Jon: Eric, before we get started on these questions, could you first just say your first and last names, so we can make sure we pronounce it right and put it right phonetically on our website.
Eric: Yeah, absolutely. It’s Eric Cow-perth-waite.
Jon: Awesome, thank you.
Jon: So this is Jon Brodsky from finder.com. The first thing we want to ask you about, Eric, is how you got into the security space in the first place?
Eric: Oh, wow. About 25 years ago, give or take, I went to work for a company called EDS, Electronic Data Systems, which was a huge computer and information services provider that later on got bought by Hewlett-Packard.
But at the time, sort of the mid-90s, there was not much in the way of what we today call information security or cybersecurity. It kind of was developing back then. And I ended up being part of some services contracts we were doing that called for security work, and it became really interesting to me. I was a system engineer at the time, and I sort of got some mentoring that said, “This may be important down the road.”
So, in spite of all the system engineer–type folks telling me, “You are crazy,” I headed down the security path inside EDS at the time.
Jon: Cool! So you are kind of a pioneer in the space, along with a lot of other people at Herjavec Group. Is that fair?
Eric: Yeah, I think that’s fair. When you look around, there’s not a lot of people who date back 20-plus years in the space.
Jon: Very cool. Well, then, that seems that you are going to be very uniquely qualified to answer our questions on the Apple Credit Card.
Eric: Hope so. I’ve also been using the iPhone since the first generation, so maybe that helps too.
Jon: So you are an iPhone user and you are a security person. Would it be fair to say you pick that based on security concerns, or just because you like it more?
Eric: It’s fair to say that security of my devices is a component of how I choose them.
Jon: OK, that is fair.
You’re an Apple product user. And the Apple Card presentation, which happened a couple of weeks ago now, really touted their security features.
Do you think that the Apple Card is going to be more secure than a magnetic stripe credit card?
Eric: So, there’s kind of three components to credit card security. The first one is the physical card itself and how you maintain the security of the card and the numbers on it. That kind of thing.
And then there’s the electronic information related to the card, which is all contained in the magstripe on the back of the card, right? Most major credit card breaches you’ve ever heard of occurred because the magstripe level 2 data was being intercepted and stolen within a merchant. So that electronic data is your second major important component of the credit card’s security.
And then the last component, which is really new to us, is when you are storing a credit card in these wallets that have been built by Chase or Google or Apple — that you can store multiple credit cards in there, and you can pay with your phone just reading the information out of the wallet, etc. That’s the third major component of card security, and it’s really new to the table, right? It’s only been a big deal over maybe, what, the last three years or something.
Jon: Yeah, that’s true. And you led perfectly into my next question here, which is: Is it actually more secure to have it on your phone versus on the card?
Eric: Without going too deep in the bits and bytes and technical piece of this, the short answer is yes. And the reason for that is that on your device, whether it’s an Apple device or some other competing device, the card information is stored in a sequestered physical component on the phone.
There is a linkage made to the issuing bank. And you are not actually giving them your card number, you are giving them the card information that is presented by the wallet, which is not the same as your card number.
And then on the back end, it’s all connected back to the issuing bank. So the card information never goes to the merchant in the way that it does when you do a magstripe swipe.
Jon: I didn’t realize that. So all the information is, for lack of a better term, hashed somewhere on the way. Is that right?
Eric: Yeah. And it’s been tokenized in its presentation to the merchant.
Jon: And is there a way for a sufficiently smart criminal to spoof those tokens and those hashes?
Eric: If you have the original credit card information, you could then input it into a wallet and do what it creates when you put it in a wallet on an Apple device. It creates a new token, right?
Do you use a wallet on your phone by any chance?
Jon: I do have a wallet on my phone that has a fingerprint ID that fails about 40% of the time.
Eric: So, when you put a card into that wallet, one of the things it does is it talks to the bank to make sure it’s OK to do it. And the issuing bank actually contacts you and says, “Hey, I’m doing this.”
You may recall that the first time you put your card in the wallet, Bank of America, or whomever your original bank was, sent you a note saying “I’m adding this card. Is that OK?”
Jon: OK.
Eric: So it becomes much more difficult to add a card in a fraudulent fashion to an Apple Wallet, or Google Wallet, or any of those. I don’t want to say it’s just Apple that makes that safe.
The other aspect of the card security that is really a big deal here, the more we think about it, is whether the Apple phone is safe. Are we making it difficult to access the phone both physically and electronically?
