Digital Transactions Authoritative, insightful and timely information for payments professionals
What’s that big, juicy new target out there for cyber-hackers? Apple Pay, of course. And don’t forget ATMs, either, since many deployers have yet to upgrade machines running old, increasingly vulnerable versions of Microsoft Corp.’s Windows XP operating system.
Apple Pay and ATMs are included on Woburn, Mass.-based data-security services provider Kaspersky Lab Inc.’s newly released list of nine security predictions for 2015. The top targets will be banks, which face the threat of direct attacks in which hackers try get into a financial institution’s network. Once in, the cyber-thieves may try to remotely direct ATMs to dispense cash or steal enough information to initiate large transfers from corporate accounts via the SWIFT network, an international financial messaging service.
Banks, however, have always attracted hackers. Apple Pay, which went live only in October with the release of Apple Inc.’s iPhone 6 and Apple’s iOS 8 mobile operating system, is the new target on the block. It’s a target not because of any apparent security flaws involving its near-field communication (NFC) wireless technology, data tokenization and Touch ID fingerprint biometrics, according to Patrick Nielsen, a senior security researcher at Kaspersky. “It really doesn’t have that much to do the security of the platform,” Nielsen tells Digital Transactions News, adding that Apple Pay is far more secure than a magnetic-stripe payment card.
Instead, the reason bad guys will be eyeing Apple Pay is much more low-tech: Apple’s increasing market share, which means more potential electronic loot to steal. According to technology research firm Gartner Inc., Apple’s Macintosh line accounted for 10.8% of U.S. desktop computer sales in the first quarter. A market share of not quite 11% doesn’t sound like a lot, but it’s about twice Apple’s market share in the 1990s. The iPhone, meanwhile, is the single best-selling smart phone even though it commands less than half the market. And while the new Apple Pay might account for 1% of mobile payments currently, its share could easily go to 5%. At that level, Apple Pay “is much more interesting for people who want money from these attacks,” Nielsen says.
Apple, which uses a proprietary or “walled-garden” approach to hardware and software, is the most “locked-down ecosystem” and tends to have somewhat better security than rival computer system providers, but no computer is invulnerable, says Nielsen. He also notes that well-known security researcher and white-hat hacker Charlie Miller was the first to “jailbreak,” or remove built-in controls, in an iPhone’s operating system and has demonstrated that a smart phone with NFC could be used to control another phone. Still, Nielsen believes Apple Pay offers a better promise of security than just about any other mobile-payment service out there today. “Apple is the company that has the best chance of pulling this off,” he says.
Meanwhile, ATMs face increasing security threats in large part because so many deployers have failed to upgrade Windows XP, which has run the vast majority of ATMs for years but which Microsoft stopped supporting in April. That means no more bug fixes or security patches.
While some banks and retail ATM operators have installed Microsoft’s Windows 7 or other operating systems, “there’s no rush” to replace Windows XP, says Nielsen, affirming what bankers and ATM industry executives told Digital Transactions magazine last March. In part, that’s because “there hasn’t been a huge outbreak of ATM malware,” says Nielsen.
That situation could change rapidly, however. There have been enough hacks aimed at ATMs that Kaspersky predicts an increase in so-called Advanced Persistent Threat (APT) attacks, which tend to be of long duration, and which could result in hackers controlling the “brains” of ATMs and even manipulating entire ATM networks in real time through the Internet. “That’s the thing that’s most scary to me,” Nielsen says.
Nielsen also says many ATMs also need increased physical security, such as more locks and alarms, since many have USB ports or CD-ROM drives just behind their outer shells that can be compromised fairly easily. “That’s something we’re going to see a lot more of in the future,” he says.
