Showing posts with label Mobile banking. Show all posts

Monday, September 9, 2019

Apple Titanium Card

I have been waiting for my Titanium Card to be delivered to write this evaluation.  Read it in the context of my last post.  

The card is delivered via FedEx in a large envelope.  There is a return address but it does not say "Apple."  This resists theft of the card in transit.

Inside the FedEx envelope is a tamper evident 4.5" x 6.25" x 0.25" corrugated cardboard package containing the card.  This protects against tampering with or skimming the card in transit.  

While a signature is not required for delivery, one gets a notification of delivery.  This may narrow the window of opportunity for theft from the doorstep.  

Only after receipt does one see the button in the Wallet App to "activate" the card.  This resists any use of the card prior to receipt by the legitimate owner.  

While the owner's name is on the face of the card, the card number, expiration date, and the CVV are not.  While a number is encoded on the magnetic stripe, unlike with all other cards, it is different from the number that one would use at an e-commerce site.  Thus, the only way that one might monetize knowledge of the stripe number would be to use it to counterfeit a card.  

Note that any fraudulent use of the number on the stripe will show up immediately on the owner's iPhone so that the transaction can be reported as fraudulent and the number can be reported as compromised.  Skimming the number and counterfeiting a card for one or two uses is a high hurdle.  

The value on the magnetic stripe, provided for backwards compatibility, on a card which will be used sparingly, is a limited vulnerability.  From a security perspective, consumers should prefer Apple Pay (using iPhone or Apple Watch), EMV, manual entry of the number (from the iPhone Wallet App), and swiping the magnetic stripe, in that order.  While the magnetic stripe is more convenient than manual entry, many users may never have to use either.  As point of sale devices are modernized, the requirement for any alternative to contactless or "chip" will decline.  

Finally, in the app, one can disable and enable the card.  Thus one can carry the card while mitigating the risk of fraudulent use should it be lost or stolen.  Since I expect the use of the Titanium card to be sparse, mine remains disabled by default.  Others may choose to leave it enabled by default, disabling it only should it be lost or stolen.

The vulnerability of the number on the magnetic stripe is not limited to the Titanium card; so far it is not possible to get any other credit card without this vulnerability.  On the other hand, the Titanium card does not have the vulnerability of having the primary account number, the expiration date, and the CVV on the face.  Therefore, if one is going to carry a credit or debit card with a number in the clear on the magnetic stripe, the Titanium card is the clear favorite.  

(Incidentally, I convinced myself.  I got the Titanium card, intending to put it in the drawer and never carry it.)

Friday, August 23, 2019

Limitations of Biometrics

It is Black Hat/DEF CON time, so it should not surprise anyone that the media is full of hacks. While the hackers pretend to demonstrate that the security mechanism is useless, most of the attacks are so expensive as to be impractical.  What they really demonstrate is the limitations of the mechanism.  Regular readers of this blog know that all security mechanisms have limitations; understanding those limitations is part of our stock in trade and I write about them often.   

A recent demonstration spoofed Apple's FaceID in only "120 seconds," as though that were the only cost of attack.  They omitted the special knowledge and access.  A recent article in BankInfoSecurityNews raised alarms over the discovery of a database of fingerprint images for sale.  

First, keep in mind that biometrics are really about convenience, not security. That is why they are best used as one factor in multi-factor systems. 

Second, they do not rely upon the secrecy of the reference but upon their resistance, at least in context, to counterfeiting. Your visage is an authenticator for your driver's license. It is public information. While a photograph of you might be able to fool a computer, no other person would be likely to confuse the photo with you.  There is too little information in the photo for it to be mistaken for you.  The more information that the implementation uses, the lower the risk of false positives but the higher that of false negatives, and the more power and time required for a check.  

Finally, as this article suggests, just like passwords, biometrics are fundamentally vulnerable to spoofing and replay attacks; implementations must resist them. For example, Apple's FaceID uses tests of "liveness" to distinguish between a real person and a photo of the person or a replay of an earlier submission.  Perhaps they are better used on mobiles, where possession of the mobile is one factor and where the instant data is compared to the reference locally and does not go across a network where it could be captured for replay.  
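The mobile arrangement described above, as an added example that is not Apple's or any vendor's code: the reference template and the comparison stay on the phone, and what crosses the network is only a response to a fresh server nonce, keyed by a per-device secret that this example assumes was provisioned at enrollment (an HMAC stands in for a device signature). The server consumes each nonce on first use, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed enrollment data (example only). The reference template never
# leaves the device; the server holds only the per-device secret key, which
# this example assumes was shared when the device was enrolled.
DEVICE_ID = "phone-01"
DEVICE_KEY = os.urandom(32)
REFERENCE_TEMPLATE = (0.91, 0.12, 0.77)   # stand-in for a stored face template


class Server:
    def __init__(self):
        self.keys = {DEVICE_ID: DEVICE_KEY}
        self.outstanding = {}   # nonce -> device id; removed on first use

    def challenge(self, device_id):
        nonce = os.urandom(16).hex()
        self.outstanding[nonce] = device_id
        return nonce

    def verify(self, device_id, nonce, tag):
        # A nonce that was never issued, or was already used, is a replay.
        if self.outstanding.pop(nonce, None) != device_id:
            return False
        msg = f"{device_id}:{nonce}".encode()
        expected = hmac.new(self.keys[device_id], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def local_match(sample, reference=REFERENCE_TEMPLATE, threshold=0.1):
    """Compare the live sample to the reference on the device only."""
    return max(abs(a - b) for a, b in zip(sample, reference)) <= threshold


def device_respond(nonce, sample):
    """Release a response over the nonce only if the local match succeeds."""
    if not local_match(sample):
        return None
    msg = f"{DEVICE_ID}:{nonce}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def login(server, sample):
    """One authentication round; returns (accepted, nonce, tag)."""
    nonce = server.challenge(DEVICE_ID)
    tag = device_respond(nonce, sample)
    accepted = tag is not None and server.verify(DEVICE_ID, nonce, tag)
    return accepted, nonce, tag
```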

Friday, October 20, 2017

MasterCard to Eliminate Signatures

MasterCard has announced that in the US and Canada, it will no longer require signatures on credit card transactions.  (PINs will continue to be required on debit card transactions.)   MC says that this will be more convenient for the customer and that it will rely on other (unnamed) mechanisms and processes for security.  Let us look at some.

First, many issuers use computer aided mechanisms to detect fraudulent use by looking at such clues as location and other patterns of use.  Most of us have had calls from our banks checking on the legitimacy of activity.

In theory, the required signature resists fraudulent use of lost or stolen cards.  In practice, not so much.  Even when clerks reconciled the signature on the check to the one on the card, it was an imperfect mechanism.  In modern systems, where no one really reconciles the signature, the best that the mechanism can do is to permit the consumer to recognize disputed items that he really did sign. However, for the most part, issuers simply accept the word of the consumer that a transaction is fraudulent.  The signature does not come into play. 

The best way to resist the fraudulent use of lost or stolen cards is to check that a proffered card has not been reported lost or stolen.  This works well in the US and Canada, where most transactions take place on line.  In countries where many transactions take place off line, PINs are used. 

American Express CEO Kenneth Chenault told President Obama that AmEx detects many fraudulent transactions within 60 seconds by sending a notification of use to the consumer’s mobile or e-mail in real time. 

Bank of America and others resist fraudulent use by permitting the consumer to turn the card on and off using an app.  Again, works well where most transactions are on line. 

Android, Apple, and Samsung Pay resist fraudulent use by simply taking the card out of the transaction and substituting a digital token for the credit card number.  Lost mobile phones resist fraudulent reuse with PINs for security and biometrics, e.g. facial and fingerprint recognition, for convenience. 

On line merchants have never had the benefit of signatures but can resist fraud by using PayPal or other proxies instead of accepting credit cards at check out.  Where the merchants cooperate and the consumer uses American Express at checkout, AmEx will prompt the user for a one-time password sent to the user's mobile.  This protects the merchant, the consumer and AmEx.  All of these resist “card not present” fraud. 
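Issuer-side authorization logic combining the mechanisms described here (the lost-or-stolen check, real-time notification, the app's on/off switch, and a token that stands in for the card number) with the channel-bound numbers described in the Titanium Card post above. This is an added example, not any issuer's or network's code; the account, credentials and merchant names are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data (not any issuer's real numbers): one account whose
# credentials are each bound to the single channel they are meant for, so the
# stripe number differs from the e-commerce number and from the device token.
CREDENTIALS = {
    "5412000000001111": ("acct-1", "stripe"),     # number on the magnetic stripe
    "5412000000002222": ("acct-1", "ecommerce"),  # number shown in the wallet app
    "5412000000003333": ("acct-1", "token"),      # device token used by a mobile wallet
}

@dataclass
class Account:
    enabled: bool = True                              # the app's on/off switch
    compromised: set = field(default_factory=set)     # numbers the owner reported
    notifications: list = field(default_factory=list) # pushed to the owner's phone

ACCOUNTS = {"acct-1": Account()}
HOT_LIST = set()   # cards reported lost or stolen, checked on every on-line auth

def set_enabled(account_id, flag):
    ACCOUNTS[account_id].enabled = flag

def report_lost_or_stolen(account_id):
    for cred, (acct, _) in CREDENTIALS.items():
        if acct == account_id:
            HOT_LIST.add(cred)

def report_compromised(credential):
    acct, _ = CREDENTIALS[credential]
    ACCOUNTS[acct].compromised.add(credential)

def authorize(credential, channel, amount, merchant):
    """Issuer decision for one attempt; every attempt is reported to the owner."""
    if credential not in CREDENTIALS:
        return False, "unknown credential"
    acct_id, bound_channel = CREDENTIALS[credential]
    acct = ACCOUNTS[acct_id]
    if channel != bound_channel:       # e.g. a skimmed stripe number keyed in online
        reason = "credential not valid in this channel"
    elif credential in HOT_LIST:
        reason = "card reported lost or stolen"
    elif credential in acct.compromised:
        reason = "number reported compromised"
    elif not acct.enabled:
        reason = "card disabled by owner"
    else:
        reason = "approved"
    acct.notifications.append(f"{channel} {amount:.2f} at {merchant}: {reason}")
    return reason == "approved", reason
```

Because declines are reported as well as approvals, the owner sees a misuse attempt immediately and can report the number compromised while the other credentials keep working.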

Only the brands and issuers really know how necessary and effective signatures and PINs are: they take the risk when they are not required.

The fundamental vulnerability in the retail payment system is the credit card number in the clear on the magnetic stripe.  It remains a risk to merchants and issuers but is only a nuisance to the consumer. 

In short, the future is mobile, tokenized, cordless, contactless, signature-less and PIN-less, and secure.