Google Pay and Apple Pay Security Review: Should You Be Afraid of Fraud?
12 min read, 03/12/2018
As cash loses popularity, the fintech industry offers new and more convenient payment methods. We no longer need to take a credit card out of the wallet to pay for an item in a store; we may not even carry a debit or credit card at all. The open question is the security of these new payment methods. Is Apple Pay safe? Is Google Pay secure enough?
According to a Federal Trade Commission report, U.S. consumers filed 43,436 credit card fraud reports in 2017, with losses of $74 million, compared with 36,230 reports in 2016 and total losses of over $76 million. With such statistics in mind, consumers may shy away from PayPass/payWave contactless cards and from other contactless payment methods such as Apple Pay or Google Pay. On YouTube you can find plenty of videos of "electronic pickpocketing" in public: card fraud using the radio frequency identification (RFID) technology that POS terminals and contactless cards share.
Is it really possible to steal money by holding a POS terminal against a purse, or by intercepting card data with a sniffer? Is it safe to use Apple Pay and Google Pay? CyberPulse will sort things out.
How contactless payments work
No card transaction happens without intermediaries connected to a payment network such as Visa or Mastercard. Unlike a transfer between two individuals, only a legal entity (a merchant) with an acquiring agreement with a bank can charge a credit or debit card. Vocabulary:
- Merchant — a person or organization that sells goods or services.
- Acquiring bank — the bank that provides card payment services to the merchant and holds the merchant's account, where the incoming payments land.
- Issuing bank — the bank that issued a given credit/debit card and holds the cardholder's account.
- International payment system (IPS) – an international intermediary network (Visa, Mastercard and the like) that lets banks all over the world transact with each other without bilateral agreements. Every bank connected to the IPS follows the same rules, which greatly simplifies cooperation between them.
- Cardholder — a person who has a card service agreement with the issuing bank.
How a card payment works:
- The customer taps (or inserts) the card on the POS terminal.
- The POS terminal forwards the data received from the card to the acquiring bank over the Internet.
- The acquiring bank asks the issuing bank, through one of the international payment systems, whether this cardholder may make the purchase.
- The issuing bank approves or declines the transaction.
- The POS terminal prints a receipt.
When the acquiring bank and the issuing bank are the same institution, steps 3 and 4 happen inside one bank.
How does Apple Pay work?
Goldman Sachs analysts say that Apple Pay is the leading mobile payment platform, with 90% of all mobile contactless transactions in the U.S. as of 2017. The analysts attribute this lead to Apple having launched its platform before other vendors such as Google and Samsung. As far as the working principle goes, there is no significant difference between Apple Pay and Google Pay.
What is Apple Pay? It is a mobile payment platform that lets users pay with a smartphone equipped with near-field communication (NFC). Mobile payment systems like Apple Pay and Google Pay are built on the EMV Payment Tokenisation Specification. Tokenisation replaces your primary account number (PAN) with a payment token that can be used in its place, so the real card number is never sent to the terminal and neither the merchant's equipment nor anyone listening in can learn it during the payment. How Apple Pay and Google Pay work:
- The smartphone owner adds a credit or debit card to the mobile payment app.
- The wallet provider receives the card details.
- The wallet provider asks, through an international payment system, whether the issuing bank supports EMV tokenisation.
- The IPS, acting as token service provider, generates a virtual card (the token) and records the mapping between the token and the real card.
- The smartphone stores the token and its cryptographic keys in secure storage on the device.
A virtual card has the same attributes as a physical card, such as a PAN and an expiry date, but both the PAN and the expiry date of the virtual card differ from those printed on the physical card.
Transactions through mobile payment platforms happen the same way as with contactless cards. You hold the NFC-enabled smartphone against the POS terminal and confirm the transaction with a password, pattern, PIN, fingerprint, or Face ID. The terminal sees what looks like an ordinary Visa or Mastercard card, and the issuing bank maps the virtual card back to the same account as the physical one. If the issuing bank blocks the physical card, the token is blocked too.
How fraudsters can try to steal your money via contactless payments
The payment process through mobile payment platforms has few differences from a standard contactless payment with a chip card. Before passing a verdict on Google Pay and Apple Pay security, we will cover the two best-known ways of stealing money when consumers pay with contactless cards.
Method #1: Electronic pickpocketing
Electronic pickpocketing means charging a contactless card by pressing a POS terminal against a victim's pocket or purse. To do that, fraudsters need a portable GPRS-enabled POS terminal connected to an acquiring bank, and a registered legal entity behind it. A new POS terminal costs about $565, while a shell company costs between $1,500 and $4,000, so the fraudsters spend roughly $3,000 in total. Beyond these expenses, they face several obstacles when trying to charge contactless credit and debit cards.
Concern #1: Floor limit
Low-value transactions can be made without confirming them with a PIN or any other cardholder verification method (CVM). The threshold, called the floor limit, varies from country to country: $50 in the U.S., £30 in the UK, and €20 in Spain. The floor limit is set in the POS terminal configuration or by the issuing bank, and some issuers also let cardholders lower it in the card settings. If the terminal's CVM is configured as paper signature, a transaction of any amount is authorised without any confirmation request on the card side.
Therefore, fraudsters can try to charge less than $50 with each attempt. However, they cannot charge the same card several times in a short period, because after a few consecutive contactless transactions without a PIN the card demands PIN confirmation; they have to target a different person each time. Furthermore, multiple transactions of the same amount within a short period trigger the bank's anti-fraud system, which forces the fraudster to vary the amount every time a particular card is charged. This reduces the potential income and stretches out the time needed for the scheme to pay off.
Concern #2: A few cards in the wallet
In reality you rarely carry just one contactless card. Your wallet may hold several chip cards: credit, debit, and travel cards. How a terminal behaves then varies from model to model. Some POS terminals display an error as soon as they detect more than one contactless card; others either pick one card at random or silently ignore all of them.
POS terminals that can pick out payment cards among other contactless cards rely on the anti-collision procedure of ISO/IEC 14443-3 (Type A). After anti-collision the terminal examines each card's Select Acknowledge (SAK) response; if the SAK announces ISO/IEC 14443-4 support, which payment cards use, the card is likely to be a credit or debit card, although that is no guarantee, since other smart cards answer the same way. And even a terminal with anti-collision will, in most cases, show an error when three or more cards respond to its request.
The cost of electronic pickpocketing is therefore $3,000 plus transaction fees of 2-3%. Given the floor limit, the fraudsters need at least 62 successful transactions to break even. Since they cannot charge $49.99 every time, we can assume they need about 100 transactions before the attack pays off. With the obstacles above, stealing a couple of thousand dollars takes months.
And it is not even that simple. The stolen money reaches the fraudulent merchant account only after a few days. If some victims report suspicious transactions to their issuing banks in the meantime, the acquiring bank will freeze the fraudsters' account before the money arrives. Furthermore, the share of successful attempts can be dramatically low, because instead of pockets we usually carry cards in bags, purses, or thick wallets, which are significant barriers to the terminal's field.
So although electronic pickpocketing is a real problem, the cost of such an attack is high compared to the likely return; the overall share of successful transactions is unlikely to exceed 10%. How safe is Apple Pay in this scenario? Mobile payment platforms request confirmation for every transaction regardless of the amount. On iOS, the card is not presented over NFC until you authenticate with Touch ID or Face ID; on Android, you confirm the transaction with a fingerprint, pattern, password, or PIN. That makes electronic pickpocketing worthless against Apple Pay and Google Pay.
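To make the obstacles above concrete, here is an added example written for this review (not code from any terminal vendor, payment network, or the original article) that models a pickpocket's portable terminal in Python. It shows the ISO/IEC 14443-3 anti-collision step filtering candidates by their SAK byte, the floor limits quoted above together with an assumed issuer counter of three consecutive no-CVM taps before a PIN is demanded, a simple same-amount velocity rule, and a wallet phone that stays invisible to the terminal until its owner authenticates. Card labels, SAK values and the MAX_NO_CVM_IN_ROW counter are constructed sample data; the one standards fact used is that bit 0x20 of the SAK means ISO/IEC 14443-4 support.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not the article's code. Floor limits are the ones the article
# quotes; MAX_NO_CVM_IN_ROW is an assumed issuer counter (hypothetical value).
FLOOR_LIMIT = {"US": 50.00, "UK": 30.00, "ES": 20.00}
MAX_NO_CVM_IN_ROW = 3


@dataclass
class Card:
    label: str
    sak: int                    # Select Acknowledge byte from ISO/IEC 14443-3 anti-collision
    is_wallet: bool = False     # a phone running Apple Pay / Google Pay
    armed: bool = False         # wallet owner has passed Touch ID / Face ID / PIN for this tap
    no_cvm_count: int = 0       # consecutive contactless transactions without CVM
    recent: deque = field(default_factory=lambda: deque(maxlen=10))  # recent amounts


def is_iso14443_4(sak: int) -> bool:
    """SAK bit 6 (0x20) set means the card supports ISO/IEC 14443-4, the transport EMV uses."""
    return bool(sak & 0x20)


def anticollision(in_field: List[Card]) -> List[Card]:
    """Model a terminal's anti-collision: list the payment-capable cards answering in the field.
    A wallet phone does not answer as a card until its owner has authenticated."""
    return [c for c in in_field if is_iso14443_4(c.sak) and (c.armed or not c.is_wallet)]


def authorise(card: Card, amount: float, country: str, cvm_performed: bool) -> str:
    """Toy terminal + issuer decision: 'approved', 'cvm_required' or 'declined'."""
    if not cvm_performed and amount > FLOOR_LIMIT[country]:
        return "cvm_required"
    if not cvm_performed and card.no_cvm_count >= MAX_NO_CVM_IN_ROW:
        return "cvm_required"
    if list(card.recent).count(amount) >= 2:       # same amount again and again: skimming pattern
        return "declined"
    card.recent.append(amount)
    card.no_cvm_count = 0 if cvm_performed else card.no_cvm_count + 1
    return "approved"


def rogue_tap(wallet: List[Card], amount: float, country: str = "US") -> str:
    """A pickpocket's portable terminal pressed against a bag: no CVM is ever performed."""
    candidates = anticollision(wallet)
    if len(candidates) != 1:                        # zero or several cards: terminal shows an error
        return "terminal_error"
    return authorise(candidates[0], amount, country, cvm_performed=False)


def run_scenarios() -> dict:
    """Constructed wallets; returns the outcome of each attempt."""
    out = {}
    # One contactless card alone in a pocket: the attack works, but only below the floor limit.
    lone = [Card("visa-contactless", sak=0x20)]
    out["over_limit"] = rogue_tap(lone, 55.00)
    out["first"] = rogue_tap(lone, 49.99)
    out["second_same_amount"] = rogue_tap(lone, 49.99)
    out["third_same_amount"] = rogue_tap(lone, 49.99)         # velocity rule trips
    # Varying the amount dodges the velocity rule; the no-CVM counter still bites.
    lone2 = [Card("visa-contactless", sak=0x20)]
    out["varied"] = [rogue_tap(lone2, a) for a in (49.99, 45.00, 40.00, 35.00)]
    # A typical wallet: EMV card, MIFARE Classic transit card (SAK 0x08), second EMV card.
    crowded = [Card("visa", sak=0x20), Card("transit", sak=0x08), Card("mastercard", sak=0x28)]
    out["crowded"] = rogue_tap(crowded, 20.00)
    # Only non-payment tags in the field.
    out["no_payment_card"] = rogue_tap([Card("transit", sak=0x08), Card("ultralight", sak=0x00)], 20.00)
    # A phone with a mobile wallet: invisible to the terminal until the owner authenticates.
    phone = Card("wallet-phone", sak=0x20, is_wallet=True)
    out["phone_in_pocket"] = rogue_tap([phone], 20.00)
    phone.armed = True                                         # owner just used Face ID at the till
    out["phone_unlocked"] = authorise(anticollision([phone])[0], 20.00, "US", cvm_performed=True)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:>20}: {result}")
```

Running it shows the pattern the text describes: a lone card is chargeable only under the floor limit and only a handful of times, a crowded wallet gives the rogue terminal an error, and the wallet phone never answers until its owner has unlocked it at a till of their choosing.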
Method #2: ID interception
The other way fraudsters can try to steal money from a contactless card is to intercept its data, such as the PAN and expiry date, with an NFC sniffer that stores the captured data on an SD card. To fit a sniffer to a POS terminal the fraudster has to be an insider: a cashier in the store where you shop, or a courier with a portable terminal. NFC sniffers have an antenna placed between the terminal and the card that picks up everything exchanged over the air.
Researchers from Checkmarx recently showed with NFCdrip how far NFC emissions can travel. It is a data-exfiltration technique rather than an eavesdropping attack: malware already running on an NFC-enabled phone toggles the NFC field on and off to modulate data, using on-off keying, the simplest form of amplitude modulation, in which the presence of the carrier encodes a 1 and its absence a 0; a receiver with a suitable antenna picks the signal up at up to 60 metres. The channel works even with the phone in flight mode, because NFC stays enabled. NFCdrip does not read payment data out of a wallet app, but it shows that the nominal few-centimetre NFC range is no security boundary.
What kind of data does a POS terminal receive from a contactless card?
Transactions between POS terminals and chip cards are protected by a cryptographic signature: for every transaction the card computes an application cryptogram over the transaction data, including an unpredictable number supplied by the terminal and the card's own transaction counter. This makes each transaction unique and protects against replay attacks, in which the same captured data is sent to the bank again to charge the card more than once.
What a sniffer does get is the data the card sends in the clear: in a contactless EMV transaction that includes the full PAN and the expiry date. The CVV2 printed on the back of the card is never transmitted, but a PAN and expiry date are enough for purchases at some online stores and for orders by phone or email. Such transactions are called Card-Not-Present (CNP): the customer provides the card details remotely and no card cryptogram is involved.
Mobile payment platforms, as mentioned above, replace the real card data with entirely different virtual data (the token). That token is restricted to Card-Present (CP) transactions, in which the device signs the transaction with a cryptogram, so the token PAN and expiry date on their own are useless for CNP purchases. That is why the security behind Apple Pay, Google Pay, and Samsung Pay holds up: the platforms are protected from data theft with a sniffer.
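As an added example covering both the tokenisation flow in the section on how Apple Pay works and the cryptogram, replay and CNP points just above (written for this review; it is not Apple's, Google's, EMVCo's, or the article's code), here is a toy token service in Python. It provisions a token PAN with its own expiry and key, has the phone sign every tap with a per-transaction MAC over the amount, the terminal's unpredictable number and a transaction counter, and has the issuer side reject replays, tampered amounts, card-not-present use of the token, and taps after the physical card is blocked. HMAC-SHA256 stands in for the MAC real EMV cards compute; the PAN, expiries, keys and the "CP" domain label are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str            # real card number; never leaves the token service
    expiry: str         # real card expiry
    token_pan: str      # device PAN the terminal sees
    token_expiry: str   # the token's own expiry, deliberately different
    key: bytes          # per-token cryptogram key, copied to the phone's secure storage
    domain: str = "CP"  # token is only valid for card-present NFC taps
    last_atc: int = 0   # highest transaction counter accepted so far
    blocked: bool = False


def make_cryptogram(key: bytes, token_pan: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    """Per-transaction MAC binding the token to amount, terminal nonce and counter.
    HMAC-SHA256 truncated to 8 bytes stands in for EMV's application cryptogram."""
    msg = f"{token_pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class TokenService:
    """Toy token service provider / issuer: provisions tokens and authorises transactions."""

    def __init__(self) -> None:
        self._tokens = {}   # token_pan -> TokenRecord
        self._by_pan = {}   # real pan -> [token_pan, ...]

    def provision(self, pan: str, expiry: str) -> TokenRecord:
        token_pan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        rec = TokenRecord(pan, expiry, token_pan, "12/29", secrets.token_bytes(16))  # "12/29": assumed
        self._tokens[token_pan] = rec
        self._by_pan.setdefault(pan, []).append(token_pan)
        return rec                      # token + key go to the phone, the real PAN stays here

    def block_card(self, pan: str) -> None:
        """Blocking the physical card blocks every token derived from it."""
        for token_pan in self._by_pan.get(pan, []):
            self._tokens[token_pan].blocked = True

    def authorise(self, token_pan: str, amount_cents: int, nonce: bytes,
                  atc: int, cryptogram: bytes, channel: str) -> str:
        rec = self._tokens.get(token_pan)
        if rec is None:
            return "declined_unknown_token"
        if rec.blocked:
            return "declined_blocked"
        if channel != rec.domain:        # sniffed token PAN + expiry typed into a web shop
            return "declined_wrong_domain"
        if atc <= rec.last_atc:          # this counter value was already used: replay
            return "declined_replay"
        expected = make_cryptogram(rec.key, token_pan, amount_cents, nonce, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined_bad_cryptogram"
        rec.last_atc = atc
        return "approved"


class Phone:
    """The wallet app: keeps token and key in secure storage and signs each tap."""

    def __init__(self, rec: TokenRecord) -> None:
        self.token_pan, self.expiry, self._key = rec.token_pan, rec.token_expiry, rec.key
        self.atc = 0

    def tap(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1
        return {"pan": self.token_pan, "expiry": self.expiry, "atc": self.atc,
                "cryptogram": make_cryptogram(self._key, self.token_pan, amount_cents, nonce, self.atc)}


def pos_charge(ts: TokenService, phone: Phone, amount_cents: int):
    """Honest terminal: fresh unpredictable number for every transaction."""
    nonce = secrets.token_bytes(4)
    data = phone.tap(amount_cents, nonce)   # everything a sniffer between phone and reader sees
    return ts.authorise(data["pan"], amount_cents, nonce, data["atc"], data["cryptogram"], "CP"), data, nonce


def run_scenarios() -> dict:
    ts = TokenService()
    rec = ts.provision("4000 1234 5678 9010", "05/26")      # constructed sample card
    phone = Phone(rec)
    out = {"token_differs": rec.token_pan != rec.pan and rec.token_expiry != rec.expiry}
    result, sniffed, nonce = pos_charge(ts, phone, 1999)
    out["tap"] = result
    # Replay: a malicious terminal re-submits the captured tap unchanged.
    out["replay"] = ts.authorise(sniffed["pan"], 1999, nonce, sniffed["atc"], sniffed["cryptogram"], "CP")
    # Tampering: bump the counter and the amount, keep the old cryptogram.
    out["tamper"] = ts.authorise(sniffed["pan"], 9999, nonce, sniffed["atc"] + 1, sniffed["cryptogram"], "CP")
    # Card-not-present: the sniffed PAN and expiry typed into an online shop.
    out["cnp"] = ts.authorise(sniffed["pan"], 4999, b"", 0, b"", "CNP")
    out["second_tap"] = pos_charge(ts, phone, 500)[0]        # honest second tap still works
    ts.block_card(rec.pan)                                   # cardholder reports the card lost
    out["after_block"] = pos_charge(ts, phone, 500)[0]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:>14}: {result}")
```

The counter check is what makes the sniffed tap worthless even to a terminal that captured it perfectly, and the domain check is what makes the token PAN worthless for online shopping; a physical card, by contrast, hands over a PAN that is valid in both domains.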
5 myths about Apple Pay and Google Pay
Despite the growing popularity of mobile payments, there are a lot of myths related to the security of Google Pay (formerly Android Pay), Apple Pay, and other similar systems.
Myth #1: Apple Pay/Google Pay copies credit card data
A chip card keeps its cryptographic keys in tamper-resistant memory from which they cannot be extracted, so chip cards cannot be copied. Apple Pay and Google Pay do not copy the card either: the phone receives a separate token with its own keys, and the real card data stays with the issuer and the token service.
Myth #2: Every time you make a purchase with Google Pay/Apple Pay, your smartphone connects to the Internet.
Some people doubt Apple Pay's security because they think the system sends data over the Internet during the payment. In fact, mobile payment platforms do not connect to the Internet during the transaction with a POS terminal; everything the tap needs is already stored on the smartphone. A connection is needed when the card is added and the token is provisioned, not during the tap itself.
Myth #3: With every payment, the system generates a new primary account number
The virtual card data stays the same from payment to payment; what changes is the per-transaction cryptogram. You can check this yourself by comparing the last few digits of the primary account number (PAN) printed on successive receipts.
Myth #4: Google Pay/Apple Pay fees
You pay the price of the item (including VAT where applicable). Your issuing bank may charge a fee according to your card service agreement, but neither Apple Pay nor Google Pay adds fees of its own for purchases.
Myth #5: Apple Pay/Google Pay can accidentally charge you twice
This myth comes from accidental double charges on public buses, where a validator may charge a travel card every time it is presented. A POS payment terminal hardly allows such a scenario: it ends the data exchange as soon as it has received the data it needs, and a second charge would require a new transaction and a new confirmation on the phone.
Why Apple Pay and Google Pay are more secure than contactless cards
Google Pay and Apple Pay vs contactless cards:

| Threat | Apple Pay/Google Pay | Contactless cards |
|---|---|---|
| Replay attacks | The wallet requires authorisation for every transaction and signs it with a one-time cryptogram. Once it has sent the necessary data it ends the exchange with the POS terminal; a new request from the terminal triggers another confirmation prompt on the smartphone. | Legacy contactless cards operating in magnetic-stripe (MSD) mode, which are not protected against replay, cannot control the number of signed transactions. A POS terminal with malware can charge such cards more than once, even after the cardholder has left the store. |
| Electronic pickpocketing | The POS terminal cannot see the smartphone as a virtual card until you have authenticated. | Below the floor limit, a POS terminal can charge a contactless card without any cardholder verification. |
| ID theft | Data intercepted from Apple Pay or Google Pay with a sniffer (token PAN and expiry) cannot be used for online payments or other CNP transactions by email or phone. | Card data intercepted with a sniffer can be used for CNP payments over the Internet, by phone, or by email. |
| Personal data theft | Mobile payment platforms do not disclose the customer's personal data, such as the cardholder name. | Contactless cards can transmit personal data such as the cardholder name and, on some cards, a log of recent transactions. |