AMITIAE - Monday 12 September 2014

Cassandra: Security Comment on Apple's Development of Multi-factor Authenticated Payment System



By Graham K. Rogers


As usual when Apple releases a product or service, there has been some wild speculation concerning certain technical aspects, particularly of the new feature that will be available for US owners of the iPhone 6: Apple Pay.

Much (virtual) print has been wasted on the security aspects by many commentators who presume that, following a poorly-reported security problem for some users of iCloud the previous week, Apple's customer safety with Apple Pay is also suspect. Comments by Eddy Cue when the service was announced, and by Tim Cook in an interview with Charlie Rose, are dismissed (whatever they might have said) because of course - it might be argued - they are biased.

One thing that both referred to was the secure element that is available on the A8 processor. When TouchID was introduced last year, the data was reported to be stored in a secure enclave on the A7. Derision, criticism and questions followed, but Apple satisfied most of its critics and thus far there have been no reports of security problems with this feature: in particular, none of thumbs surgically removed by criminal gangs, as was theorised by some.

The structure of the new processor is commented on by Ryan Smith of AnandTech, who analyses technical information on the A8 released by Apple.

Apple Pay - Image Courtesy of Apple

It is therefore also useful to read the independent opinion of a security expert who has examined the way the Apple Pay service has been built, particularly with regard to security. Paco Hope, as reported on Help Net Security, is positive about the way TouchID, which he calls "the Second Factor", was rolled out first, to be followed by the first factor: the payment application and API. He notes the relative strength of this system, which depends on possession (phone, thumb/finger) rather than knowledge (password/passkey).

Hope is not totally convinced about the success of the system in terms of speed, citing the London Underground attempts at using NFC on a number of occasions. However, he is carefully focused on the differences between the approach of Apple ("a for-profit company looking to deliver value to customers who pay money for that value") and Google, who launch "a bunch of technology into the marketplace and it leaves the creation of business models to someone else."

More information and the full article are available at Help Net Security.

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs. He is now continuing that in the Bangkok Post supplement, Life.




All content copyright © G. K. Rogers 2014