Wednesday, September 10, 2014

Review of The Iphone Payment Initiation Method


After doing a bit of research on the new Iphone payment application and finding very few facts, I thought I could easily make up some facts and see if my reader(s) agree. The application initiates a payment using a token, a cryptogram, a geocoded position, and an approved amount. User authentication (biometric) occurs as a separate function from payment initiation A large acquirer routes the transaction by translating a portion of the token as a bank identification number (BIN). The acquirer forms an 8583 request using the personal account number (PAN) portion of the token which the issuing institution (or its agent, likely the large acquirer) translates to the actual PAN. No EMV required although a PKI method may have produced the cryptogram giving a nod to the EMV Imperium.

Apple cut a deal so they will assume some Reg. E payouts and that might be the devil that makes or breaks the venture. The scheme (if I am remotely near the actual facts) likely will succeed in the near term because there is easier money in data scraping electronic cash registers in regional and national chains than there is in jail breaking the I6 and launching a lunch time attack. However the imagined payment architecture is vulnerable to a lunchtime attack, (ultimately allowing intercept of NFC transmissions, and counterfeiting the results) or a Man-in-the-middle attack (intercepting and moving the auth request to another retailer while jamming the NFC with the retail receiver). Neither attack is cost effective while the keystone cops trace data scrape attackers with “tut, tut, you need EMV”. Sooner or later, however, just like the price of oil causes wildcatters to reopen wells, moving data scrapers to the iphone application, its predecessors, and its progeny will seem like a reasonable business proposition.

As long as financial institutions do not push payer funds to payee accounts with real time notification routed correctly to payer and payee then payer funds remain vulnerable to retailer foibles, mainly the false retailer belief that possession of payer financial data increases the velocity or impact of payments.

Next Blog: Something you know, something you have, and something you will think.

No comments:

Post a Comment