Why Apple's Tap-to-Pay Beats Credit Cards - Wall Street Journal

Sept. 10, 2014 8:19 p.m. ET



Last week, Apple Inc. disclosed that hackers found ways into its digital vaults to steal and post naked pictures of celebrities. On Tuesday, Apple said consumers should use its new iPhones as their digital wallets.


Apple's pitch for consumers to import sensitive financial data into its latest phones raises a host of security questions at a time when it and other companies have given consumers plenty of reason to worry about their personal information. This week, for instance, Home Depot Inc. confirmed it suffered a potentially massive breach of customer payment cards that began as early as April.


But corporate security experts, credit card companies and privacy hawks said Apple's plan for consumers to tap their phones or smartwatches against a reader, instead of swiping a plastic card, appears to be more secure than traditional payments systems.


Based on the available information, Apple's payment system appears more locked down than Apple's iCloud storage service, which hackers infiltrated to steal celebrities' pictures. That system was protected by a username, a password and biographical security questions, which the hackers appeared to have bypassed.


"It's the most secure combination of technology that we've ever deployed," said James Anderson, group head of mobile product development at credit card processor MasterCard Inc., which has worked with Apple on the payment technology.


Christopher Soghoian, a technologist at the American Civil Liberties Union who last week criticized Apple's iCloud security, said the new technology has to be compared against other real-world options.


"Your old fashioned credit card can be cloned by a waiter. Merchants routinely have credit card numbers stolen," Mr. Soghoian said. "There's not going to be anyone who says it's less secure than the old-fashioned swipe cards."


Apple Pay, according to people involved in its development, relies on a mix of technology and math to protect payment credentials.


After users enter their payment-card information on an iPhone, the device creates a unique 16-digit token. Each card gets its own token, specific to that device, Mr. Anderson said.


The token is sent to the payment processor through encrypted communication. The card company then links the token to the consumer's account.


The phone, meantime, stores this token in a special chip that Apple has said is walled off from the rest of the device and is more secure. Apple uses a similar process for storing data for its fingerprint reader. These data, Apple has said, aren't stored on its servers.


When a consumer wants to buy cheese at a Whole Foods Market Inc. store, the device would use a short-range radio system, called near-field communication, or NFC, to send the 16-digit token to the card reader. This token would be paired with a one-time string of random numbers created by encryption keys stored on the iPhone.


This random string of numbers, called a cryptogram, could only be good for a certain amount of time and at a certain location. It can't be reused. The 16-digit token, meantime, also can't buy anything on its own, MasterCard's Mr. Anderson said.


The merchant's card reader checks the token against the token stored by the payment company. If everything checks, the purchase is approved.
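The flow described in the preceding paragraphs, as an added example that is not from the article, Apple or MasterCard: a simplified model in which HMAC-SHA256 over the token, a merchant ID and a tap counter stands in for the real cryptogram algorithm, which the article does not specify. The class names, the `store-001` identifiers and the test card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, merchant, counter):
    # One-time value bound to this token, this merchant and this tap.
    msg = f"{token}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Constructed stand-in for the card company's token service."""
    def __init__(self):
        self.vault = {}  # token -> account number, device key, last counter seen
    def provision(self, pan):
        # The 16-digit token is random, so it reveals nothing about the account.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self.vault[token] = {"pan": pan, "key": key, "last": 0}
        return token, key
    def authorize(self, token, merchant, counter, cryptogram):
        entry = self.vault.get(token)
        if entry is None:
            return "declined: unknown token"
        if cryptogram is None:
            return "declined: token alone cannot buy anything"
        if counter <= entry["last"]:
            return "declined: cryptogram already used"
        expected = make_cryptogram(entry["key"], token, merchant, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram does not match"
        entry["last"] = counter
        return "approved"

class Device:
    """Constructed stand-in for the phone's walled-off chip."""
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0
    def tap(self, merchant):
        self.counter += 1
        return (self.token, merchant, self.counter,
                make_cryptogram(self.key, self.token, merchant, self.counter))

def demo():
    issuer = Issuer()
    token, key = issuer.provision("5555555555554444")  # constructed test number
    tap = Device(token, key).tap("store-001")
    return [issuer.authorize(*tap),                           # genuine tap
            issuer.authorize(*tap),                           # captured and replayed
            issuer.authorize(token, "store-001", 2, None),    # eavesdropped token only
            issuer.authorize(token, "store-999", 3, tap[3])]  # moved to another store
```

Only the first call is approved; the replayed message, the bare token and the cryptogram presented at a different merchant are all declined.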


The process is more secure than traditional payment cards, which often use consumers' actual account numbers, Mr. Anderson said. The main security vulnerability, the card issuer's servers, isn't a new issue.


"It's impossible to do transactions without data, and data is obviously a potential risk," Mr. Anderson said. "We are hypersensitive to that topic."


Certain NFC devices have been hacked at security conferences. But in an interview, the MasterCard executive said any stolen data wouldn't be of much use with Apple's payment system.


"Let's say somebody is listening and is able to pick up the data," Mr. Anderson said. "Essentially you get a useless 16-digit number. I could email it to my friend and they could email it back to me, but there's nothing they could do with it."


It remains unclear how Apple would use the system with its new smartwatch, which goes on sale early next year. "We've asked Apple that very same question," Mr. Anderson said. "They have an idea but they don't want to share it yet."


Apple's watch has numerous other biometric sensors to measure health statistics and is paired with an iPhone, which has a fingerprint sensor. Apple executives said the company has a plan for how to enable payments on the watch, which won't include a fingerprint sensor, but declined to elaborate.


The biggest security challenge Apple may face is consumers' willingness to give the company so much control over personal data, people briefed on the project said.


Apple lost some of its security credibility last week following the celebrity picture theft, said Avivah Litan, a security analyst at researcher Gartner Inc. who works with payment card companies and retailers. Ms. Litan however said she is optimistic about the security of Apple Pay.


"They totally screwed that up. They're not screwing this up," said Ms. Litan. "I'm not saying it's not hackable, but this is a lot more secure than only password protected data in the cloud."


—Daisuke Wakabayashi contributed to this article.


Write to Danny Yadron at danny.yadron@wsj.com






