Can Apple Pay overcome security concerns and transform contactless payment in the UK?

As Apple's new mobile-based payment system launches in the UK, questions remain over security and privacy, as it can collect a detailed profile of its users’ shopping habits. Jamie Nimmo reports on the new contactless technology


Steven Spielberg’s 2002 film Minority Report conjures up an eerie, futuristic world of targeted advertising where privacy no longer exists. Fast-forward 13 years and the idea might not be far off the mark, if Apple Pay proves as much of a hit as the tech giant hopes it will be.

Its mobile payment system launches in the UK for owners of the iPhone 6, the Apple Watch and even those with the latest versions of the iPad. It will allow users to upload credit or debit cards to Apple’s Passbook, and then pay for goods by simply holding their device against contactless readers in shops.

Swathes of retailers and other vendors have already signed up for the service, including McDonald’s, Marks & Spencer, Starbucks, Boots and Nando’s. When launched, more than 250,000 locations will accept Apple Pay.

Unlike with contactless card payments, where anyone holding the card can use it, iPhone users will need to hold a finger on the fingerprint scanner while tapping as an added security measure.

Security is indeed a big selling point for the iPhone maker. When we pay for goods in a shop, we hand over our credit or debit cards, freely giving away our card numbers and our identities.

Users of Apple Pay are given a unique “device account number” which is stored in the iPhone’s dedicated chip – and importantly never on Apple’s servers – thereby “tokenising” the card number, to use an industry term. That means the vendor does not gain access to your personal information, only the special number Apple gives you.

Where do I sign up, I hear you ask. But hold your horses. While it’s true that retailers will not have access to our details, the largest public company in the world will, if only for short periods of time.

Apple will be privy to our all-important spending habits and will quickly be able to create a virtual profile of each of its users: where we shop and how frequently; what we buy; how much we spend; and so on.

Mike Weston, the chief executive of the London-based data science consultancy Profusion, explained how users sign away their privacy when accepting the terms and conditions. “Our spending habits can be quite revealing of our behaviour and preferences,” he said. “When this information is combined with our browsing habits, social media profiles and location (via GPS on our phones), it paints a very vivid picture. As the terms and conditions linked with using applications like Apple Pay essentially give Apple carte blanche to use the data they gather, it puts a lot of power in its hands.”

Mr Weston added: “We should assume it is in Apple’s interest to use this information responsibly. However, it is unsettling that a single corporation could know more about us than the Government, banks and security services combined.”

It makes Apple invaluable to other businesses that want access to our shopping habits. When Facebook shifted its users across to its private messaging service Messenger last year, there was uproar when the few who took the time to scroll through the terms and conditions realised they were agreeing to being snooped on for more targeted advertising.

From a security perspective, Mr Weston believes that if Apple Pay takes off, it will “not only paint a huge bullseye on Apple but also on mobile devices generally”. He said: “By having so much personal information concentrated on our mobiles – social media profiles, email accounts, apps and now payment information – the damage that criminals can do with access to our phones is terrifying to think about. We have to question whether our data is safe enough on our mobiles.”

The US version of Apple Pay launched in October last year. There have already been issues with fraudsters adding stolen card details to their devices, making it easier to get around chip-and-pin security.

Credit card fraud is a major problem across the pond. Just look at the huge data breach at the general merchandise giant Target, which exposed the card details of up to 40 million customers.

Apple’s main rival in this field, Google, is preparing to launch Android Pay, its own mobile payment system, later this year. Experts have suggested that Apple could be vulnerable to a data hack, given that it is the first to venture into the mobile payments space on such a scale.

George Anderson, a director at the web security firm Webroot, reckons that as with all new technology, weaknesses will be exposed at some point. “When this happens Apple will need to be able to act quickly to reduce the impact, protect users and maintain trust in the technology,” he said.

The fact that Apple is only expected to process transactions below £20 in value, in line with the current limit for contactless payments, suggests it is playing it safe in Apple Pay’s infancy.

Mary Ann Miller, senior director, fraud executive advisor & industry relations at the financial crime specialist NICE Actimize, is critical of the low limits. “I really don’t see how this sort of policy could be taken seriously – it sends a wrong message to consumers,” she said. “In fact, as a consumer my first reaction would be not to use this product. With the limits set so low, the message is, ‘This is not safe to use’.”
