An Overview of the Mobile Wallet and Apple Pay

Ravi Das, January 5, 2018

Introduction

There is no doubt that today, the Smartphone is fast becoming an extension of both our personal and professional lives. For example, not only can we use it to communicate instantly with our family and friends, but we can now pretty much even do all our basic office tasks on our Smartphone.

There is also yet another realm of life in which the Smartphone is impacting society. This is in the way that we shop for goods and services. From our Smartphone, we can visit an e-commerce store, select the products we want, enter our credit card information, and choose the shipment method. Because of this, there is hardly even a need to visit the traditional brick and mortar store.

However, there is now even a newer method called the "Mobile Wallet" which is designed to make our online shopping experience even quicker and more efficient, with fewer clicks on the keypad and not having to enter our credit card number every time. This article reviews in detail what the Mobile Wallet is all about.

What Is the Mobile Wallet?


When it comes to making payments in Cyberspace, there are many terms that are associated with it. The most commonly used ones are Virtual Payments, Virtual Currencies, Digital Wallets, Mobile Payments, etc. However, for the sake of this and future articles, the term "Mobile Wallet" will be used (as implied by the title).

However, it all comes down to this common denominator: when making a payment, there is at least one, and often two or more, intermediaries involved between the point at which our financial information is first collected and the point at which it is ultimately processed to complete the payment.

A Mobile Wallet can be precisely defined as follows:

"A mobile wallet is a way to carry your credit card or debit card information in a digital form on your mobile device. Instead of using your physical plastic card to make purchases, you can pay with your smartphone, tablet, or smartwatch." (SOURCE: 1).

So, rather than paying with your credit card directly (which poses its own set of Security vulnerabilities), you can use your iPhone or Samsung/Windows Mobile device to make a payment. As can be seen from the definition, it is your Smartphone which contains and stores your financial information.

So, once you are ready to make a payment, you simply tap your Smartphone on the Point of Sale Terminal. To transmit your financial information to the terminal, a short-range wireless protocol known as "Near Field Communications" (also known as "NFC") is used.

Specifically, there is a miniature NFC antenna in the Smartphone, and a matching NFC antenna in the terminal. Together, these two allow a complete line of communication to be established between the device and the terminal.

However, to successfully use a Mobile Wallet, there are several steps you must initiate first, which are as follows:

  1. Download the appropriate mobile app:

    To store any of your financial information on your Smartphone, you first must download the appropriate app. In this regard, it would be "Apple Pay" for the iPhone or the iPad, and for the Samsung/Windows Mobile devices, it would be "Google Wallet." Thus, as was stated before, a fundamental difference in the Mobile Wallet is that an intermediary is involved. In this case, it is the mobile app, because it not only stores your credit card information, but also makes it easy for the NFC antenna to retrieve.

  2. Enter your credit card info into the mobile app:

    This is probably one of the most significant Security concerns for the end user, and rightfully so. At this step, the mobile app will ask you to confirm your identity. For the iPhone/iPad, Fingerprint Recognition is used, and this process is known as "Touch ID." For the Samsung/Windows Mobile devices, the traditional password or passcode is still used, which is considered to be a much weaker form of Security when compared to that of Fingerprint Recognition. Once your identity has been confirmed, the configuration process of the Mobile Payment will continue. Very often, today's Smartphones will even contain a specialized Smart Card which also stores all Mobile Payment information and data. This is a separate, isolated memory which is kept apart from the memory that stores other mobile apps, photos, videos, and contacts.

  3. Pay for goods and/or services with your Smartphone:

    Once the above two steps have been accomplished, you can make payments with your Mobile Wallet. However, it is important to note that the vendor from whom you intend to make a purchase must also support a Mobile Wallet scheme. It simply cannot be used just anywhere.

This sequence of steps is illustrated in the figure below:


The most widely used Mobile Wallet is that of Apple Pay and will be reviewed in the next section.

An Overview of Apple Pay

Apple Pay is essentially the mobile app which can be downloaded and installed on your iPhone or even your iPad. Because it is deemed to have more robust Security than other dominant Mobile Wallets (such as that of Google Wallet), Apple Pay is supported by the major banks worldwide. These include the likes of JP Morgan Chase, Bank of America Corporation, and Citigroup, Inc.

After the end user has downloaded the mobile app and has entered in their financial information (such as that of credit card number or bank account), he or she can now start to make payments with their iPhone or iPad.

To initiate the actual payment process, Apple has established what is known as a "Two Factor Authentication" (or "2FA") approach.

First, the individual must enter their Passcode. Once this has been accepted, the end user is then prompted to have their identity further confirmed using Touch ID, which is the Fingerprint Recognition embedded into the iPhone or the iPad. An example of this is illustrated below:


It should be noted that the only time your credit card or banking information is ever entered into Apple Pay is when you first set it up in the mobile app. Alternatively, you can take a picture of your credit card and upload that into Apple Pay instead.

If this method is utilized, this image is fully encrypted and sent over to the servers at Apple for decryption. From here, the credit card information is then checked for the authenticity and the issuer of the credit card.

After this process has been completed, Apple then re-encrypts the credit card information with a Public Key/Private Key combination which only the credit card issuer or its payment network can unlock.

Other encrypted information and data are sent as well, such as your iTunes transaction history. Ultimately, the credit card issuer then either allows or denies the specific credit card to be used in Apple Pay.

If the credit card has been approved for use in Apple Pay, a "Device Account Number" (also known as a "DAN") is issued. This is a Cryptographic Token which is assigned to every iPhone or iPad which makes use of Apple Pay.

This is then used to generate dynamic Security Codes which will become unique to each transaction that the end user engages in. In a way, this is very similar to the transactions with credit cards that are Security chip enabled.

In more technical terms, a Cryptogram is generated in the Near Field Communications wireless stream between the antenna embedded in the iPhone and the reader at the Point of Sale Terminal. This Cryptogram is then ultimately transmitted back to the credit card issuer for the approval or denial of the Apple Pay transaction. The Cryptogram can also be viewed as a one-time digital signature which verifies the actual validity of the token.

This specialized type of transaction offers some key advantages over the other Mobile Wallets, as follows:

  1. The token (also a 16-digit number, but one which holds no intrinsic value: it is not mathematically derived from the card number, so the token itself cannot be reverse engineered into the original credit card number) becomes a proxy for the actual credit card number and is generated for each specific iPhone/iPad. Keep in mind that this is in addition to the dynamic codes that are generated for every transaction the end user makes. The use of tokens in Apple Pay helps to eliminate so-called Man in The Middle (MITM) Attacks and credit card skimming threats.
  2. Making sure that the highest levels of Security are incorporated into the token is ultimately up to the credit card issuer; it is not the responsibility of Apple or even the end user. Since credit card companies are already under the "magnifying glass" for their Security practices in general, there is a very high probability that the best layers of Security are already being afforded to the tokens and the process used to create them. Additionally, a dynamic CVV value is assigned to the token as an additional layer of Security. Finally, a feature known as the "Secure Enclave Processor" has been implemented. With this, the main processor in the iPhone or the iPad is prevented from gaining any access to sensitive information and data. The Secure Enclave is also used to support the Touch ID Fingerprint Recognition System, and even has its own OS, known as "SEPOS."
  3. The tokens are never stored on the iOS Operating System or the Apple Pay Servers, and are not even backed up to iCloud. Because of this, your credit card issuer can also disable the magnetic stripe functionality on your credit card, just as an extra precaution in case your credit card number does get stolen or hijacked. The downside is that you will have to contact your credit card issuer if you want to use your credit card outside of Apple Pay.
  4. The use of tokens almost eliminates the types of Cyber-attacks that target the credit card magnetic stripe in traditional transactions. These include Man in the Middle Attacks and Credit Card Skimming.
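As an added illustration (not code from this article, from Apple, or from any payment network), the following Python sketch models the tokenization and per-transaction cryptogram flow described above: a randomly drawn Device Account Number stands in for the card number, only the issuer's vault links the two, and every tap carries a one-time code bound to a counter, the amount and a terminal nonce. The EMV cryptogram is replaced here by an HMAC, and the vault layout, key size, counter check and message format are assumptions of the sketch, not Apple Pay's actual protocol.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test card number, not a real card


def make_cryptogram(key, token, counter, amount_cents, terminal_nonce):
    # Dynamic per-transaction code (simplified stand-in for the EMV cryptogram):
    # an HMAC over the token, a monotonic counter, the amount and a terminal nonce.
    msg = f"{token}|{counter}|{amount_cents}|{terminal_nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenVault:
    # Issuer/network side: the DAN is random, and only the vault links it to the
    # PAN, so the token itself cannot be reverse engineered into the card number.
    def __init__(self):
        self._vault = {}

    def provision(self, pan):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # shared only with the device's secure element
        self._vault[token] = {"pan": pan, "key": key, "counter": 0}
        return token, key

    def authorize(self, token, counter, amount_cents, terminal_nonce, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return "DECLINED: unknown token"
        if counter <= entry["counter"]:  # a captured stream replayed as-is
            return "DECLINED: replay"
        expected = make_cryptogram(entry["key"], token, counter, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: bad cryptogram"  # amount or token altered in transit
        entry["counter"] = counter
        return "APPROVED"


def run_demo():
    vault = TokenVault()
    token, key = vault.provision(SAMPLE_PAN)  # device side keeps only token + key
    nonce = secrets.token_hex(4)              # unpredictable number from the terminal
    crypt = make_cryptogram(key, token, 1, 1999, nonce)  # counter 1: the first tap
    first = vault.authorize(token, 1, 1999, nonce, crypt)
    replay = vault.authorize(token, 1, 1999, nonce, crypt)      # same stream replayed
    tampered = vault.authorize(token, 2, 99999, nonce, crypt)   # amount changed in transit
    return token != SAMPLE_PAN, first, replay, tampered
```

Running `run_demo()` shows the three outcomes the text describes: the genuine tap is approved, the replayed cryptogram is declined, and an altered amount fails verification because the one-time code no longer matches.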

Conclusions

In summary, this article has reviewed the concepts behind what a Mobile Wallet is, with a particular emphasis given to Apple Pay. It is essential to keep in mind that as the world is turning more towards a digital means of conducting business transactions, the use of Mobile Wallets is expected to rise as well.

The two dominant Mobile Wallet payment structures are that of Google Wallet and Apple Pay. It is the latter which is used the most widely, given the considerable market saturation of both the iPad and the iPhone. As it was reviewed, the setup is a speedy process, and it is also straightforward to use as well.

The most significant advantage of using a Mobile Wallet is that of convenience. Payments can be made and processed in just a matter of seconds, versus the minutes it could take when your credit card is used in the traditional means.

Security experts have noted that Apple has done an excellent job in creating a very secure and robust Apple Pay environment. However, despite this, it too is prone to its Security vulnerabilities, just like anything else. This will be examined in the next article.

Resources

  1. https://www.wellsfargo.com/mobile-payments/mobile-wallet-basics/
  2. https://www.quora.com/How-do-digital-wallets-work
  3. https://www.firstdata.com/downloads/thought-leadership/MobileWalletWP.pdf
  4. https://www.capitalone.com/credit-cards/blog/what-is-mobile-wallet/
  5. https://arstechnica.com/gadgets/2014/10/how-mobile-payments-really-work/
  6. https://www.engadget.com/2014/10/02/apple-pay-an-in-depth-look-at-whats-behind-the-secure-payment/
  7. https://developer.apple.com/apple-pay/Getting-Started-with-Apple-Pay.pdf
  8. http://apps.cybersource.com/library/documentation/dev_guides/apple_payments/SO_API/Apple_Pay_SO_API.pdf
  9. https://www.ncr.com/sites/default/files/white_papers/15FIN3279A_Contactless_EMV_Apple_Pay_wp.pdf
  10. https://www.firstdata.com/downloads/marketing-fs/First-Data-Integrated-Tokenization-Services-Webinar.pdf
  11. https://www.neowin.net/news/apple-keeps-your-conversations-with-siri-for-two-years
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.