Of course, we all know about Face ID, and Touch ID, and that kind of thing, which is a big step up from four-digit PIN numbers. But it’s demonstrated to have some weaknesses still. So more secure than a PIN number, but not 100% foolproof.
Jon: And how many people, if you have an estimate handy, actually use those security features, versus keeping their phone unlocked or using something that is relatively easy to break, like a four-digit PIN?
Eric: I haven’t dug into this particular issue very much, so I’m going to be a little bit vague here, unfortunately. But it appears that because of the way that Apple does this — they just ask you during phone setup to turn on Touch ID or Face ID — that, and please don’t quote me as this is exactly right, maybe 90% of people with phones with those capabilities are using them. And one of the reasons why is that Face ID is a thousand times easier than a four-digit PIN.
Jon: It is, except when you have a 5-year-old that keeps staring at the phone, wondering whether you unlocked it or not.
Eric: That’s exactly true. But it turns out you aren’t careful sometimes about the direction you hold the phone or whatever.
But, yeah, in general Touch ID and Face ID are much easier for the end user. So one of Apple’s approaches to security has been to make stronger security capabilities also easier to use.
Jon: Got it. That’s super helpful. So it sounds like the big thing here that Apple is touting — from your perspective, at least, from a security point of view — is their wallet, which is among many, many other wallets on the market, as you mentioned.
Do you think there is any intrinsic difference to the Apple Wallet based on what we’ve heard so far versus a Google Wallet, or a Samsung Wallet, or any of the other 500 wallets out there? Chase Pay …
Eric: I don’t think there is any, when you get down to the technical level of how it’s implemented, any huge difference with the soul, with one exception. And that exception is that those other wallets on an Apple device — if you are an iPhone user, like a lot of people are, and they are using Chase Pay, or business wallet, or whatever — can’t actually use the sequestered physical storage that the Apple Wallet uses. And that makes a difference.
Other than that, there’s not a huge difference.
Jon: So what about the 55% to 60% of the market that is on Android. Is there an equivalent sequestered portion of the phone?
Eric: My understanding is that there is, and it works with Google Wallet. And then for Samsung phones, with whatever wallet they have.
Jon: OK.
Eric: To caveat that just a little bit, I haven’t looked at them as much as I have with Apple. So I’m not 100% sure.
Jon: But if that was the case, and I totally get that you are not 100% sure, then it sounds like the best wallet you can use is the one that comes preinstalled from the manufacturer on whatever device you use.
Eric: I think that is a completely true statement.
Jon: OK.
Eric: Where I would say that I like the Apple idea of the Apple Card is, one, we get rid of any physical security issue on the Apple Card, because we’ve gone to a chip. And we’ve eliminated all of the physical — the number, and that CVV, and etc. — off the card.
Jon: That is super interesting, so thank you.
One last question here as we are running on time: You’ve listed a few things that consumers can do to protect themselves and their personal information when they have a wallet. What about when they don’t?
What about for all of us who are still using plastic cards, the rare metal card or the even rarer wooden card?
Eric: Of the two components of card security that have always been issues, one is the physical card itself, right? If someone else gains access to your physical card, they can charge a bunch of money on it and there is nothing you can do to stop them.
So protecting physical access to your card is very important, and this is why Apple is touting the fact that it doesn’t have any information on it, except for the chip, which means you have to do chip-and-PIN or chip-and-signature. Good idea.
The second aspect is where your card is used and where the magstripe is swiped. So being cognizant that there are lots of bad guys out there who capture credit card information using things called card skimmers, which are false fronts deployed on top of either an ATM or a POS device.
You want to be really thoughtful about not using, say, an ATM that is just in the wall of a building out on the street, because it’s extremely easy to install a card skimmer on those ATMs. Same thing with POS devices, small convenience stores like the one down your street — and I don’t mean to pick on those guys, but this is just reality: That’s where most POS card skimmers get installed at.
Think about a gas station: there is one person working there. If he gets distracted, it’s really easy for a malicious person to put a card skimmer on a POS, honestly.
Jon: Yeah, that’s true. One final final question, but it’s an easy yes/no: You think you are going to apply for an Apple Card when it comes out?
Eric: Being the ridiculously invested-in-Apple-devices guy that I am, I probably will.
Jon: Good to know. Thank you very much for your time.