Why Apple Pay May Not Be as Secure as You Think
As we inch closer and closer to a wireless, cordless, and cashless society, you may have noticed the sudden influx of commercials from tech companies boasting “an easier way to pay,” or emboldening you to “pay your way.” Of course, Apple is not only among them, but in typical Apple fashion, leading the charge. They've heavily pushed their Apple Pay system in the past year, introducing hundreds of thousands of locations where you can simply swipe your iPhone or Apple Watch to pay for stuff -- from clothes to prescriptions to in-flight bloody marys. And there must be something to it, since a whopping 42% of people with compatible devices have tried it out.
But just how safe is it to link your credit card to your phone? We asked some security experts to weigh in on the risks.
The concept is simple. You link a credit or debit card to your iPhone or Apple Watch and wave your device in front of a special processor at participating retailers -- and there are a lot, from Bloomingdale's to Whole Foods, with more on the way. The purchase amount is deducted from your card via a special embedded chip. And in theory, it’s hugely convenient, especially for the smartphone addicts among us who’d prefer to ditch the leather Costanza wallet in our back pockets.
But should you feel 100% safe and secure bounding around with a phone that contains all the info a scammer needs to empty your bank account? Apple says absolutely. And in their defense, the system is designed with a series of safeguards.
For one, rather than pass your account information directly to McDonald's or Macy’s from your phone, each transaction is parlayed via a different proxy account, so that your information is never collected or even seen by the merchant -- protecting you from the sort of nightmarish mass-hacking incidents that've hit Target, TJ Maxx, Home Depot and others in recent years.
Apple also insists that Pay is more secure than using a physical card. That's because every payment requires you to verify your identity via biometric sensors (your iPhone's Touch ID, or the heart rate monitor on your Apple Watch), which should prevent any random schmo who's stolen your phone from going on a swipe and spend spree.
But that doesn’t stop a hacker who’s already ganked your credit card info from using it to create an Apple Pay account on their own device. In fact, that exact scenario poses what is probably the biggest fraud risk, according to the fraud prevention team at the digital security firm Easy Solutions: “The primary concern isn’t the Apple technology itself, but rather the ways in which Apple Pay and banks are verifying payment and authenticating users. For example, an attacker can easily register their phone with another user’s credentials, since TouchID serves only as a local validation of the fingerprint.”
In short, anyone who scores your credit card info can register their device with it, pose as you to swindle your bank into believing it's legit, and go buckwild at Aeropostale.
But since swiping a stranger's info is increasingly simple these days, and sophisticated hackers will always find new ways to steal your stuff, there's no reason to believe Apple Pay is making you any more or less vulnerable than usual... except that researchers at the mobile data management firm Wandera discovered it's remarkably easy for would-be hackers to co-opt the Apple Pay sign-up process over WiFi, and snag your credit card info even as you're entering it. The good news is the imposter sign-up pages they use to capture your keystrokes are fairly easy to spot.
Your best line of defense is to be ultra-vigilant about keeping tabs on your purchase history. And meanwhile, Apple has lit a fire under banks to amp up their verification efforts to double and triple-check that whoever's linking their card is the true account holder.
The bottom line is this: neither plastic cards nor Apple Pay is secure 100% of the time. Of course, if that's what you're looking for, there's always the old-fashioned way...
Joe McGauley is a senior writer for Thrillist. He accepts Visa, Mastercard, Amex, and literally every other form of payment.