fraudsters and hackers from getting access to a user’s account by leaving them to guess the missing information required to activate the process. The critical information is known only to the user, and the service does not make it easy for attackers to access or guess it. This is achieved by controlling the rate of traffic sent or received by network interface controllers.
The setting of rate limits on a set of anomaly detections has also helped in securing users’ information. It has made it more difficult for hackers to access customers’ accounts, as they have to guess the password a number of times. If the guessed password is incorrect on all of these attempts, the account is automatically locked and the hacker is denied access, as observed by Jeffus in 2015. To protect customers further, the system sends an email or a text message to the victim’s phone to inform them of the malicious activity that may have led to the loss of their finances, the study by Fox-Brewster, T. in 2016 revealed. The firm has also put in place a tool that enables it to detect malicious activity and so strengthen the security services provided by banks.
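The guess, lock and notify behaviour described above can be sketched as follows. This is an added example, not Apple's or any bank's code; the threshold of five failures, the five-minute window, and the names LoginGuard, register and attempt are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5        # assumed threshold; the text above gives no number
WINDOW_SECONDS = 300    # assumed window in which failed guesses are counted


def _hash(secret: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the secret, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class LoginGuard:
    """Counts failed guesses per account, locks the account, notifies the owner."""

    def __init__(self, notify, clock):
        self._accounts = {}
        self._notify = notify   # callable(contact, message): e-mail or SMS gateway
        self._clock = clock     # callable() -> seconds; injectable for testing

    def register(self, user, secret, contact):
        salt = os.urandom(16)
        self._accounts[user] = {
            "salt": salt, "hash": _hash(secret, salt),
            "contact": contact, "failures": [], "locked": False,
        }

    def attempt(self, user, guess):
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"
        if acct["locked"]:
            # Checked before the secret: a correct guess no longer helps.
            return "locked"
        now = self._clock()
        if hmac.compare_digest(_hash(guess, acct["salt"]), acct["hash"]):
            acct["failures"].clear()
            return "ok"
        # Keep only failures inside the window, then record this one.
        acct["failures"] = [t for t in acct["failures"] if now - t < WINDOW_SECONDS]
        acct["failures"].append(now)
        if len(acct["failures"]) >= MAX_FAILURES:
            acct["locked"] = True
            self._notify(acct["contact"],
                         f"{user}: locked after {MAX_FAILURES} failed attempts")
            return "locked"
        return "denied"


def demo():
    # Constructed accounts and a fake clock so the run is deterministic.
    sent, now = [], [0.0]
    guard = LoginGuard(lambda c, m: sent.append((c, m)), lambda: now[0])
    guard.register("alice", "correct horse", "alice@example.test")
    guard.register("bob", "battery staple", "bob@example.test")

    fast = []                       # attacker: one guess per second
    for i in range(5):
        now[0] += 1
        fast.append(guard.attempt("alice", f"guess-{i}"))
    after_lock = guard.attempt("alice", "correct horse")

    slow = []                       # owner: four typos, a long pause, one more
    for _ in range(4):
        now[0] += 1
        slow.append(guard.attempt("bob", "typo"))
    now[0] += WINDOW_SECONDS
    slow.append(guard.attempt("bob", "typo"))
    slow.append(guard.attempt("bob", "battery staple"))
    return fast, after_lock, slow, sent


if __name__ == "__main__":
    print(demo())
```

The lock check comes before the secret comparison, so once the threshold is reached even the right password is refused until the owner, who has been notified, intervenes.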
The use of Tokenization
To protect its clients’ bank cards, Apple Pay has embraced the use of tokenization in place of actual credit card data. Tokenization is the process of substituting sensitive data elements with similar non-sensitive data elements, known as tokens, that lack any exploitable or extrinsic significance, as outlined by Galibus, T., Krasnoproshin, V. V., de Oliveira Albuquerque, R., & de Freitas, E. P. in 2016. The use of tokens means that the information sent to or collected by Apple Pay is used only to create Apple Pay profiles. The information entered through the iSight camera or by typing is first encrypted with a key before it is sent to Apple Pay servers. The technology also ensures that the data entered through the phone is erased from the device completely. The Apple Pay security and privacy overview in 2016 confirmed that the encrypted information is finally used to generate the security codes necessary for each transaction. The information sent is stored in the secure element, where it is used for all future transactions without the need to use the actual details of the bank card.
Tokens are seen as information references or identifiers that can be traced back to the withheld sensitive information only through an elaborate system of tokenization, as observed by Naik in 2016. Because the tokens are meant to be permanently irreversible, they are developed from random numbers, which are not easy for hackers to replicate. The presence of the tokenization system within the Apple Pay platform does not mean the system is automatically secure. Its usage must therefore be managed properly and with a range of security practices to ensure that it is fully secure. The management should focus not only on the authentication process, but also on proper authorization and auditing processes, among others.
The use of the tokenization system together with authentication, authorization, and auditing mechanisms, among others, has therefore helped Apple Pay to protect its sensitive data. The policy of tokenization, where the system provides the interface and authorization to data processing applications, has helped eliminate the possibility of the client’s bank card information ever being used in the transaction.
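The following simplified model shows the idea of this section: a random token stands in for the card number, and a security code is generated per transaction. It is an added example, not Apple's or a card network's implementation; HMAC-SHA256 as the code generator, the counter-based replay check, and the names TokenVault, Device and dynamic_code are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def dynamic_code(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    # One-time security code bound to the token, the transaction counter and
    # the amount. HMAC-SHA256 is a stand-in chosen for this example.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Issuer side: the only place where token and card number are linked."""

    def __init__(self):
        self._entries = {}

    def provision(self, pan: str):
        # The token is drawn at random, not computed from the card number,
        # so there is nothing in it to reverse.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._entries:
                break
        key = secrets.token_bytes(32)
        self._entries[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def authorize(self, msg: dict):
        """Return the card number to charge, or None if the request is rejected."""
        entry = self._entries.get(msg["token"])
        if entry is None:
            return None                     # unknown token
        expected = dynamic_code(entry["key"], msg["token"],
                                msg["counter"], msg["amount_cents"])
        if not hmac.compare_digest(expected, msg["code"]):
            return None                     # wrong device key or altered fields
        if msg["counter"] <= entry["last_counter"]:
            return None                     # captured message sent again
        entry["last_counter"] = msg["counter"]
        return entry["pan"]                 # never leaves the issuer


class Device:
    """Phone side: holds the token and key, never the card number."""

    def __init__(self, token: str, key: bytes):
        self._token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents: int) -> dict:
        self._counter += 1
        return {
            "token": self._token,
            "counter": self._counter,
            "amount_cents": amount_cents,
            "code": dynamic_code(self._key, self._token,
                                 self._counter, amount_cents),
        }


def demo():
    pan = "4111111111111111"    # constructed test card number, not a real account
    vault = TokenVault()
    token, key = vault.provision(pan)
    phone = Device(token, key)

    msg = phone.pay(1250)       # what the merchant terminal sees
    return {
        "pan_in_message": pan in [str(v) for v in msg.values()],
        "token_length": len(token),
        "first": vault.authorize(msg),
        "replay": vault.authorize(dict(msg)),
        "tampered": vault.authorize({**phone.pay(500), "amount_cents": 50000}),
        "unknown": vault.authorize({**phone.pay(500), "token": "0" * 15}),
    }


if __name__ == "__main__":
    print(demo())
```

The merchant-facing message carries only the token, counter, amount and code; the mapping back to the card number exists only inside the vault, which is why that component needs the authentication, authorization and auditing controls mentioned above.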
The use of Near Field Communication Technology
Apple Pay has also embraced Near Field Communication technology to reinforce its security. The use of this technology has given Apple Pay a major role in the payment ecosystem. It has made customers feel secure while making transactions using the service. The technology only works across short distances, and always prompts the user to give permission before any transaction is made, as observed by Zeng in 2016. It ensures that at the point of sale, the bank approves the payment request before the service verifies the client’s payment information. Apple Pay then cross-checks and matches the client’s dynamic security code to ensure it is unique to their device. This reduces hacking attempts by giving Apple Pay clients the ability to hide the fact that they hold an account. This matters because there exists a range of browsers and applications that can automatically identify whether a customer is using Apple Pay, which may make things easier for hackers.
Hackers are constantly searching for ways to get ahead of the security systems that have been developed, especially those considered the best. This implies that even Apple Pay tokens are not exempt from attackers trying to reverse them. The use of near field communication technology has therefore helped the Apple Pay service provider to ensure that its tokens remain irreversible. It has allowed the service to cross-check and match the client’s dynamic security code to ensure it is unique to their device. The introduction of near field communication technology is therefore proof that the firm is not ready to take chances with its customers’ security, and is willing to maintain strict security protocols to shield its clients from any vulnerability that cyber attackers may have identified in the payment network.
The use of strict terms and conditions for the third party
Apple Pay has also made it a condition, for the third-party companies with which it collaborates, that users erase all personal information contained in their Apple Pay accounts when they swap or change their Apple devices. This is to minimize as far as possible the chance of hackers getting access to their information, which may be the source of their insecurity. The move is also meant to ensure that users do not share any login or related information at any time, as this could be used to compromise their accounts. The information relating to users’ Apple Pay accounts must remain private and never be disclosed, even if asked for by bank staff, as outlined in the regulations of Barclays bank in 2016. Customers are also required not to use the service on Apple devices whose operating system has been altered.
Apple device Authentication
The authentication requirements that customers must meet before they register for the service are very high. They are required to have a passcode set on their devices as a way of ensuring that their security is enhanced right from the beginning. According to Gray, J. M. in 2015, Apple Pay has a mechanism in place to ensure the use of biometric authentication features such as touch, which involves the use of fingerprints, or even continuous contact with the skin, as a way of activating the transaction process. The transaction activation process may therefore not be easy for hackers to compromise.
Anonymity during the transactions
Apple Pay has ensured that the data collected from the client during the transaction process cannot be traced back to any Apple Pay client and remains anonymous. Information gathered from client purchase transactions, especially where clients buy from adverts posted by the digital service, may put the customer’s account at risk if it can be traced back to the particular client.
Removal of digital wallet account
If an Apple Pay customer loses his/her device, the digital payment service automatically suspends his/her account as soon as the device is placed in lost mode. This allows the user to deactivate his/her card should the device not be found. It gives users the liberty to protect their cards from being accessed through their devices by strangers, as was observed by Urien & Aghina in 2016. The company treats the loss of the device like the loss of an account or bank cards, which cannot be ignored without taking action. The company has made it possible for the user’s information to be disconnected even in the absence of Wi-Fi or a cellular network, as was indicated by the Apple Pay security and privacy overview in 2016. The payment service even allows users to contact their banks to have their debit and credit cards removed from the Apple Pay digital platform.
Compliance with the client data financial regulation
The firm has also implemented some of the best approaches to defend clients’ bankcard information, especially with respect to ensuring that the user interface through which the customer bankcard information can be collected is secure from cyber security threats such as screen scraping malware and keystroke logging malware, as was indicated by Ngu & Scott in 2015. This has allowed for the maintenance of tight security on the user information during user registration.
The fingerprint authentication technique serves as one of the most critical components of the secure ID of the payment service. The fingerprint Touch ID is more secure because it does not store actual images of the fingerprints, the study outlined. Putting all these measures in place has made Apple Pay comply with international regulation of financial client data. This has made the system be considered effective. Apple Pay’s desire to minimize cybercrime and ensure that clients’ money is safe is shown by the fact that it has gone ahead to register with crime enforcement networks, together with a range of anti-money laundering programs. This confirms its commitment to safeguarding clients’ money.
What Apple Pay still needs to Improve On
Use of secure coding
The study found that there are some measures that the company still needs to put in place to ensure maximum safety of its customers’ digital wallets. The first of these is the use of secure coding. Scholars have argued that weaknesses in software code may be the weak points that attackers target to overcome the security system. The 2016 study by AliShirvani, N., & Mortazavi, B. on guaranteeing trust and security in e-commerce by means of an improved SET protocol observed that malicious attacks through vulnerabilities in software are the main avenue that attackers exploit to succeed in their plans. They advised that, although Apple Pay may have put in place several measures to enhance its security, it needs to adopt secure coding to ensure that its software does not become vulnerable to attackers. The measures that it has put in place are likely to attract hackers who will try to prove that its security system can still be cracked.
The Near Field Communication Technology
The firm still needs to address the security flaws of near field communication technology. The adoption of near field communication has helped the Apple Pay company to improve its security. However, the technology poses challenges that have to be addressed. Key among the issues that need to be addressed is eavesdropping, which, if not addressed, can compromise security by allowing a third party to intercept a signal being shared between two devices. This may allow attackers to obtain clients’ token information and purchase data at points of sale, as mentioned by Coskun, V., Ozdenizci, B., & Ok, K. in 2013 in their survey on near field communication (NFC) technology. Gathering the client’s token information is enough to give attackers information that may let them trace back the client’s bank card information, making the client vulnerable.
Near field communication technology is also capable of exposing clients to the risk of a denial-of-service attack, due to attackers’ motivation to steal the user’s information or to deliver the client’s information incorrectly or in modified form. This may in turn cause the user’s request to be declined, as was found by Wagner, D., & Disparte, D. in 2016, on cyber risk.
Near field communication technology is also highly prone to smartphone viruses. Because it has attracted many users and been widely praised, attackers see the many transactions that take place in Apple Pay as a motivation to come up with a virus. They know that a virus such as a Trojan can corrupt the system in a manner that may allow them to acquire the client’s information, as was further indicated by the study by Coskun, V., Ozdenizci, B., & Ok, K. in 2013. This calls for Apple Pay to find alternative platforms that offer high levels of security in contactless payment, or to make efforts to cover the flaws that introduce the security vulnerabilities mentioned.
There is also a need for the company to constantly review its multifactor authentication to ensure that it is still up to date and is not compromised. Although the use of the PIN code and biometric data to get access to the device is among the greatest security measures that Apple Pay has managed to put in place, it may not offer the foolproof security system that the company wanted. Scholars have argued that, although the system makes it easy for clients to replace their PIN or password should it be lost, there is a big challenge should clients lose their biometric data. The client’s profile may be lost forever or be compromised beyond retrieval should their biometric data be stolen, as argued by Holden in 2016. The system as it is may not be able to handle this situation, and clients’ information may not be safe.
Improving the fingerprint authentication process
Although the use of fingerprint authentication has improved the security level of the service provider, the research found that the use of fingerprints is not entirely secure as such. Though the images of the scanned fingerprints are not stored on the device, data about the fingerprint is stored on the device in encrypted format. Cheng in 2016 argued that hackers are able to develop a cloned fingerprint from the encrypted information stored on the device. This means that the service provider still needs to do more work to ensure that a hacker’s cloned fingerprint does not bypass its security and illegally access clients’ information.
The ease of creating account with apple pay
The ease with which people can create accounts without proof of identity has made it easy for criminals to load credit cards or debit cards onto Apple devices, take advantage of the absence of bank authorization requirements, and use them to make fraudulent purchases. Filmoer in 2016 confirmed that, although it may be difficult to clone credit and debit cards and use them to make purchases, it is not impossible. This means that Apple’s security can still be cracked and hackers may use fake cards on the platform. The firm should therefore look for a way of limiting as far as possible the successful use of fake cards on its platform. It may adopt other means of verification within its systems to supplement the apparent weakness of relying on banks to verify the validity of cardholders. The registration process should be strict to ensure that only the real owners of the accounts carry out transactions.
Many security breaches may also be the result of users’ inability to use the device properly and to follow the laid-down security procedures. This may stop them from fully enjoying what the device offers. Educating users on how best to use the device, and on how to enhance their security while using it, is very important in keeping hackers at bay. Scholars have shown that customer awareness and training programs, organized by the firm and through the media, are very important in ensuring that customers know what they are supposed to do at each and every point.
New security indicators
To avoid the scenario of a customer using an untrustworthy application that may endanger their vital information by revealing it to hackers, the Apple Pay company can come up with a new security indicator that identifies trustworthy brands of software. This will help reduce the risk of using unsecured applications.
Suggestion for Further Studies
The study looked at how well the Apple Pay company has packaged its products to make them suitable for its clients in the market. Because it does not operate alone in the market, it has to ensure that its products meet the expectations of its customers, especially when it comes to security. The study determined that the company has put in place many security measures to ensure that it remains the best in the market. Key among its strategies are those meant to ensure that clients’ account information is kept safely out of the reach of hackers.
The point of concern is that if hackers can get access to a customer’s information, they will be able to access his/her account, which may be dangerous for the customer. Apple Pay’s strong point in the market is its ability to ensure that, even at the point of sale, proper verification of the customer is done without duplicating the customer’s information, which could otherwise be used by attackers to crack the account’s security codes.
The study found that Apple Pay takes a keen interest in all aspects of its clients’ security and, through its third-party terms and conditions, has ensured that its trading partners also meet its required standards when it comes to security. It has ensured that they meet a given standard before it operates with them, as outlined by Barclays bank. As a way of winning customers’ faith and continuing to win retailers’ trust as one of the best means of making payment, it has ensured that its operations meet the required international standards. This shows how the Apple Pay company is trying not only to eliminate cybercrime, but also to revolutionize online payment methods.
However, the study also identified some gaps that the firm still needs to address or improve on. Apple Pay’s main challenge is the large market it has acquired, with a huge customer base that uses its service daily. This has made it a prime target for hackers to research and find a way of getting their hands on customers’ finances. This implies that the loopholes identified in the study could be the main points that these attackers target.
The firm’s approach has focused heavily on improving the mechanical aspects of its devices: how to make the accounts secure, how to make the device function well, how to ensure that the data is safe, and so on. But it has not taken much time to look at the human component, to help consumers know what they should not do so as not to compromise the security of their accounts, how they should use their devices to get the maximum benefit from them, and how they can improve their own security. This may be the missing link needed to ensure that its security withstands the test of time. Because it operates in a dynamic environment, there is a great need to stay constantly ahead of hackers to ensure that customers do not lose their resources.
Having looked at how Apple Pay differs from traditional banking cards, as well as the measures that the service provider has put in place to ensure that its customers’ finances are secure and the system remains the most preferred in the market, we still feel that the study may not have been conclusive enough in determining, among these factors, the most important one that the firm cannot compromise on no matter what. Although it may have put in place a number of security policies, there are some policies that may be so critical that it cannot compromise on them. A study should therefore be conducted to find out whether these factors exist, and how the firm handles the situation to ensure that it remains at the top.
Because Apple Pay operates on a dynamic platform, there is a need to determine how it copes with the current trends in the industry, as well as the issues that arise from these trends. A study can therefore be carried out to find out how the service provider strategizes to handle emerging issues and cope with current developments in this field.
Apple Pay has invested a great deal in improving its security to benefit its customers, but are its customers appreciating the effort? What impact has this had on its customer base? What are its users’ perceptions of its services? A study that answers these questions would be very important in letting such companies know whether their efforts are rewarding or not.
Otherwise, based on the findings of the study, on a scale of one to ten on security issues, where one is weak and ten is excellent handling of security issues, we rate them at nine. They have done a great deal to protect their clients, and they are still committed to making their clients enjoy their services.
- Alexander, M. (2016). Apple Watch Campaign April 22, 2016 Megan Alexander, Sammi Cowger, Brett Haskell, Kylie Leonard, and Abbey Venable.
- AliShirvani, N., & Mortazavi, B. (2016). Guaranteeing of trust and security in e-commerce by means of improved SET protocol. Bulletin de la Société Royale des Sciences de Liège, 85, 1136-1147.
- Apple Pay security and privacy overview. (2016). Apple Support. Retrieved 18 November 2016, from https://support.apple.com/en-us/HT203027
- Bischoff, V. (2015). How safe is it to pay for shopping using new Apple Pay service?. This is Money. Retrieved 16 October 2016, from http://www.thisismoney.co.uk/money/saving/article-3117398/How-safe-pay-shopping-iPhone-explain-Apple-Pay-service-works.html
- Coskun, V., Ozdenizci, B., & Ok, K. (2013). A survey on near field communication (NFC) technology. Wireless personal communications, 71(3), 2259-2294.
- Fox-Brewster, T. (2016). Forbes Welcome. Forbes.com. Retrieved 18 November 2016, from http://www.forbes.com/sites/thomasbrewster/2016/03/01/apple-pay-fraud-test/#30f2022d3c15
- Galibus, T., Krasnoproshin, V. V., de Oliveira Albuquerque, R., & de Freitas, E. P. (2016). Cloud Storage Security Mechanisms. In Elements of Cloud Storage Security (pp. 37-68). Springer International Publishing.
- Gray, J. M. (2015). How Apple Pay Coincides with the Consumer Financial Protection Act: Will Apple Become a Regulated Entity. J. High Tech. L., 16, 170.
- Gregson, M. L. (2016). Less is NOT More: The Need to Regulate Apple Pay. NC Banking Inst., 20, 311.
- Kim, Y., Park, Y. J., Choi, J., & Yeon, J. (2015). An Empirical Study on the Adoption of “Fintech” Service: Focused on Mobile Payment Services.
- Reyns, B. W. (2013). Online routines and identity theft victimization further expanding routine activity theory beyond direct-contact offenses. Journal of Research in Crime and Delinquency, 50(2), 216-238.
- Sullivan, R. J. (2014). Controlling security risk and fraud in payment systems. Economic Review-Federal Reserve Bank of Kansas City, 5.
- Wagner, D., & Disparte, D. (2016). Cyber Risk. In Global Risk Agility and Decision Making (pp. 199-220). Palgrave Macmillan UK.