In their quarterly report this afternoon, Apple is expected to post record revenues and profits. Many analysts are curious how Apple Pay will be assessed after being in operation for a little over three months. While reviews have generally been positive, there have been a couple of hiccups with respect to security if you believe some tech experts.
First, Chaos Computer Club, a large group of European hackers, said in December they were able to replicate fingerprints using only photographs showing a person’s fingers. Hacker Jan “Starbug” Krissler said he had copied the thumbprint of German Defense Minister Ursula von der Leyen. He used a widely available program called VeriFinger, which used photos of the Defense Minister at a news conference to create the fake image of her finger. Theoretically, this could be used to hack TouchID and use Apple Pay as well as other systems on the iPhone. Other experts consulted about the fingerprint photos say conditions would have to be perfect for that type of hack to work, and even then, the chances of success would be small. It is highly doubtful a petty thief would have the expertise or time to pull off such a hack.
The second problem with Apple Pay security came from The Drop Labs Blog, a blog dedicated to mobile payments. They pointed out a couple of flaws they found with Apple Pay. One was the lack of a physical card. Currently, when hackers buy a stolen credit card number, they can use that number online. But if they want to use the number in the brick-and-mortar world, they have to make a physical card. That is not particularly hard, but Apple Pay made it 100 times easier to use a stolen number in the real world. Simply transfer the card number to the iPhone and use Apple Pay. No physical credit card is needed because your phone is your (stolen) credit card.
That brings us to another, larger problem The Drop Labs Blog pointed out. Banks aren’t properly verifying cards when they are entered into Apple Pay. If they were, then crooks would not be able to put stolen card numbers into Apple Pay because the cards would have to be properly verified. Chalk it up to the newness of the system, but banks are behind on their end of making Apple Pay secure.
The TouchID hack is a theoretical problem without any practical examples of it being used. The fake numbers being used with Apple Pay are the fault of the banks and their lax security and verification methods.
The utter lack of any real news about any breaches with the Apple Pay system means it must be doing a lot of things right. Therefore, if we were to give Apple Pay an early grade for security, it has to be an A+.