iTokens: Why it makes sense for Apple's rumored payment system to use tokenized transactions
Apple is finally expected to announce its entry in the mobile payments arena alongside the "iPhone 6" at a media event on Tuesday in Cupertino, and rumors suggest that the new system will be based around tokenization for enhanced security. AppleInsider took a look at what that means for users.
The theft of payment card data has become a major problem in recent years. Back-of-house breaches at retail chains like Target -- and more recently, Home Depot -- have attracted headlines, but theft from insecure online storefronts and sophisticated "skimmers" on ATMs and point-of-sale terminals has also increased at an alarming rate.
News coverage of such thievery is often breathless, whipping a largely non-tech savvy population into a frenzy over the dangers of wireless technology that they don't understand. For proof, one needs to look no further than the booming cottage industry of wallets and purses and passport holders that act as portable Faraday cages, ostensibly to protect against the entirely overblown threat of "walk-by hacking."
The real problem comes from merchants and payment providers that transmit and store card data with inadequate encryption or weak security practices. In fairness, this is a difficult technological nut to crack for many small businesses and startups; that's why the payment industry is moving rapidly toward tokenization, in a bid to lower the number of weak links in the payment chain.
What is tokenization?
Broadly speaking, "tokenizing" means swapping out the actual card number for a different, representative number -- a token. The token is generated by running the account number through a cryptographic function that can only be reversed with a key held by the token issuer, usually a bank or payment processor.
In a typical retail transaction, it works like this: The customer swipes their card at a terminal -- say, Jeff's Widgets. The card information is encrypted and sent over the wire to the bank, which decrypts it, authorizes the transaction, and generates a token.
Without the decryption key, payment tokens are worthless to thieves.
The bank then sends the authorization result and the token back to Jeff's Widgets. Jeff can safely hold on to the token along with the transaction record; without the bank's encryption key, there's no way for a thief to reverse the token and discover the real card number, which is stored securely in the bank's token vault.
Without the account number, thieves can't create duplicate cards or make purchases online. That's why Visa, MasterCard, and American Express proposed a global tokenization standard last year, and Visa is set to roll out its own tokenization service this month.
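The retail flow just described, as an added example in Python that is not code from AppleInsider, Visa, or any bank. It models the issuer as the only party holding the tokenization key and the token vault, and the merchant as storing nothing but the token that comes back with the authorization result. The "9" token prefix, the merchant names and the test card number are constructed, and the encrypted terminal-to-bank link (TLS in practice) is assumed rather than modelled.

```python
"""Added example: issuer-side token vault and a merchant that stores only tokens.
Not code from AppleInsider or any bank; names and numbers are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes `partial + digit` pass the Luhn test,
    so a token is shaped like a card number and passes merchant input validation."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # digits at even offsets from the check digit are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class Issuer:
    """The bank side: the key and the vault never leave this process."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    vault: dict = field(default_factory=dict)   # token -> real PAN

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # Keyed and deterministic per (merchant, card): the same card at the same
        # merchant always yields the same token, so Jeff can recognise repeat
        # customers; a different merchant, or a different key, gets a different token.
        mac = hmac.new(self.key, f"{merchant_id}|{pan}".encode(), hashlib.sha256).digest()
        body = str(int.from_bytes(mac[:8], "big") % 10**14).zfill(14)
        partial = "9" + body                     # "9" prefix: assumed token range, not a real BIN
        token = partial + luhn_check_digit(partial)
        self.vault[token] = pan                  # only the issuer can map a token back to the PAN
        return token

    def detokenize(self, token: str) -> str:
        return self.vault[token]

    def authorize(self, pan: str, merchant_id: str, amount: float) -> tuple:
        approved = luhn_valid(pan) and amount > 0   # stand-in for real authorization rules
        return approved, self.tokenize(pan, merchant_id)


@dataclass
class Merchant:
    merchant_id: str
    records: list = field(default_factory=list)  # what a breach of Jeff's database would expose

    def checkout(self, bank: Issuer, pan: str, amount: float) -> tuple:
        # The terminal reads the PAN and sends it to the bank (encrypted link assumed);
        # only the token comes back, and only the token is written to the record.
        approved, token = bank.authorize(pan, self.merchant_id, amount)
        self.records.append({"token": token, "amount": amount, "approved": approved})
        return approved, token


def demo() -> dict:
    bank = Issuer()
    jeff = Merchant("jeffs-widgets")
    other = Merchant("other-store")
    pan = "4111111111111111"                     # constructed test PAN, not a real card
    approved, token = jeff.checkout(bank, pan, 19.99)
    _, token_again = jeff.checkout(bank, pan, 5.00)
    _, token_elsewhere = other.checkout(bank, pan, 5.00)
    dump = str(jeff.records)                     # a thief's view of the merchant database
    return {
        "approved": approved,
        "token": token,
        "same_token_repeat": token == token_again,
        "same_token_other_merchant": token == token_elsewhere,
        "pan_in_dump": pan in dump,
        "issuer_recovers": bank.detokenize(token) == pan,
        "other_key_matches": Issuer().tokenize(pan, "jeffs-widgets") == token,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows what a dump of Jeff's records would give a thief: sixteen-digit values that pass the same Luhn check as a card number but cannot be turned back into a PAN, because the key and the vault sit at the bank rather than in the store. Tokenizing per merchant as well as per card is a deliberate choice: a token lifted from one retailer's database is meaningless at another.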
Visa, MasterCard, and American Express should be familiar names to Apple watchers -- the heavyweight financial firms are all rumored to be on board with Apple's payment plans.
So what about Apple?
Apple has some experience with tokenization already when it comes to sensitive data: this is essentially how Touch ID is implemented on the iPhone 5s, though the "token vault" is on the device itself in the form of the A7 chip's Secure Enclave.
When it comes to payments, though, Apple is expected to employ a slightly different method of tokenization. According to Bank Innovation, rather than issuing a single immutable token, the rumored wireless payment system will generate unique one-time-use tokens for each transaction.
An Apple-assigned patent covering tokenization, filed in 2009
This means that even if a malicious actor were able to intercept the wireless transmission containing the token, it would be useless -- the token wouldn't be accepted for any future payments. That's important for a number of reasons, not the least of which is that it greatly simplifies any argument Apple will need to make for the security of its new payment system.
Apple has nearly 1 billion credit cards in iTunes, most belonging to relatively high-income consumers. iTunes's security has rarely come into question, but it's not clear how far that goodwill would extend to a mobile payment solution; an easy-to-understand implementation of single-use tokens that leave virtually no room for thieves to operate would help a great deal.
At the end of the day, the widespread adoption of wireless mobile payments will come down to two things: merchant support and consumer trust. Apple has shown that they've got the clout to handle the former; if they can also secure the latter, they might soon have another "world's biggest" plaque to hang on the walls at Infinite Loop.
Comments
This is what I said all along. While people are arguing about which methods to transfer data are safer (NFC vs BT vs WiFI vs LTE and claiming NFC is safer due to the short distance) I stated that security lies not in the method of data transfer but not sending personal/confidential data in the first place, and replacing that data with some type of ID or key (token if you like) that is useless to thieves even if they did capture it.
But will it be fast? One of the drawbacks of chip-based credit and debit cards is it actually slowed down the payment process, rather than speeding it up.
I don't think it is about speed. It is about convenience & security.
Arguably a token based purchase made from an iPhone is potentially a lot more secure than a plastic card with a number and magnetic strip.
And a wave of the phone is (supposedly) more convenient than taking your wallet out, your card out, swiping (if the reader/strip are both optimal) then pinning in a code or signing a screen. Even if it's hold up your phone, wait for prompt, Touch ID, done.
No one saying that NFC is inherently safer than a long-range transmission protocol was saying that tokens were to not be used. You use several methods of various security measures to ensure the safest possible transaction. I've talked about tokens and hashes on the secure enclave on multiple occasions whilst also saying that NFC is a safer solution due to its inherent design. Whether Apple uses any of these measures is another issue altogether, even though I think they will, pretty much anything is better than a physical card with your name, number and expiration printed on it.
I do know from using Passbook that it can be slow at times because the iPhone does a whole lot more, but I assume there will be a way to quickly bring up NFC. Perhaps by doing a double-tap of the Home Button, hitting an NFC symbol on the screen and then doing Touch ID, or is that too cumbersome to initiate?
For Android, NFC is on as soon as the phone is unlocked. No activation needed. It's only a tad faster, but I use it for convenience of not having to carry around all my cards, as has been pointed out here, not speed.
In a typical retail transaction, it works like this: The customer swipes their card at a terminal -- say, Jeff's Widgets. The card information is encrypted and sent over the wire to the bank, which decrypts it, authorizes the transaction, and generates a token.
Without the decryption key, payment tokens are worthless to thieves.
The way you describe this it sounds like hackers just need to get the encryption key and the candy store's open. Also, if the person slides their card and the real number is sent to the bank, then what's to preserve the security of the number?
Either I'm understanding wrong, or you're explaining wrong, or else it doesn't seem that great.
Apple's solution adds two layers of security
1) Tokenization - eliminates risk of authorizations being reused.
2) Touch ID - reduces the chances of someone other than you initiating the transaction.
That seems like a horrible system because you don't need NFC available for payments all but a few ten-thousandths of a percent of your usage time. You certainly don't want NFC active for power usage or security reasons when you're not intending to make a purchase. This should be a deliberate action.
Sigh.
Basically everything this article says is wrong. It's clearly written by someone who does not understand security or cryptography.
It's such a mess that there isn't much point in attempting to rebut it specifically.
Kinda like explaining evolution to a creationist, or physics to a global warmist.
Would you suggest a numeric, alphanumeric, or a QR code for a token? Even though I think it's a great idea, what's the probability of a hacker figuring out the algorithm used to generate the next one?
The way you describe this it sounds like hackers just need to get the encryption key and the candy store's open.
Correct. However, only the bank holds the key (not the individual retailers) and so it's far less likely to fall into the wrong hands because banks tend to take information security far more seriously than retailers. I mean, if a hacker were able to hack into the bank's database, they wouldn't even need the encryption key anyways.
That's exactly the current system: the real credit card number is stored with each transaction at the retailer. The point is that, with the new system, you wouldn't need to swipe your card anymore. Your credit card information would be stored on your phone (encrypted via TouchID) and it's only ever sent as an encrypted token for transactions.
I do know from using Passbook that it can be slow at times because the iPhone does a whole lot more, but I assume there will be a way to quickly bring up NFC. Perhaps by doing a double-tap of the Home Button, hitting an NFC symbol on the screen and then doing Touch ID, or is that too cumbersome to initiate?
When you swipe your iPhone 6 at a payment terminal a dialog window will appear asking you to authenticate with Touch ID.
That seems like a good solution so long as it shows at least the amount that will be deducted, lists the party who is asking for the funds with an SSL-like certificate that can be verified, if need be, and has a confirm screen after you authenticate via Touch ID, although this would be a bit tricky to do whilst maintaining NFC's magnetic loop, so not using NFC or using BT to set up the transaction before you actually make the purchase via NFC could be utilized.
edit: If it allows you to store multiple CCs you'd need to be able to choose the one you want for that purchase. I use several to maximize my points.
I'm all for any token-based system. It's hard to imagine that whatever Apple does it's not safer than using a CC. I suppose the hash could be reverse engineered and they could find a way into your iPhone's secure enclave but that seems like a huge order compared to just stealing your credit card. Now if this hack is universal and they can use the same program to reverse any hash then even canceling your cards and inputting new ones would be useless for added security against those individuals, but they would still need access to your device, unless they can find a way to get access remotely. I suppose that whatever SW Apple uses will be isolated from every app but they can make mistakes, so who knows.
This is a good move by Apple. It may be just the beginning of a move to safer electronic payments, but it's better than the crap system in the USA.
I just hope that they have an easy way to select cards or payment options. I don't put everything on one card.
I suppose the hash could be reverse engineered and they could find a way into your iPhone's secure enclave but that seems like a huge order compared to just stealing your credit card.
As far as I've heard, the only known hack for the TouchID system is a faked fingerprint. Which is very difficult to do, and a remote wipe of the phone would be able to stop it.
If better security means less fraudulent charges they have to refund thus creating a net gain for them then they very much care for the gluteus maximus of Rattus rattus.
It seems to me the idea would be something like the following.
Present authorization of a transaction takes one round trip: credit card info and amount are sent to the card issuer, and an authorization is returned if the transaction is approved. This has the problem that all the information needed to perform another transaction is exposed to the merchant's hardware, and is visible on the wire.
If we'd like to make a secure transaction just as fast, we'd like to do the same thing in one round trip without exposing any sensitive information. This can be done using cryptography: only encrypted data ever leaves the iPhone. The encrypted message should be non-reusable, including for example time and date as part of the encrypted transaction request.
The encryption could be made very strong, with some secrets stored only on the iPhone and some only at the card issuer, and with the iPhone secrets protected in its secure enclave. New secrets can be created and exchanged as needed, much as they are in https.
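The one-time-use tokens from the article's "So what about Apple?" section and the one-round-trip scheme sketched in the comment above, as an added example in Python that is not code from AppleInsider, the commenter, or Apple. It assumes a per-device secret that is shared only with the card issuer and provisioned out of band, a card-shaped device account identifier that is not the real card number, a 60-second freshness window and the field names shown; all of these are constructed for the example. Each purchase produces an authenticated request bound to the merchant, amount, time and a per-device counter, so the issuer can reject a replayed, stale or altered copy in the same single round trip.

```python
"""Added example: one-time transaction tokens verified in a single round trip.
Not code from AppleInsider, Apple or the commenter; keys, names and the
freshness window are constructed assumptions."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

FRESHNESS_SECONDS = 60   # assumption: requests older than this are refused


def _canonical(body: dict) -> bytes:
    """Stable serialisation so device and issuer MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Device:
    """The phone. It holds a device account identifier (not the PAN) and a secret
    shared only with the issuer; a Secure Enclave would keep that secret in practice."""
    device_account: str
    key: bytes
    counter: int = 0

    def make_request(self, merchant_id: str, amount_cents: int, now: int) -> dict:
        self.counter += 1                      # strictly increasing: defeats replay
        body = {
            "acct": self.device_account,
            "merchant": merchant_id,
            "amount": amount_cents,
            "ts": now,                         # the commenter's time-and-date field
            "ctr": self.counter,
            "nonce": secrets.token_hex(8),     # makes every token on the wire unique
        }
        body["mac"] = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return body


@dataclass
class Issuer:
    """The card issuer: the only party that knows both the device keys and the real PANs."""
    device_keys: dict                          # device_account -> shared secret
    pans: dict                                 # device_account -> real PAN, never sent anywhere
    last_counter: dict = field(default_factory=dict)

    def authorize(self, req: dict, now: int) -> tuple:
        req = dict(req)
        mac = req.pop("mac", None)
        key = self.device_keys.get(req.get("acct"))
        if key is None or mac is None:
            return False, "unknown account"
        expected = hmac.new(key, _canonical(req), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"            # amount or merchant was altered in transit
        if abs(now - req["ts"]) > FRESHNESS_SECONDS:
            return False, "stale"
        if req["ctr"] <= self.last_counter.get(req["acct"], 0):
            return False, "replay"             # an intercepted token is useless a second time
        self.last_counter[req["acct"]] = req["ctr"]
        return True, "approved"


def demo() -> dict:
    key = secrets.token_bytes(32)
    phone = Device("DAN-0001", key)            # constructed device account number
    bank = Issuer(device_keys={"DAN-0001": key},
                  pans={"DAN-0001": "4111111111111111"})   # constructed test PAN
    now = 1_700_000_000
    req = phone.make_request("jeffs-widgets", 1999, now)
    first = bank.authorize(req, now)
    replay = bank.authorize(req, now + 5)                      # same token, sent again
    forged = bank.authorize(dict(req, amount=199900), now)     # amount changed, MAC not
    stale = bank.authorize(phone.make_request("jeffs-widgets", 500, now), now + 3600)
    second = bank.authorize(phone.make_request("jeffs-widgets", 500, now + 10), now + 10)
    return {
        "first": first,
        "replay": replay,
        "forged": forged,
        "stale": stale,
        "second": second,
        "pan_on_wire": "4111111111111111" in json.dumps(req),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified before the counter is consumed, so a forged or corrupted request cannot burn a legitimate counter value, and a request refused as stale leaves the counter untouched so the phone's next genuine request still goes through.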