iTokens: Why it makes sense for Apple's rumored payment system to use tokenized transactions

Posted in iPhone, edited May 2015
Apple is finally expected to announce its entry in the mobile payments arena alongside the "iPhone 6" at a media event on Tuesday in Cupertino, and rumors suggest that the new system will be based around tokenization for enhanced security. AppleInsider took a look at what that means for users.

[Image: Touch ID]

The theft of payment card data has become a major problem in recent years. Back-of-house breaches at retail chains like Target -- and more recently, Home Depot -- have attracted headlines, but theft from insecure online storefronts and sophisticated "skimmers" on ATMs and point-of-sale terminals has also increased at an alarming rate.

News coverage of such thievery is often breathless, whipping a largely non-tech savvy population into a frenzy over the dangers of wireless technology that they don't understand. For proof, one needs to look no further than the booming cottage industry of wallets and purses and passport holders that act as portable Faraday cages, ostensibly to protect against the entirely overblown threat of "walk-by hacking."

The real problem comes from merchants and payment providers that transmit and store card data with inadequate encryption or weak security practices. In fairness, this is a difficult technological nut to crack for many small businesses and startups; that's why the payment industry is moving rapidly toward tokenization, in a bid to lower the number of weak links in the payment chain.

What is tokenization?

Broadly speaking, "tokenizing" means swapping out the actual card number for a different, representative number -- a token. The token is generated by running the account number through a cryptographic function that can only be reversed with a key held by the token issuer, usually a bank or payment processor.

In a typical retail transaction, it works like this: The customer swipes their card at a terminal -- say, Jeff's Widgets. The card information is encrypted and sent over the wire to the bank, which decrypts it, authorizes the transaction, and generates a token.

Without the decryption key, payment tokens are worthless to thieves.

The bank then sends the authorization result and the token back to Jeff's Widgets. Jeff can safely hold on to the token along with the transaction record; without the bank's encryption key, there's no way for a thief to reverse the token and discover the real card number, which is stored securely in the bank's token vault.

Without the account number, thieves can't create duplicate cards or make purchases online. That's why Visa, MasterCard, and American Express proposed a global tokenization standard last year, and Visa is set to roll out its own tokenization service this month.

Visa, MasterCard, and American Express should be familiar names to Apple watchers -- the heavyweight financial firms are all rumored to be on board with Apple's payment plans.

So what about Apple?

Apple has some experience with tokenization already when it comes to sensitive data: this is essentially how Touch ID is implemented on the iPhone 5s, though the "token vault" is on the device itself in the form of the A7 chip's Secure Enclave.

When it comes to payments, though, Apple is expected to employ a slightly different method of tokenization. According to Bank Innovation, rather than issuing a single immutable token, the rumored wireless payment system will generate unique one-time-use tokens for each transaction.
[Image: An Apple-assigned patent covering tokenization, filed in 2009]

This means that even if a malicious actor were able to intercept the wireless transmission containing the token, it would be useless -- the token wouldn't be accepted for any future payments. That's important for a number of reasons, not the least of which is that it greatly simplifies any argument Apple will need to make for the security of its new payment system.
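
The two flows the article describes, a reusable token handed back after a card swipe and a one-time token presented by the phone, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Apple's, Visa's or any processor's code, and the `TokenVault`, `Merchant` and `PhoneWallet` classes, the pre-provisioned batch of single-use tokens and the sample card number are all constructed for the example. The token is a random value looked up in the vault rather than a value computed from the card number, which is why a token on its own tells a thief nothing.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed sample card number (the standard Visa test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the usual sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Authorization:
    approved: bool
    reason: str


class TokenVault:
    """Bank / token service provider (hypothetical). A token is a random value
    that maps back to the PAN only through this table, so it cannot be
    'reversed' by anyone who does not hold the table."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, bool]] = {}   # token -> (PAN, single_use)
        self._spent: set[str] = set()

    def issue_token(self, pan: str, single_use: bool) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (pan, single_use)
        return token

    def authorize(self, token: str, amount_cents: int) -> Authorization:
        entry = self._vault.get(token)
        if entry is None:
            return Authorization(False, "unknown token")
        pan, single_use = entry
        if single_use:
            if token in self._spent:
                return Authorization(False, "single-use token already redeemed")
            self._spent.add(token)
        # Detokenization happens only here; the PAN never leaves the vault.
        if amount_cents <= 0 or not luhn_ok(pan):
            return Authorization(False, "declined")
        return Authorization(True, "approved")


@dataclass
class Merchant:
    """Jeff's Widgets: keeps transaction records, but only ever with tokens."""
    name: str
    records: list[dict] = field(default_factory=list)

    def _record(self, token: str, amount_cents: int, auth: Authorization) -> Authorization:
        self.records.append({"token": token, "amount_cents": amount_cents,
                             "approved": auth.approved})
        return auth

    def card_swipe_checkout(self, vault: TokenVault, pan: str, amount_cents: int) -> Authorization:
        # Card-present flow from the article: the PAN goes to the bank once
        # (encrypted in transit in practice) and a reusable token comes back.
        token = vault.issue_token(pan, single_use=False)
        return self._record(token, amount_cents, vault.authorize(token, amount_cents))

    def device_checkout(self, vault: TokenVault, token: str, amount_cents: int) -> Authorization:
        # Wireless flow: the phone presents a one-time token; no PAN is involved.
        return self._record(token, amount_cents, vault.authorize(token, amount_cents))


class PhoneWallet:
    """Device side. Holding a pre-provisioned batch of single-use tokens is an
    assumption of this model; the article does not say how tokens are obtained."""

    def __init__(self, vault: TokenVault, pan: str, batch: int = 3) -> None:
        self._tokens = [vault.issue_token(pan, single_use=True) for _ in range(batch)]

    def next_token(self) -> str:
        return self._tokens.pop(0)


def records_contain_pan(merchant: Merchant, pan: str) -> bool:
    """What a thief learns from a dump of the merchant's transaction database."""
    return any(pan in str(r) for r in merchant.records)


def demo() -> dict:
    vault = TokenVault()
    jeff = Merchant("Jeff's Widgets")
    phone = PhoneWallet(vault, SAMPLE_PAN)

    swipe = jeff.card_swipe_checkout(vault, SAMPLE_PAN, 1999)
    one_time = phone.next_token()
    first = jeff.device_checkout(vault, one_time, 4999)
    replay = jeff.device_checkout(vault, one_time, 4999)          # intercepted and replayed
    forged = jeff.device_checkout(vault, "tok_" + "00" * 8, 100)  # guessed token
    # The static swipe token authorizes again: that reuse is the exposure a
    # per-transaction token removes (real systems also bind static tokens to
    # one merchant, which this toy model omits).
    static_reuse = vault.authorize(jeff.records[0]["token"], 500)

    return {"swipe_approved": swipe.approved,
            "one_time_first_use": first.approved,
            "one_time_replay": replay.approved, "replay_reason": replay.reason,
            "forged_token": forged.approved,
            "static_token_reusable": static_reuse.approved,
            "merchant_db_leaks_pan": records_contain_pan(jeff, SAMPLE_PAN)}
```

Running `demo()` shows the first device payment approved, the replayed and guessed tokens rejected, and the merchant's records free of the card number; the static swipe token still authorizes a second time, which is exactly the gap the one-time design closes.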

Apple has nearly 1 billion credit cards in iTunes, most belonging to relatively high-income consumers. iTunes's security has rarely come into question, but it's not clear how far that goodwill would extend to a mobile payment solution; an easy-to-understand implementation of single-use tokens that leave virtually no room for thieves to operate would help a great deal.

At the end of the day, the widespread adoption of wireless mobile payments will come down to two things: merchant support and consumer trust. Apple has shown that they've got the clout to handle the former; if they can also secure the latter, they might soon have another "world's biggest" plaque to hang on the walls at Infinite Loop.

Comments

  • Reply 1 of 111
    Brilliant!
  • Reply 2 of 111
    shogunshogun Posts: 362member
    The way you describe this it sounds like hackers just need to get the encryption key and the candy store's open. Also, if the person slides their card and the real number is sent to the bank, then what's to preserve the security of the number?

    Either I'm understanding wrong, or you're explaining wrong, or else it doesn't seem that great.
  • Reply 3 of 111

    This is what I said all along. While people are arguing about which methods to transfer data are safer (NFC vs BT vs WiFI vs LTE and claiming NFC is safer due to the short distance) I stated that security lies not in the method of data transfer but not sending personal/confidential data in the first place, and replacing that data with some type of ID or key (token if you like) that is useless to thieves even if they did capture it.

  • Reply 4 of 111
    But will it be fast? One of the drawbacks of chip-based credit and debit cards is it actually slowed down the payment process, rather than speeding it up.
  • Reply 5 of 111
    pmzpmz Posts: 3,433member
    Quote:
    Originally Posted by coolfactor
    But will it be fast? One of the drawbacks of chip-based credit and debit cards is it actually slowed down the payment process, rather than speeding it up.

    I don't think it is about speed. It is about convenience & security.

    Arguably a token based purchase made from an iPhone is potentially a lot more secure than a plastic card with a number and magnetic strip.

    And a wave of the phone is (supposedly) more convenient than taking your wallet out, your card out, swiping (if the reader/strip are both optimal) then pinning in a code or signing a screen. Even if it's hold up your phone, wait for prompt, Touch ID, done.

  • Reply 6 of 111
    solipsismxsolipsismx Posts: 19,566member
    This is what I said all along. While people are arguing about which methods to transfer data are safer (NFC vs BT vs WiFI vs LTE and claiming NFC is safer due to the short distance) I stated that security lies not in the method of data transfer but not sending personal/confidential data in the first place, and replacing that data with some type of ID or key (token if you like) that is useless to thieves even if they did capture it.

    No one saying that NFC is inherently safer than a long-range transmission protocol was saying that tokens were to not be used. You use several methods of various security measures to ensure the safest possible transaction. I've talked about tokens and hashes on the secure enclave on multiple occasions whilst also saying that NFC is a safer solution due to its inherent design. Whether Apple uses any of these measures is another issue altogether, even though I think they will, pretty much anything is better than a physical card with your name, number and expiration printed on it.
  • Reply 7 of 111
    solipsismxsolipsismx Posts: 19,566member
    coolfactor wrote: »
    But will it be fast? One of the drawbacks of chip-based credit and debit cards is it actually slowed down the payment process, rather than speeding it up.

    I do know from using Passbook that it can be slow at times because the iPhone does a whole lot more, but I assume there will be a way to quickly bring up NFC. Perhaps by doing a double-tap of the Home Button, hitting an NFC symbol on the screen and then doing Touch ID, or is that too cumbersome to initiate?
  • Reply 8 of 111
    Quote:
    Originally Posted by SolipsismX
    I do know from using Passbook that it can be slow at times because the iPhone does a whole lot more, but I assume there will be a way to quickly bring up NFC. Perhaps by doing a double-tap of the Home Button, hitting an NFC symbol on the screen and then doing Touch ID, or is that too cumbersome to initiate?

    For Android, NFC is on as soon as the phone is unlocked. No activation needed. It's only a tad faster, but I use it for convenience of not having to carry around all my cards, as has been pointed out here, not speed.

  • Reply 9 of 111
    Quote:
    Originally Posted by AppleInsider
    In a typical retail transaction, it works like this: The customer swipes their card at a terminal -- say, Jeff's Widgets. The card information is encrypted and sent over the wire to the bank, which decrypts it, authorizes the transaction, and generates a token.

    Without the decryption key, payment tokens are worthless to thieves.

    Quote:
    Originally Posted by Shogun
    The way you describe this it sounds like hackers just need to get the encryption key and the candy store's open. Also, if the person slides their card and the real number is sent to the bank, then what's to preserve the security of the number?

    Either I'm understanding wrong, or you're explaining wrong, or else it doesn't seem that great.

    Apple's solution adds two layers of security:

    1) Tokenization - eliminates risk of authorizations being reused.

    2) Touch ID - reduces the chances of someone other than you initiating the transaction.

  • Reply 10 of 111
    solipsismxsolipsismx Posts: 19,566member
    nexusphan wrote: »
    For Android, NFC is on as soon as the phone is unlocked. No activation needed. It's only a tad faster, but I use it for convenience of not having to carry around all my cards, as has been pointed out here, not speed.

    That seems like a horrible system because you don't need NFC available for payments all but a few ten-thousandths of a percent of your usage time. You certainly don't want NFC active for power usage or security reasons when you're not intending to make a purchase. This should be a deliberate action.
  • Reply 11 of 111
    jessijessi Posts: 302member

    Sigh.

    Basically everything this article says is wrong. It's clearly written by someone who does not understand security or cryptography.

    It's such a mess that there isn't much point in attempting to rebut it specifically.

    Kinda like explaining evolution to a creationist, or physics to a global warmist.

  • Reply 12 of 111
    dasanman69dasanman69 Posts: 13,001member
    solipsismx wrote: »
    No one saying that NFC is inherently safer than a long-range transmission protocol was saying that tokens were to not be used. You use several methods of various security measures to ensure the safest possible transaction. I've talked about tokens and hashes on the secure enclave on multiple occasions whilst also saying that NFC is a safer solution due to its inherent design. Whether Apple uses any of these measures is another issue altogether, even though I think they will, pretty much anything is better than a physical card with your name, number and expiration printed on it.

    Would you suggest a numeric, alphanumeric, or a QR code for a token? Even though I think it's a great idea, what's the probability of a hacker figuring out the algorithm used to generate the next one?
  • Reply 13 of 111
    auxioauxio Posts: 2,328member
    Quote:
    Originally Posted by Shogun
    The way you describe this it sounds like hackers just need to get the encryption key and the candy store's open.

    Correct. However, only the bank holds the key (not the individual retailers) and so it's far less likely to fall into the wrong hands because banks tend to take information security far more seriously than retailers. I mean, if a hacker were able to hack into the bank's database, they wouldn't even need the encryption key anyways.

    Quote:
    Also, if the person slides their card and the real number is sent to the bank, then what's to preserve the security of the number?

    That's exactly the current system: the real credit card number is stored with each transaction at the retailer. The point is that, with the new system, you wouldn't need to swipe your card anymore. Your credit card information would be stored on your phone (encrypted via TouchID) and it's only ever sent as an encrypted token for transactions.

  • Reply 14 of 111
    Quote:
    Originally Posted by SolipsismX
    I do know from using Passbook that it can be slow at times because the iPhone does a whole lot more, but I assume there will be a way to quickly bring up NFC. Perhaps by doing a double-tap of the Home Button, hitting an NFC symbol on the screen and then doing Touch ID, or is that too cumbersome to initiate?

    When you swipe your iPhone6 at a payment terminal a dialog window will appear asking you to authenticate with Touch ID.

  • Reply 15 of 111
    solipsismxsolipsismx Posts: 19,566member
    When you swipe your iPhone6 at a payment terminal a dialog window will appear asking you to authenticate with Touch ID.

    That seems like a good solution so long as it shows at least the amount that will be deducted, lists the party who is asking for the funds with an SSL-like certificate that can be verified, if need be, and has a confirm screen after you authenticate via Touch ID, although this would be a bit tricky to do whilst maintaining NFC's magnetic loop, so not using NFC, or using BT to set up the transaction before you actually make the purchase via NFC, could be utilized.


    edit: If it allows you to store multiple CCs you'd need to be able to choose the one you want for that purchase. I use several to maximize my points.
  • Reply 16 of 111
    solipsismxsolipsismx Posts: 19,566member
    dasanman69 wrote: »
    Would you suggest a numeric, alphanumeric, or a QR code for a token? Even though I think it's a great idea, what's the probability of a hacker figuring out the algorithm used to generate the next one?

    I'm all for any token-based system. It's hard to imagine that whatever Apple does it's not safer than using a CC. I suppose the hash could be reverse engineered and they could find a way into your iPhone's secure enclave but that seems like a huge order compared to just stealing your credit card. Now if this hack is universal and they can use the same program to reverse any hash then even canceling your cards and inputting new ones would be useless for added security against those individuals, but they would still need access to your device, unless they can find a way to get access remotely. I suppose that whatever SW Apple uses will be isolated from every app but they can make mistakes, so who knows.
  • Reply 17 of 111
    eriamjheriamjh Posts: 1,340member
    CC companies couldn't give a rat's ass about security because the losses still are not greater than the costs of implementing something better. They don't care about anyone's personal credit or balance. All they care about is money.

    This is a good move by Apple. It may be just the beginning of a move to safer electronic payments, but it's better than the crap system in the USA.

    I just hope that they have an easy way to select cards or payment options. I don't put everything on one card.
  • Reply 18 of 111
    auxioauxio Posts: 2,328member
    Quote:
    Originally Posted by SolipsismX
    I suppose the hash could be reverse engineered and they could find a way into your iPhone's secure enclave but that seems like a huge order compared to just stealing your credit card.

    As far as I've heard, the only known hack for the TouchID system is a faked fingerprint. Which is very difficult to do, and a remote wipe of the phone would be able to stop it.

  • Reply 19 of 111
    solipsismxsolipsismx Posts: 19,566member
    eriamjh wrote: »
    CC companies couldn't give a rat's ass about security… All they care about is money.

    If better security means less fraudulent charges they have to refund thus creating a net gain for them then they very much care for the gluteus maximus of Rattus rattus.
  • Reply 20 of 111
    normmnormm Posts: 637member

    It seems to me the idea would be something like the following.

    Present authorization of a transaction takes one round trip: credit card info and amount are sent to the card issuer, and an authorization is returned if the transaction is approved. This has the problem that all the information needed to perform another transaction is exposed to the merchant's hardware, and is visible on the wire.

    If we'd like to make a secure transaction just as fast, we'd like to do the same thing in one round trip without exposing any sensitive information. This can be done using cryptography: only encrypted data ever leaves the iPhone. The encrypted message should be non-reusable, including for example time and date as part of the encrypted transaction request.

    The encryption could be made very strong, with some secrets stored only on the iPhone and some only at the card issuer, and with the iPhone secrets protected in its secure enclave. New secrets can be created and exchanged as needed, much as they are in https.
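
The one-round-trip design normm sketches in the post above, a request that includes time and date, is non-reusable and can only be produced with a secret the phone and the issuer share, can be tried out in code. What follows is an added illustration written for this page, not Apple's or any issuer's protocol and not code from the commenter; the `Device` and `Issuer` classes, the 120-second freshness window, the per-device HMAC key and the constructed clock values are all assumptions. One deliberate simplification: the request is authenticated with HMAC-SHA256 from the standard library rather than encrypted, since the card number never appears in the message at all; the checks that matter for the post's point (a verifiable tag, a freshness window, and a nonce that the issuer refuses to accept twice) are the same either way.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, replace

FRESHNESS_WINDOW_SECONDS = 120   # assumption: how far a request's clock may drift from the issuer's


def canonical(device_id: str, merchant_id: str, amount_cents: int,
              timestamp: int, nonce: str) -> bytes:
    """Fixed-order encoding of every field the authentication tag covers."""
    return json.dumps([device_id, merchant_id, amount_cents, timestamp, nonce]).encode()


def compute_tag(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


@dataclass
class PaymentRequest:
    """What leaves the phone: no card number, just a device reference, the
    transaction details, freshness data and a tag only the issuer can verify."""
    device_id: str
    merchant_id: str
    amount_cents: int
    timestamp: int      # device clock, seconds since the epoch
    nonce: str          # fresh random value per request
    tag: str

    def body(self) -> bytes:
        return canonical(self.device_id, self.merchant_id, self.amount_cents,
                         self.timestamp, self.nonce)


class Device:
    """Phone side (hypothetical). The per-device secret would live in the Secure Enclave."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key

    def make_request(self, merchant_id: str, amount_cents: int, now: int) -> PaymentRequest:
        nonce = secrets.token_hex(16)
        body = canonical(self.device_id, merchant_id, amount_cents, now, nonce)
        return PaymentRequest(self.device_id, merchant_id, amount_cents, now, nonce,
                              compute_tag(self._key, body))


class Issuer:
    """Card issuer side (hypothetical): holds the other copy of each device secret."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._seen: set[tuple[str, str]] = set()    # (device_id, nonce) already redeemed

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key

    def authorize(self, req: PaymentRequest, now: int) -> tuple[bool, str]:
        key = self._keys.get(req.device_id)
        if key is None:
            return False, "unknown device"
        if not hmac.compare_digest(compute_tag(key, req.body()), req.tag):
            return False, "bad tag"          # forged, or amount/merchant altered in transit
        if abs(now - req.timestamp) > FRESHNESS_WINDOW_SECONDS:
            return False, "stale"            # outside the acceptance window
        if (req.device_id, req.nonce) in self._seen:
            return False, "replay"           # same request presented again
        self._seen.add((req.device_id, req.nonce))   # entries older than the window could be pruned
        return True, "approved"


def demo() -> dict:
    issuer = Issuer()
    phone = Device("device-A", issuer.enroll("device-A"))
    now = 1_700_000_000                      # constructed clock value

    req = phone.make_request("jeffs-widgets", 4999, now)
    first_ok, _ = issuer.authorize(req, now + 2)
    replay_ok, replay_why = issuer.authorize(req, now + 30)          # captured and resent
    tampered = replace(req, amount_cents=99_999)                     # captured and altered
    tamper_ok, tamper_why = issuer.authorize(tampered, now + 2)
    old = phone.make_request("jeffs-widgets", 100, now - 3600)       # an hour old
    stale_ok, stale_why = issuer.authorize(old, now)
    second_ok, _ = issuer.authorize(phone.make_request("jeffs-widgets", 4999, now + 5), now + 6)

    return {"first": first_ok, "second_purchase": second_ok,
            "replay": replay_ok, "replay_why": replay_why,
            "tampered": tamper_ok, "tamper_why": tamper_why,
            "stale": stale_ok, "stale_why": stale_why}
```

The merchant's terminal only relays `PaymentRequest` to the issuer and gets an approve/decline back, so the round-trip count matches today's flow while nothing on the wire can be replayed, re-priced or used to build a second transaction.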
