The Apple Watch is scheduled to ship on April 24th, and with a recent controversy over fraud on Apple’s mobile payment platform, people are asking tough questions about the security of their new smartwatch, especially about how it syncs with Apple Pay. (To learn more about how Apple Pay works – hint: tokenization – read this post.)
Much like the iPhone, the Apple Watch will include an NFC (near-field communication) chip, which is the technology behind Apple Pay and other contactless payment systems. To use Apple Pay on your phone, you usually need to hold your iPhone up to the contactless payment sensor on an NFC-equipped payment terminal, and put your finger on the Touch ID fingerprint scanner to confirm your identity. With the Apple Watch, you only need to click a button on the side of the watch, and hold it near an Apple Pay-enabled device. Apple Pay is only enabled once you’ve entered your credit and debit card information on the Apple Pay app on your iPhone, which will then sync with the Apple Watch and generate a token that will be used for each transaction from the watch. In addition to the tokenization of your payment card info, the Apple Watch includes a Secure Element chip that stores encrypted payment information as a unique Device Account Number. The Apple Watch also has a skin sensor: a PIN must be entered every time the watch is taken off and then put back on, and also if you try to use Apple Pay when not wearing it.
But even with tokenization, PIN, and sensor-based security measures, there are still many vulnerabilities to be aware of when interacting with the Apple Watch, especially if you use it for business reasons or within your organization. Since the Apple Watch is directly connected with an iPhone, it’s able to piggyback on the strengths of the iOS security system, but that close connection also makes the watch vulnerable to the same security issues as the phone. For instance, jailbreaking an iPhone could compromise the integrity of iOS security for your Apple Watch. The fact that the two devices connect wirelessly offers another weak point for hackers to exploit. In addition to these new security concerns, there are pre-existing authentication flaws to consider, in which hackers have been able to use stolen credit card information with Apple Pay.
The addition of new marketplace apps for the Apple Watch brings fresh opportunities for third parties to lure new users into downloading a malicious app. Apple Watch users should be sure to only download apps that are well rated and highly trusted. This is especially true when it comes to banking apps, though most are limited to offering snapshots of activity and account balances rather than full banking functionality. It seems like this is best for security reasons, at least until Apple Watch’s tires have been kicked and weak points have been shored up. You wouldn’t want hackers gaining access to your banking app and being able to transfer money, for example. One promising feature of Apple Watch banking apps (like Citibank’s) is the ability to receive up-to-the-minute notifications of unauthorized charges – adding an extra layer of security.
While the Apple Watch certainly has its security flaws, most result from its direct integration with the iPhone or from pre-existing flaws in Apple Pay. That being said, NFC-enabled devices and payment systems are commonly considered to be the most promising way to mitigate the risks of payment card fraud. There will always be hackers attempting to steal and exploit credit card information (whether from an actual card or an Apple Pay account), so with Apple Pay’s tokenization and the Apple Watch’s biometric security, there’s more good than harm that can come from paying with your Apple Watch. However you make payments, though, be sure to monitor your accounts for suspicious activity daily and keep your devices secure.