Apple Pay went live yesterday. And while there has been much talk about how it's going to disrupt the payment system, and how easy it will be to use, security is once again being overlooked in the urgency for speed and convenience above all else.
First, there's the obvious concern about losing your phone. Americans lose their phones once every 3.5 seconds. Apple Pay overnight raises the value of a lost iPhone, creating greater incentive for theft. We view this concern as similar to the concern over losing your credit card, but with the added risk that the thief now also has access to your email address, and your method of two-factor authentication for many services, making it easier to not only commit simple fraud, but also to more completely impersonate the victim, for more sophisticated fraud. While you can 'find my phone' and shut it down, this is not always instantaneous.
Second, and probably the bigger concern, is that the authentication mechanisms for validating cards is unclear. Apple seemed to have focused on security payment mechanisms such as tokenization and fingerprint (which we believe are solid steps). But payment can only be as secure as the authentication, which starts with registering cards to an account, as well granting access to a particular account.
Apple has not yet disclosed how they will authenticate cards before allowing their use. Without the proper authentication mechanisms, Apple may have just made it far easier for criminals to counterfeit credit cards from black market. Now you don't need a physical card to make a purchase in person. You can simply take a picture of numbers superimposed (or photoshopped) on a card, and run with it.
And third, users add credit cards to their iPhones by taking pictures of them. As Jennifer Lawrence and others can attest to, Apple’s ability to securely store and transmit those photos remains to be answered. Depending on how they are being stored and transmitted, it would not be surprising to see malware developed around this mechanism.
False sense of security – likely less fraud initially
We predict that banks and financial institutions are likely to see less fraud initially, providing a false sense of security. This is because hackers need time to do their research on the system, to uncover vulnerabilities, and then to write code to exploit those vulnerabilities in the most undetectable way possible. There is learning curve for everybody - merchant, consumer and hacker. With such an attractive, potentially lucrative target at stake, it is only a matter of time before these systems are found to be vulnerable. The only question is, who will find the vulnerability first?
We recommend that both individuals and financial services firms continue to adopt a multilayered security strategy. For individuals, this means enabling as many security mechanisms as the vendor provides. For financial services firms, this includes continued monitoring of black-market and card-not-present transactions. We predict that banks will also start paying more attention to ‘device health’, as visibility into the status of a device, potentially malicious apps running on it, etc. is going to be more important going forward.
While we don’t see most consumers throwing away their wallets yet (only 1% of retailers support it today, and you can only leverage it on an iPhone 6), we do believe financial institutions should be thinking about steps to protect themselves and their customers from the new fraud schemes that are sure to emerge.