Full Report
Mobile payments look set to be one of the defining technologies of 2015, as the launch of Apple Pay catalyses a boom in cardless payments - both from Apple’s own system, and rivals playing catch-up.
Analysis Summary
# Main Topic
The emergence and security implications of new mobile payment technologies, specifically catalyzed by the launch of Apple Pay in 2015, and its effect on the broader cardless payment landscape and transaction security.
## Key Points
- Apple Pay's launch is driving increased demand for rival mobile payment solutions like Google Wallet due to general excitement around the technology.
- Apple Pay fundamentally differs from rivals by *not* storing card details on the phone or on Apple's servers.
- The system utilizes "tokenization," replacing sensitive card numbers with a unique, bank-generated **Device Account Number (DAN)**.
- The DAN is stored exclusively on the **Secure Element** chip within the handset, isolated from the operating system, and is not backed up to iCloud.
- Card addition requires verification, often involving **two-factor authentication (2FA)** provided by the issuing bank.
- In-store payments require manual activation (selecting a card and authenticating via PIN or Touch ID) near the terminal.
- Only the DAN is transmitted during payment, specifically protecting against data breaches that rely on stealing magnetic stripe or primary card numbers (like those seen in the Target breach).
- In-app purchases using Apple Pay receive an additional layer of security via merchant-specific encryption applied to the transmitted DAN.
- Apple has stated that they do not harvest purchase information for advertising, monetizing through fees levied on partners instead.
## Threat Actors
- **No specific threat actors or APT groups** were identified in relation to the functionality or deployment of Apple Pay itself.
- The discussion implicitly references threat actors who utilize **POS malware** to conduct large-scale data breaches (as exemplified by the mention of the Target breach), which Apple Pay is designed to mitigate.
## TTPs
- **Tokenization:** Replacing primary account numbers (PANs) with device-specific tokens (DANs) for transaction processing.
- **Secure Element Storage:** Using a hardware-based, protected chip for storing cryptographic keys and account numbers, isolated from the main OS environment.
- **Manual User Authentication:** Requiring biometric (Touch ID) or PIN verification to authorize a transaction/tap.
- **Data Exfiltration Prevention:** The DAN is device-specific and cannot be lifted from the device for use as traditional magnetic stripe data.
- **Encryption in Transit:** Applying secondary, merchant-specific encryption when using Apple Pay within third-party applications.
## Affected Systems
- **Hardware:** iPhone 6, iPhone 6 Plus, new iPads.
- **Software/Services:** Apple Passbook app, Secure Element chip on the device.
- **Financial Systems:** Credit/Debit cards linked to participating US banks (e.g., Bank of America, Chase, Wells Fargo, Amex).
- **Physical Infrastructure:** NFC-enabled payment terminals in stores.
## Mitigations
- **Use Tokenization:** Rely on payment systems that replace PANs with device-specific tokens during transactions.
- **Hardware Isolation:** Ensure sensitive data (like tokens) resides in a hardware-isolated component (Secure Element).
- **Require Multi-Factor Authentication:** Implement 2FA during initial card enrollment into the mobile wallet.
- **Require In-Person Authorization:** Mandate user interaction (PIN/Biometrics) to initiate contactless payment authorization.
- **Avoid Storing PANs:** Do not store primary card details on servers or end-user devices for transaction processing.
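As an added illustration of the tokenization flow described in the key points and mitigations above (my own toy model, not Apple's or any issuer's code; the class names, message format and HMAC-based cryptogram are assumptions), the script below shows why a DAN copied off the wire is of little use: the issuer only honours it from the enrolled device, with a fresh counter, and with a cryptogram computed from a key that never leaves the Secure Element.

```python
import hmac, hashlib, secrets

def make_cryptogram(key, dan, device_id, counter, merchant, amount):
    """Per-transaction MAC binding the token to device, counter and purchase (assumed format)."""
    msg = f"{dan}|{device_id}|{counter}|{merchant}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Bank-side token vault: the only place a DAN is ever mapped back to a PAN."""
    def __init__(self):
        self._vault = {}  # dan -> {pan, device, key, ctr}
    def provision(self, pan, device_id, second_factor_ok):
        if not second_factor_ok:  # enrollment is gated by issuer 2FA
            raise PermissionError("issuer 2FA required")
        dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[dan] = {"pan": pan, "device": device_id, "key": key, "ctr": 0}
        return dan, key  # goes to the Secure Element; the PAN stays here
    def authorize(self, msg):
        rec = self._vault.get(msg.get("dan"))
        if rec is None or rec["device"] != msg.get("device") or msg.get("ctr", 0) <= rec["ctr"]:
            return False  # unknown token, wrong device, or replayed counter
        expected = make_cryptogram(rec["key"], msg["dan"], msg["device"], msg["ctr"], msg["merchant"], msg["amount"])
        if not hmac.compare_digest(expected, msg.get("cryptogram", "")):
            return False  # a lifted DAN without the device key is useless
        rec["ctr"] = msg["ctr"]
        return True

class SecureElement:
    """Holds the DAN and key; emits a signed message only after Touch ID/PIN."""
    def __init__(self, device_id, dan, key):
        self.device_id, self._dan, self._key, self._ctr = device_id, dan, key, 0
    def tap(self, merchant, amount, user_authenticated):
        if not user_authenticated:
            return None
        self._ctr += 1
        c = make_cryptogram(self._key, self._dan, self.device_id, self._ctr, merchant, amount)
        return {"dan": self._dan, "device": self.device_id, "ctr": self._ctr,
                "merchant": merchant, "amount": amount, "cryptogram": c}

def demo():
    issuer = Issuer()
    dan, key = issuer.provision("5105105105105100", "iphone-A", True)  # constructed test PAN
    se = SecureElement("iphone-A", dan, key)
    msg = se.tap("coffee-shop", 425, True)  # amount in cents, constructed
    lifted = {**msg, "ctr": msg["ctr"] + 1, "cryptogram": ""}  # DAN copied without the key
    return {"pan_leaked": "5105105105105100" in str(msg), "ok": issuer.authorize(msg),
            "replay": issuer.authorize(msg), "lifted": issuer.authorize(lifted),
            "no_auth": se.tap("coffee-shop", 425, False) is None}
```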
## Conclusion
Apple Pay represents a significant security advancement over traditional card reading and older mobile wallet methods by heavily emphasizing tokenization and hardware separation (Secure Element). This architecture is specifically designed to thwart the large-scale data theft tactics associated with POS malware and data breaches, as stolen tokens are of highly limited utility compared to full card numbers. Organizations and users adopting this technology benefit from reduced exposure to traditional card skimming and data breach vectors.