NFC payments are taking over the world — or at least revolutionizing how we pay for goods in stores. In case you’re not aware, the technology is booming in much of Europe, Canada, and Asia.
The UK wants all point of sale terminals to be contactless by 2020, while more than 53 percent of Australians use an NFC app at least once per week. In China, NFC payment systems have become so prevalent that experts believe the country is on track to become the first cashless society within just a few short years.
The United States is a bit behind the curve, but gaining ground rapidly. Businesses such as McDonald's and Walgreens now accept contactless payments, with many more coming online all the time.
Chevron and Walmart both need to get with the times and get Apple Pay. It’s killing me.
— Bridget Hull (@bridgetmhull) October 2, 2017
As the number of businesses accepting NFC apps grows, so too does the number of apps. But in the Western Hemisphere, three lead the pack: Apple Pay, Android Pay, and Samsung Pay. Let’s look at the security merits of each one.
We’ve taken an extensive look at the security of Apple Pay in an article elsewhere on MakeUseOf. The service has been around since 2014. You’ll find it on every iPhone from the iPhone 6 onward, including the 7, 8, and X. You can use it to pay in stores, and if you own a Mac, you can also use it to pay on websites in Safari.
Like many apps, Apple Pay’s principal security safeguard is tokenization. Instead of storing your actual credit card number on the device, the system stores a substitute number, the Device Account Number, that is valid only for that one device.
Tokenization relies on a chain of encryption between your phone, Apple, and your card network. After you’ve entered your card details into the app, the device encrypts them and sends them to Apple’s servers. Apple decrypts them, determines which payment network the card belongs to, and re-encrypts them with a key that only that network can unlock.
The network and your card issuer then approve the card, create the device-specific Device Account Number (DAN), encrypt it, and return it to Apple. Apple can’t decrypt it; it simply passes it on to the Secure Element (SE) on your phone, a certified tamper-resistant chip built to financial-industry standards. The SE also produces a transaction-specific security code for each payment, so a token captured at one terminal can’t simply be replayed at another. We’ll return to the Secure Element when we look at Android Pay and Samsung Pay.
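To make the tokenization flow concrete, here is an added example written for this article; it is not Apple’s code and it stands in for the network’s token service with a Python class. The names (TokenServiceProvider, Phone, TOKEN_BIN), the constructed token prefix, and the use of an HMAC as the per-payment cryptogram (where real cards use an EMV cryptogram) are all assumptions made for the illustration. It shows the three properties the paragraphs above describe: the device never holds the real card number, the token it does hold is a well-formed card-like number bound to one device, and each payment carries a one-time code so a replayed or altered transaction is refused.

```python
# Added example (not Apple's code): a minimal model of payment tokenization.
# Only the network-side token service ever sees the real card number (PAN).
# The phone holds a device-specific token (the DAN) plus a cryptogram key,
# and each payment carries a one-time MAC so a captured token can't be reused.
import hashlib
import hmac
import secrets

TOKEN_BIN = "490000"   # constructed prefix for issued tokens (assumption)


def luhn_check_digit(partial):
    """Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def make_cryptogram(key, dan, amount, atc):
    """Per-transaction MAC over token, amount and counter (stand-in for an EMV ARQC)."""
    msg = "{}|{}|{}".format(dan, amount, atc).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Network/issuer side: vault mapping DAN -> (PAN, key), plus replay tracking."""

    def __init__(self):
        self._vault = {}
        self._last_atc = {}

    def provision(self, pan, device_id):
        """Approve a card for one device; return its DAN and cryptogram key."""
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        dan = body + luhn_check_digit(body)
        key = secrets.token_bytes(16)       # on a real phone this lands in the SE
        self._vault[dan] = (pan, key, device_id)
        self._last_atc[dan] = 0
        return dan, key

    def authorize(self, dan, amount, atc, cryptogram):
        """Accept a payment only if the MAC verifies and the counter moved forward."""
        entry = self._vault.get(dan)
        if entry is None:
            return False
        _pan, key, _device = entry          # _pan is debited here, never sent out
        if not hmac.compare_digest(make_cryptogram(key, dan, amount, atc), cryptogram):
            return False
        if atc <= self._last_atc[dan]:      # replayed or reordered transaction
            return False
        self._last_atc[dan] = atc
        return True


class Phone:
    """Device side: knows only the DAN and its key, never the PAN."""

    def __init__(self, dan, key):
        self.dan, self._key, self.atc = dan, key, 0

    def pay(self, amount):
        self.atc += 1                       # application transaction counter
        return {"dan": self.dan, "amount": amount, "atc": self.atc,
                "cryptogram": make_cryptogram(self._key, self.dan, amount, self.atc)}


def demo():
    """Walk through provisioning, a payment, a replay and a tampered amount."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"                # constructed test number, not a real card
    dan, key = tsp.provision(pan, "phone-A")
    phone = Phone(dan, key)
    tx = phone.pay(1250)                    # $12.50
    return {
        "dan_differs_from_pan": dan != pan,
        "dan_is_luhn_valid": luhn_valid(dan),
        "first_payment": tsp.authorize(**tx),
        "replay": tsp.authorize(**tx),                  # same ATC presented again
        "tampered_amount": tsp.authorize(**dict(tx, amount=1)),
        "next_payment": tsp.authorize(**phone.pay(300)),
    }


if __name__ == "__main__":
    print(demo())
```

The merchant in this model only ever handles the dictionary returned by `Phone.pay`: a token that looks like a card number, an amount, a counter, and a MAC. Nothing in it lets the merchant recover the PAN, and presenting the same dictionary twice, or with a different amount, is rejected by the token service.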
Apple also protects you against loss through Find My iPhone. Putting the phone into Lost Mode suspends Apple Pay, and erasing the device remotely wipes any credit, debit, prepaid, and rewards cards you have saved. You can also remove cards from your Apple ID account page; Apple notifies the card issuers, which suspend the Device Account Numbers so no further payments can be made with them. Because the DAN is specific to the device, your physical card keeps working.
All sounds great, but Apple Pay does raise some privacy concerns. According to the app’s Terms of Service:
“Apple sends information about your iTunes and App Store account activity, information about your device, information about your device usage, and your location at the time that you add your credit, debit, or prepaid card to your bank or card issuer.”
Many of the core security features of Android Pay are the same as Apple Pay’s. Tokenization works in broadly the same way, but with one fundamental difference.
Instead of keeping payment credentials in a Secure Element chip, Android Pay uses a technique known as Host Card Emulation (HCE).
Host Card Emulation has been part of the Android operating system since version 4.4 (KitKat). With HCE, the NFC controller hands the terminal’s commands to an app running on the phone’s main processor, which emulates a payment card in software. The payment credentials themselves are managed by Google’s servers in the cloud; the app on the device holds only a small supply of limited-use keys, delivered over the network and refreshed as they are consumed.
This has some key benefits over a physical SE:
- The storage space of a physical SE is limited, while cloud-side storage is scalable.
- The cloud back end can draw on far more computing power than a chip, and can therefore run richer fraud checks on every payment.
- Keeping credentials in the cloud rather than on a chip controlled by the carrier or phone maker means fewer stakeholders and lower costs for the consumer.
However, there is one security drawback: because the keys come from the cloud, the app has to cache a few of them on the phone so that you can still pay while you’re offline. It’s like carrying a small stack of single-use temporary cards.
The window of opportunity doesn’t last long; once the cached keys are used up, the phone has to reconnect to the server before it can pay again. But it does mean that someone who gets hold of your device and knows your PIN could switch off its Wi-Fi and mobile data and go on a mini spending spree before you have time to react. The risk is minimal, and bounded by the size of the cache, but it exists.
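The offline window described above is easier to reason about with a model in front of you. The following is an added example written for this article, not Google’s code: a toy cloud token service that derives limited-use keys (LUKs) from a master key, and a phone-side app that caches a batch of them in ordinary app storage. The class names, the batch size, the refill-only-when-empty policy, and the HMAC used as the cryptogram are all assumptions made for the illustration. It shows that a thief who disables the network can spend exactly as many keys as were cached and no more, that a spent key can’t be replayed, and that the owner reporting the phone lost cuts everything off immediately.

```python
# Added example (not Google's code): a toy model of HCE-style limited-use keys
# and the bounded offline spending window they create.
import hashlib
import hmac
import secrets


def mac(key, amount):
    """One-time cryptogram for a payment, keyed by a single limited-use key."""
    return hmac.new(key, str(amount).encode(), hashlib.sha256).digest()


class CloudTokenService:
    """Cloud-side stand-in: derives limited-use keys (LUKs) from a master key."""

    def __init__(self, batch_size=5):
        self.batch_size = batch_size
        self._master = secrets.token_bytes(32)
        self._issued = set()     # LUK ids handed to the phone
        self._spent = set()      # LUK ids already used in an approved payment
        self.revoked = False     # set when the owner reports the phone lost

    def _derive(self, luk_id):
        return hmac.new(self._master, luk_id.to_bytes(4, "big"), hashlib.sha256).digest()

    def replenish(self, next_id):
        """Hand out the next batch of LUKs; this call needs the phone to be online."""
        batch = [(i, self._derive(i)) for i in range(next_id, next_id + self.batch_size)]
        self._issued.update(i for i, _ in batch)
        return batch

    def authorize(self, luk_id, amount, cryptogram):
        """The terminal's acquirer asks the cloud whether this payment is good."""
        if self.revoked or luk_id not in self._issued or luk_id in self._spent:
            return False
        if not hmac.compare_digest(mac(self._derive(luk_id), amount), cryptogram):
            return False
        self._spent.add(luk_id)
        return True


class HcePhone:
    """The payment app: caches a few LUKs in app storage, with no Secure Element."""

    def __init__(self, service):
        self.service = service
        self.online = True
        self._next_id = 0
        self._keys = []
        self._top_up()

    def _top_up(self):
        # Simplification: refill only when the cache is empty and we have a network.
        if self.online and not self._keys:
            self._keys = self.service.replenish(self._next_id)
            self._next_id += len(self._keys)

    def pay(self, amount):
        self._top_up()
        if not self._keys:
            raise RuntimeError("no limited-use keys left; reconnect to replenish")
        luk_id, key = self._keys.pop(0)      # each key is consumed by one tap
        return luk_id, amount, mac(key, amount)


def offline_spree(batch_size=5):
    """How many payments can a thief with the unlocked phone make with no network?"""
    svc = CloudTokenService(batch_size)
    phone = HcePhone(svc)
    phone.online = False                     # thief disables Wi-Fi and mobile data
    approved = 0
    while True:
        try:
            tx = phone.pay(999)
        except RuntimeError:
            break
        if svc.authorize(*tx):
            approved += 1
    return approved                          # equals batch_size: the window is bounded


def demo():
    svc = CloudTokenService(3)
    phone = HcePhone(svc)
    tx = phone.pay(500)
    first = svc.authorize(*tx)
    replay = svc.authorize(*tx)              # the same LUK can't be spent twice
    svc.revoked = True                       # owner reports the phone lost
    after_revoke = svc.authorize(*phone.pay(500))
    return {"first": first, "replay": replay, "after_revoke": after_revoke,
            "offline_window": offline_spree(5)}


if __name__ == "__main__":
    print(demo())
```

The terminal still has to reach the cloud to get a payment approved, so the thief’s advantage is only that the phone itself can keep producing valid cryptograms without a network; the ceiling on the damage is the number of keys cached, which is why real implementations keep that batch small and top it up whenever the phone is online.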
The last one of the “big three” NFC payment apps is Samsung Pay. It’s the South Korean company’s answer to Apple Pay. Like Apple Pay, it’s a proprietary app that only runs on Samsung products.
Before we get into the app’s security details, it’s worth mentioning one feature that neither Android Pay nor Apple Pay offers. Samsung Pay works with NFC point-of-sale terminals, which use the EMV contactless protocol, and also with older magnetic-stripe readers through Magnetic Secure Transmission (MST): the phone emits a magnetic signal that the reader interprets as a card swipe. The data sent over MST is still a token with a one-time code, not your real card number. As such, Samsung Pay works at far more terminals than the other two.
Samsung relies on Samsung Knox to guard against tampering and suspicious activity. In turn, Knox is built on the ARM TrustZone architecture, which isolates a trusted execution environment from the main Android operating system. Knox’s TrustZone-based Integrity Measurement Architecture (TIMA) has three main facets: the TIMA KeyStore, real-time kernel protection (RKP), and device attestation.
Samsung phones take a leaf out of Apple’s book: the Secure Element is physically located on the device itself, and HCE is not used. In the Galaxy S8, the digital-security company Gemalto supplied the embedded SE.
When making payments, all three apps behave much the same. You authorize each payment with your PIN or a biometric (fingerprint, iris, or face). For larger amounts, terminals in some countries still ask for a signature as well. Because of tokenization, the merchant never sees your real card number, only the device token and a one-time code.
If you lose your phone, Samsung’s Find My Mobile web service lets you lock the device and remotely block or wipe Samsung Pay.
Should You Stick With Cash and Cards?
No app is perfect — hackers are always looking for loopholes and ways to exploit you and your data.
If you follow the tech news, you’ll occasionally see stories that expose flaws in NFC apps. For example, in August 2016, a security researcher argued that Samsung Pay’s tokens were not sufficiently random and could become predictable.
Similarly, in March 2016, experts argued that criminals could load stolen card details onto Apple Pay, run up purchases for a brief time, then discard the phone.
Of course, stories like these are worrying. But all three NFC apps are still more secure than cash or a traditional card authorized with a signature: a token is tied to one device and every payment carries a one-time code, whereas a swiped magnetic stripe can be copied. Most importantly, as the technology matures, the security of the apps is only going to improve.
Do You Use NFC Apps?
In this article, we’ve given you a brief introduction to the security features offered by three of the biggest payment apps in Europe and North America.
Do you use NFC apps? Do you trust them? Are they secure enough? And do you think they can replace cash? You can leave all your opinions and feedback in the comments below. And remember to share this article with your followers on social media.
Image Credit: REDPIXEL/Depositphotos