The world turned up to Apple’s launch event this week for news of the new iPhone 6, but CEO Tim Cook ended up showing them something that could turn out to be more important than another smartphone. “Payments are broken,” he said announcing the broad details of Apple Pay, the firm’s entry into the world of contactless payments.
The scope of this ‘broken’ market is vast, the complexities considerable if surmountable, the potential for profits from a billion consumers buying things – Apple will get its cut of every transaction – in theory pretty sizable over time. Cleverly, the company said it wouldn’t levy these fees from the customers or merchants (who might pass that on to consumers) but from banks. We still don’t know how much this will be which suggests that it will be modest and depend on scale to make money. We don’t even know whether the banks are happy about this.
That’s a bit of a problem from the off because Apple Pay will only work with the iPhone 6, iPhone 6 Plus or its new Watch wearable computer, so the market will start small. Plenty of people will eventually buy these devices but that will still be measured in tens of millions rather than hundreds of millions, and that’s before you factor in competition from rivals such as Google’s well-engineered but little-used Wallet and something called Softcard (formerly ISIS – no, not that one) from a consortium of large US carriers.
The fee structure remains an issue. Google has struggled and it offers Wallet free of charge for all parties in the chain (merchants still pay credit card processing), making money back by pushing ads to users. Apple clearly thinks the power of its platform means that asking for money from banks will wash on the basis that Apple Pay will boost transaction volumes and that will be good for everyone.
Assuming the business engineering can be made to work, there is still the tricky issue of physical infrastructure and this is where any firm pushing smartphones as the vanguard of mobile payments have some work on their hands. In the US, card authentication is based on a simple magnetic stripe rather than the far more secure Chip and PIN EMV (Europay, Mastercard, Visa) system.
Additionally, there is the issue of merchants having to install the NFC (Near Field Communication) readers that make any contactless payments systems possible in the first place. In the US these have barely 2 percent penetration. On the plus side, Apple has fewer banks and payment systems to deal with because, unlike Europe, its banking sector is more concentrated.
As expected, Apple will launch Apple Pay in the US first but when the UK finally gets to try out the system in 2015 (the firm won’t say when precisely) it could turn out to be the perfect test bed for the concept. In common with the US, the UK is dominated by a small number of banks but NFC readers are far more common than either the US or Europe.
That’s game on as long as Apple can convince banks to absorb its unspecified fee with the hope of getting their money back through the greater volume of payments. Card providers, which have a lot of gain form Apple Pay, are believed to be onside.
This brings us brings us neatly to security and the issue of whether contactless mobile payments make life easier or more difficult for the criminals who will look for a way to beat the system. The short answer in case of the US is that almost any system couldn’t fail to be more secure than what is on offer today. Magnetic stripe credit cards can be used in many shops with no authentication other than a signature, an utterly hopeless design EMV was invented to improve.
US retailers have also been struck from within by a scandalous number of data breaches that have sneaked malware on to the POS system being used by customers, which beats almost any technology where the magnetic card details can be stolen in the clear.
Apple Pay’s EMV tokenisation feature should mitigate this entirely. Instead of storing and transferring a user’s credit card number every time a transaction is made, an account number is generated for each device and stored inside the iPhone 6’s ‘secure element’ chip. It is this unique identifier that is passed through the NFC terminal and hackers gaining access to it have a useless piece of data. Merchants never see the credit card number from which the token was generated.
The trade-off is that turning the device into a payment token is that the device itself becomes a target either through theft or through a weakness in one of the apps running on it, which will include those from third-party developers. It is almost impossible to imagine there won’t be some weaknesses in this layer of software.
To stop the phones turning into walking wallets, users will also have to authenticate themselves using a fingerprint system called Touch ID built into the iPhone 6. Although an established technology some have derided as an insecure gimmick (weaknesses have already been demonstrated), this is actually quite pragmatic solution because it avoids merchants having to buy two-factor authentication. It makes life easier than rivals systems which depend on entering PINS, sometimes on the phone and the terminal, although PINs will also be a fallback for Apple Pay.
“There is no way for consumers to lose money,” points out Tobias Schreyer, co-founder and chief commercial officer of B2B services firm, the PPRO Group.
He points out that up to the fraud guarantee limit of £20 ($25), users are already able to make NFC payments without authentication so embedding the credit card inside the iPhone is really more of a convenience. The effect of Apple Pay is simply that more people will probably start using it because they already have credit cards inside their iTunes accounts.
“My view is that Google Wallet is not much worse than Apple Pay,” says Schreyer. “They are just not as good at marketing,” he says. “As Apple is starting the process in the US market, this gives the UK the chance to prepare. Retailers should anticipate that consumer uptake will be fast and will need to be ready.
Others have questioned the security of the process for adding credit cards to the Apple Pay Passbook, which can come either from a user’s iTunes account or be added by photographing a card. To stop users simply photographing stolen cards, this data is verified through the user’s bank. It’s not clear what happens if the data is genuine but the card has been stolen without the user having realised. In principle, that information loaded on to a phone could be used for transactions up to the £20 limit without the need for authentication (it is likely that authentication is required the first time a card is registered – we await full details).
In the end, flaws and all the Apple Pay system is probably as secure if not more so than any other EMV payment system made through terminals, but perhaps we’re in danger of missing the point. Just as Apple users have become targets through their iCloud accounts, so the success of Apple Pay will turn that system into a particularly big target.
That means more social engineering to gain access to iTunes for one, even if the credit card data is secured within that store.
“Many Apple customers use a Windows based machine while working with their devices and accounts, which can leave them open to attack, even if Apple’s technology is secured, the password can be leaked if a user’s Windows machine is compromised,” points out Dmitry Bestuzhev, head of global research for Kaspersky Lab.
“It’s important to note that any system is potentially vulnerable, and this usually happens when the value is high and effort needed to hack is low.
So what hackers will go after is the whole ecosystem not simply Apple Pay. The potential vulnerabilities are legion. The POS terminals must be secured, as must the NFC exchange, the two-factor authentication, the device and its apps and the online accounts that tether the user. The biggest weakness in all this is, of course, the user. Apple has engineered its new technology system to resist attacks but can it say the same for its users?