Apple Pay is poised to turn how we pay for goods at a retail store on its head. The new Apple Pay system lets you make purchases with the cards in your iTunes Store account. When you bring your iPhone 6 near an NFC-equipped payment terminal, you’ll see your cards in Passbook, and you can authorize a transaction with the Touch ID fingerprint reader. That’s it, you’re done, and none of your sensitive credit card information was ever shared directly with the merchant.
Near-field communication, or NFC, isn’t a new technology, and hackers have had plenty of time to develop hardware that sniffs out the signals as they’re wirelessly transmitted from your phone to a reader. While some security experts I spoke to insist that these known vulnerabilities could apply to Apple Pay transactions, they also admitted that Apple’s use of one-time-use tokens instead of your actual credit card information would render these hacks pretty toothless.
How spoofing would work
Spoofing an NFC transaction involves creating a dummy reader—say, another smart card or a smartphone—that sniffs out a close-by signal and steals the data during a transaction.
Hector Hoyos, the CEO of Hoyos Labs, a digital infrastructure security company that makes a biometric device for ATMs, says there is a known hack for NFC that uses off-the-shelf radio receivers anyone can buy at Radio Shack. Using this home-built reader, a hacker standing near the Apple Pay terminal could intercept the signal.
“A radio sniffer could work if someone was standing right behind you from a foot or two away,” says Hoyos. He even suggested the spoof is one of the reasons why Google Wallet, which also relies on NFC, never went mainstream—although there isn’t known video evidence that Google Wallet has been hacked this way.
Other methods require physical access. Satnam Narang, the Security Response Manager at the Symantec Security Technology and Response (S.T.A.R.) division, says there is a known hack related to NFC transactions, but it requires that the hacker install a piece of malicious code on the phone first.
Narang says one known vulnerability called a relay attack uses smartcards, which are basically credit cards that store data and use an NFC chip. A hacker creates a “proxy” card that can intercept the signal from a “mole” (the real card). However, even then, he says there has to be a physical tap with the fraudulent card.
Another security analyst said NFC spoofing is possible. Jeff Williams, CTO of Contrast Security, a Web application security provider, says that a widely available reader using the Arduino microcontroller can intercept NFC signals from a meter away or more. He says several exploits for NFC in smartphones have been found.
Tokens, not account numbers
Still, even if a hacker could snag your transaction data as it passes from your iPhone to the terminal, they’d get a single-use token with nothing to identify you by name. Connecting that to the credit cards stored securely by Apple might not be impossible, but the experts we spoke to agree that it’s a lot harder than just stealing some credit card numbers.
Narang points out that Apple Pay uses an account code that refers to a credit card number not stored on the phone, so the hacker would only obtain a useless account number. This “tokenization” is one of the strengths of the new Apple Pay system and intended to dissuade hackers.
Williams agrees that stolen Apple Pay data would likely be useless. “The use of one-time tokens instead of revealing actual credit card information has the potential to make these intercepted signals useless to attackers. The use of Apple’s fingerprint Touch ID technology adds another layer of authentication to the mix, potentially further frustrating attacks,” he says.
Hoyos is a little more uncertain. He claims that it’s possible for hackers to correlate spoofed account tokens to credit card data stored on Apple’s actual servers, and points to the recent breach of celebrity photos from iCloud backups as precedent. (But the two situations aren’t comparable, and Apple hasn’t had credit card accounts stolen before.) Hoyos even claims that it’s possible to purchase a mylar replication of a fingerprint, then use it with Touch ID to complete transactions—but of course that would require stealing the phone and getting a fingerprint, and the whole plan is foiled as soon as the person you stole the phone from deactivates it as an Apple Pay device using Find My iPhone.
Apple did not respond on the record to inquiries about Apple Pay security but did point to online documentation for Apple Pay that explains the tokenization process. Apple Pay launches Monday in the United States with the release of iOS 8.1.