Banks rubbish Apple's security claims over NFC access

Apple's claims that opening up access to the NFC chips in its iPhones would compromise the device's security are unfounded, three of Australia's biggest banks say.

Westpac, NAB, and the Commonwealth Bank, alongside Bendigo and Adelaide Bank, are currently lobbying the ACCC to let them join forces to pressure Apple into providing access to its NFC chips so they can offer their own mobile wallets on the iPhone.

The banks started their campaign in July when they asked the ACCC to let them form a cartel. Their request for interim approval was denied in August, and the ACCC is expected to make a longer term decision imminently. 

The banks argued Apple is limiting competition and customer choice by restricting them from offering services on iOS as they do on Android. Apple uses the NFC chip to run its Apple Pay mobile payments platform.

Apple has claimed, among other things, that opening up NFC access would compromise the security of its devices.

However, in their latest submission to the debate, the banks on Friday rebuffed Apple's claims and said the tech giant had failed to provide any evidence that opening up the NFC function would affect the security of the iPhone and any mobile payments platform running on it.

Apple had cited cases where Android devices were susceptible to third-party attacks via malicious apps that use the device as an NFC reader, where attackers could obtain Samsung Pay tokens used by its MST [magnetic secure transmission] hardware, and where access to the NFC radio on Android could be exploited via published APIs.

"It is important to distinguish between potential security issues that happen to involve Android devices, and the suggestion that the potential security issues actually arise because of the provision of access to the Android NFC function," the banks said in their submission.

"None of the claims about potential security issues are directly linked to the provision of access to NFC functionality."

The banks said each of Apple's examples involved older and less secure payments methods, or card details store in cleartext on merchant servers.

"The applicants are not aware of any report that the payment methods used by NFC mobile wallets have been compromised on any platform," they wrote.

"That is, if an authentic card is added to an NFC mobile wallet with security features that may include a hardware secure element, tokenised credentials and strong encryption, a secure customer verification method such as a long PIN or fingerprint verification, and a dynamic cryptogram generated for each transaction, it does not appear to have been demonstrated even in a controlled environment that these credentials can be stolen and used for fraudulent transactions."

The banks argued NFC payments - which they said are typically low-value - presented a lower security concern than the sometimes large-value payments initiated through web browsers, QR codes, mobile banking apps and Bluetooth connections, which aren't always recoverable in cases of fraud, like NFC payments are.

"Apple has not provided any credible argument to the applicants that granting access to the iPhone’s NFC function would present a particular threat to the security of iPhone payments or any plausible harm to iPhone users," they told the ACCC.

"If it has provided any such argument to the ACCC on a confidential basis, the applicants urge the ACCC to test this argument with an independent technical and security expert.

"Otherwise, the only conclusion to be drawn is that Apple is refusing to provide access to the NFC function in order to prevent competition with Apple Pay and avoid any downward pressure on the supra-competitive fees it can charge for Apple Pay."

Last week Apple signed a deal with payment solutions provider Cuscal to bring Apple Pay to 31 of Australia's smaller banks and financial institutions.

Cuscal said it will "soon" enable Apple Pay for the likes of Teachers Mutual Bank, My State, Credit Union Australia, Defence Bank, and Australian Unity, among others.