Ravi Das

There is no doubt that the smartphone is a vital aspect of modern life. We have discovered the convenience of online shopping using our phones, and of making ‘mobile payments’ from wherever we are. However, this convenience does come with a trade-off: security. To provide an additional layer of security, Apple introduced fingerprint recognition in 2013. Because fingerprint recognition alone does not secure the line of communication while an online store processes a credit card transaction, Apple also developed ‘Apple Pay’. In this article, Ravi Das reviews mobile payments, the features of Apple Pay and how it works, its security features, a review of Touch ID, and how facial recognition will be used in the iPhone X.

The smartphone (along with other kinds of mobile devices) has become a vital aspect of modern life. We use our devices not only for personal ends (such as sharing photos and text messages), but also in our daily job functions. Thanks to Microsoft’s Office 365 all of the Office products (primarily Word, Excel and PowerPoint) are now available in the Cloud, enabling us to create documents, financial spreadsheets, and even sales presentations straight from our smartphones.

But there is yet another realm where we are increasingly using our smartphones: online shopping. When the concept of e-commerce and online shopping carts was first introduced in the late 90s (the time of the .com craze in the United States) people were very excited about no longer needing to pay a physical visit to a traditional brick-and-mortar store.

And the excitement has only continued to grow, because now we can do the same thing straight from our smartphones, regardless of where we are geographically. This so-called ‘mobile payment’ means we no longer have to sit in front of a computer at home to make purchases. However, this convenience does come with a trade-off: security. This is the one area in which smartphones have been lacking, with their security until recently still depending on the use of a password or PIN number. This level of security is simply inadequate for online shopping. After all, when we enter our credit card information we want to be 100% sure that it will not be intercepted by a malicious third party.

Figure 1.

Introduction to Touch ID
To provide an additional layer of security (also known as ‘Two-Factor Authentication’ or ‘2FA’ for short), Apple introduced fingerprint recognition. The brand it created is called ‘Touch ID’. Simply put, after entering your password or PIN number, your iPhone device will ask you to place your finger on a small optical sensor at the bottom of the device (see Figure 1). If your finger is scanned and there is a positive match, you are authenticated for full use of your iPhone. Typically, the enrolment process is done when you first purchase an iPhone or upgrade your current device. Keep in mind, however, that Touch ID only secures the hardware; it does not create a secure line of communication while the online store processes your credit card transaction from your iPhone. In order to address this, Apple developed ‘Apple Pay’.

An overview of Apple Pay
Apple Pay is essentially a mobile app which can be downloaded and installed on your iPhone or iPad.
Because it is deemed to have more robust security than other prominent mobile payment platforms such as Google Wallet, Apple Pay is supported by major banks worldwide, including for example JP Morgan Chase, Bank of America Corporation and Citigroup, Inc. Once the end user has downloaded the mobile app and entered their financial information (such as credit card number or bank account), they can make payments using their iPhone or iPad. First, the user must enter their password or PIN number. Once this has been accepted, they are then prompted to further confirm their identity using Touch ID, the fingerprint recognition embedded in the iPhone or iPad (see Figure 1).

It should be noted that the only time your credit card or banking information is ever stored in Apple Pay is when you first enter it into the mobile app. You can also take a picture of your credit card and upload it into Apple Pay. If this particular method is utilised, the image is fully encrypted and sent to the servers at Apple for decryption. From here, the credit card information is then checked for authenticity with the issuer. After this process has been completed Apple re-encrypts the credit card information with a public key/private key combination which only the credit card issuer or network can unlock. Other encrypted information and data is also sent, such as the iTunes transaction history. Ultimately the credit card issuer can either allow or deny a specific credit card to be used in Apple Pay.

Once a credit card has been approved for use in Apple Pay, a Device Account Number (DAN) is created. This is a cryptographic token which is assigned to every iPhone and iPad that uses Apple Pay. This DAN is used to generate dynamic security codes that are unique to each transaction undertaken by the end user. In a way, this is very similar to transactions made with security chip-enabled credit cards. In more technical terms, a cryptogram is generated in the Near Field Communication wireless stream between the antennae embedded in the iPhone and the reader at the Point of Sale Terminal. This cryptogram is ultimately transmitted back to the credit card issuer for approval or denial of the Apple Pay transaction.
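As an added illustration (not Apple's own code, and not a description of its actual cryptography), the following simplified model shows the tokenised flow described above: the issuer replaces the card number with a DAN and a per-device key, the phone sends a cryptogram bound to each transaction, and the issuer verifies it and refuses to honour it a second time. The HMAC construction, the transaction counter and the message fields are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, dan, counter, amount, merchant):
    # Transaction-unique code keyed over the token and the transaction details.
    msg = f"{dan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self):
        self.vault = {}    # DAN -> (real PAN, per-device key); stays with the issuer
        self.seen = set()  # (DAN, counter) pairs already authorised

    def provision(self, pan):
        # Constructed provisioning step: the device gets a DAN and a key, not the PAN.
        dan, key = "DAN-" + secrets.token_hex(8), secrets.token_bytes(32)
        self.vault[dan] = (pan, key)
        return dan, key

    def authorise(self, dan, counter, amount, merchant, cryptogram):
        if dan not in self.vault:
            return "declined: unknown token"
        _pan, key = self.vault[dan]
        expected = make_cryptogram(key, dan, counter, amount, merchant)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"  # amount or merchant altered in transit
        if (dan, counter) in self.seen:
            return "declined: replay"          # same cryptogram presented twice
        self.seen.add((dan, counter))
        return "approved"

class Device:
    def __init__(self, dan, key):
        self.dan, self.key, self.counter = dan, key, 0

    def pay(self, amount, merchant):
        # What the phone passes to the terminal: token and cryptogram, never the PAN.
        self.counter += 1
        cryptogram = make_cryptogram(self.key, self.dan, self.counter, amount, merchant)
        return {"dan": self.dan, "counter": self.counter, "amount": amount,
                "merchant": merchant, "cryptogram": cryptogram}

def demo(pan="4111111111111111"):  # constructed sample card number
    issuer = Issuer()
    phone = Device(*issuer.provision(pan))
    msg = phone.pay(1999, "shop-42")
    outcomes = [issuer.authorise(**msg), issuer.authorise(**msg),
                issuer.authorise(**dict(msg, amount=1))]
    return outcomes, pan not in str(msg)
```

The three outcomes in `demo()` show a genuine payment being approved, the same message being rejected as a replay, and a message with an altered amount being rejected because the cryptogram no longer matches; the real card number never appears in what the phone transmits.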

Figure 2: Facial recognition image.

The use of facial recognition
Facial recognition is another biometric modality that Apple introduced in its next generation of smartphones (the ‘iPhone X’). This technology actually started to evolve in the last decade and received much hype after the 9/11 attacks on the World Trade Center. Unfortunately, it did not live up to the hype and was widely rejected by both the public and business entities. Since then the technology has evolved significantly and is now used all over the world in many types of applications. Probably the best example is at international airports, where it is used to scan travellers’ faces from a distance as they walk along. An example of a facial recognition system is shown in Figure 2.

Given the advancements in this technology, the manufacturers of smartphone devices are now seriously considering using facial recognition instead of fingerprint recognition as a component in the 2FA approach. In fact, in the iPhone X the Touch ID system is eliminated and replaced by facial recognition. This will be used to secure both the iPhone itself and Apple Pay.

Spoofing attempts
One of the reasons why facial recognition failed to live up to the hype in the last decade was that it was highly prone to spoofing. In other words, after one image was taken of a particular individual, the system could easily be tricked by an image of another individual with a similar appearance. Two sets of neural network technology – a form of artificial intelligence – are utilised to combat this weakness in the iPhone X. The first set, Apple claims, was trained on over 1,000,000,000 invisible infrared dot-based images. The various mathematical formulas created from this are then used to help confirm the identity of the eventual owner of the iPhone X. The second set will be used to help combat any spoofing attempts by cyberattackers.
As with Touch ID, Apple does not intend to release any sort of information or data on how the neural network technology works. Because of this mystery, many critics view the new facial recognition system as a black box approach.

Using this new technology has a number of distinct advantages, namely:

  • While the chances of reverse engineering the mathematical formulas which comprise the verification templates are very small, using neural network technology makes it just that much more difficult. In a way, this supports the black box approach that Apple is taking.
  • The facial recognition data cannot be stored offline or in another device that is peripheral to the iPhone X.
  • One of the greatest weaknesses of facial recognition has been allowing for the aging process of the end user. Apple claims that the use of neural network technology will allow the aging of features to be captured in real time as they occur.
  • Another weakness of facial recognition concerns dealing with any meaningful changes the end user makes to their face. For instance, if a subsequent image was taken of the individual wearing sunglasses, the technology would be unable to compare this to the original image (assuming no sunglasses were worn in the original). However, it is assumed that the neural network technology will take this into account and be able to make a distinct comparison of the two images in this example.

One disadvantage is that Apple recommends that the new security system should not be used by individuals under 13 years of age because of the rapid changes in their facial features. However, this is not expected to have a dramatic impact on the overall market penetration and growth of the iPhone X.

This article has examined the use of Touch ID, Apple Pay and facial recognition in the next generation of mobile devices, specifically the iPhone X. There has been little controversy surrounding the use of Touch ID, given that the system is based on using the individual’s own fingerprint to confirm their identity. Conversely, facial recognition continues to get a lot of pushback from the public, with people viewing it as a ‘Big Brother’ way of keeping tabs on the population. While one of the main weaknesses of facial recognition has been resolved by the use of neural network technology, it will be interesting to see how the other weakness described plays out now that the iPhone X is officially launched.


Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
