Apple's iCloud Scandal Problematic for iWallet

For Apple, the timing couldn't be worse to launch a mobile wallet.

The Cupertino, Calif., company is investigating reports that vulnerabilities in its iCloud storage service led to the leak of intimate photos of Jennifer Lawrence, Kate Upton and many other celebrities. Even if Apple is blameless, the high-profile incident erodes the perception that iCloud is a secure service and could create doubts about Apple's ability to protect other sensitive information, such as payment credentials in its expected iWallet.

Apple may launch a mobile wallet next week when it unveils its next iPhone, and it has reportedly partnered with Visa, MasterCard and American Express as part of this effort. Last year, Apple set the foundation for a mobile wallet through the launch of the iCloud keychain, which stores users' credit card information for online shopping.

Mobile wallets can be a tough sell for many consumers, and brand image is a key element in winning their trust. The telcos behind the Isis mobile wallet learned this lesson, and have committed to rebrand their product to eliminate any possible association with the ISIS militant group.

In the wake of the celebrity photo leaks, "Apple has to provide the utmost of security and strong authentication to really assure the consuming public that their personal information and payment credentials are safe," said Richard Crone, chief executive of San Carlos, Calif.-based payments consulting firm Crone Consulting LLC.

The celebrities' leaked intimate photos were likely obtained through brute-force password cracking of iCloud accounts, according to reports. ICloud is Apple's remote storage service, which can keep automatic backups of photos and other data from users' iPhones and iPads. Apple has confirmed it is looking into these reports, according to The Wall Street Journal and CNN.

Apple did not respond to PaymentsSource inquiries by deadline. In a statement on its website, Apple said: "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions... None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone."

Apple has survived negative publicity before. The iPhone brand remains strong after the 2010 "Antennagate" scandal, in which users saw the smartphone's signal weaken when held a certain way. And Apple's brand overall has weathered the steady spotlight on labor practices of its suppliers in China.

"We've seen in the past that Apple has a fairly resilient brand," said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

A few years ago Apple endured some negative publicity when consumers learned the iPhone's tracking capabilities could reveal their location even when the phone was switched off, Conroy said. "But this is a beloved consumer brand and those types of things fade away fairly quickly."

If Apple is determined to launch a mobile wallet next week, the iCloud scandal will not deter it, Conroy added.

"With the brands involved... there is just too much lined up and too much at stake in a launch for Apple to do any sort of delay," Conroy said. In addition, early indications are that the photo scandal has more to do with "poor credential management" on individual accounts than it does with a problem with Apple hardware, Conroy said.

Even if iCloud was not to blame for the celebrity photo leaks, any Apple wallet would face strong scrutiny from security researchers. Earlier versions of Google Wallet and the Starbucks app made headlines for security lapses that have since been addressed.

Apple has been steadily emphasizing its security capabilities, most notably through the addition of the TouchID fingerprint system in last year's iPhone. And if Apple finally adds Near Field Communication technology to its handsets, it will be able to store data in the device's secure element rather than in the cloud.

If Apple is working directly with the card brands, it would likely have even more security tools at its disposal, including tokenization of card data when payments are initiated through mobile devices.

"They have the ability to do multi-factor authentication that ties the device to the consumer, their user name and password to that device, with biometrics capability for simplifying the process as well," Crone said.

A hacker getting through the front door of iCloud to steal photos is far different than "the Fort Knox that Apple has in securing and protecting payment credentials," Crone added. And Apple has already demonstrated its ability to protect payment data through the 800 million iTunes accounts it manages, he added.

"No bank has that many payment credentials stored," Crone said.

For reprint and licensing requests for this article, click here.
Bank technology California
MORE FROM AMERICAN BANKER