6 of Apple's biggest security issues

Apple has strived to portray Apple Pay as the trusted, go-to mobile payment option for its customer base, but the company's own security problems have undermined this effort.

Some of these issues are tied directly to payments and security, particularly in Apple Pay's earliest days. Others are indirect problems that erode trust in Apple's brand, and tie into the broader discussion around how much privacy consumers are willing to give up to be a part of an increasingly high-tech, mobile and social world.

This item is compiled from reporting by PaymentsSource writers including John Adams, Kate Fitzgerald, David Heun and Michael Moeser. Click the links in each item to read more.

FaceTime turns iPhones into spies

A customer uses FaceTime on an Apple Inc. iPhone smartphone device whilst waiting outside the Apple Inc. store at Covent Garden in London, U.K., on Friday, Sept. 25, 2015. The latest models, following a hugely popular design overhaul last year that added bigger screens, may not match the success of previous releases, according to analysts. Photographer: Chris Ratcliffe/Bloomberg
There's a growing concern among smartphone users that certain apps, such as Facebook, are using the phone's mic to listen to users' discussions to target ads. While this has been disputed, it's clear that consumers are afraid of their phones spying on them.

Thus, the recent news that Apple's FaceTime app can do just that has mainstream news sites urging consumers to shut off the feature. Apple has since disabled Group FaceTime — the function used for this eavesdropping exploit — but it must rely on consumers to then re-activate FaceTime to continue using the feature. And many consumers are likely to leave well enough alone.

While FaceTime isn't inherently a payment app, Apple has steadily been transforming its other messaging platform, iMessage, into a venue for payments. If it has any hopes of doing the same with FaceTime, the service itself needs to be trusted.

Face ID's 'evil twin' problem

Phil Schiller, senior vice president of worldwide marketing at Apple Inc., speaks about the iPhone X during an event at the Steve Jobs Theater in Cupertino, California, U.S., on Tuesday, Sept. 12, 2017. Apple Inc. unveiled its most important new iPhone for years to take on growing competition from Samsung Electronics Co., Google and a host of Chinese smartphone makers. Photographer: David Paul Morris/Bloomberg
Face ID, a security mechanism unrelated to FaceTime, has its own set of security issues. Although Apple's facial recognition system is a huge improvement over Apple's Touch ID fingerprint system — a stranger has a one in a million chance of fooling Face ID, compared to a one in 50,000 chance of fooling Touch ID — it's much more vulnerable to being fooled by the people closest to the iPhone's owner.

"If you happen to have an evil twin, you really need to protect your sensitive data with a passcode," warned Phil Schiller, Apple's senior vice president of worldwide marketing, in a 2017 presentation announcing the first iPhone X.

This is an admission that relatives have better odds of fooling Face ID. Schiller went on to connect the dots for anyone who wasn't clear on the implications of this:

"Face ID also works with Apple Pay," Schiller said. "You look at iPhone X to authenticate and hold it near the payment terminal to pay."

Apple shows a lack of confidence in Touch ID

A customer tries out the new Touch ID fingerprint scanner on an Apple Inc. iPhone 5c during the launch at a Verizon Wireless store in West Valley City, Utah, U.S., on Friday, Sept. 20, 2013. Apple Inc. attracted long lines of shoppers at its retail stores today for the global debut of its latest iPhones, in the company's biggest move this year to stoke new growth. Photographer: George Frey/Bloomberg
Apple's Touch ID was among the first fingerprint authentication systems to come built into smartphones, but even Apple didn't trust it fully.

iOS 9, which introduced Touch ID, also raised the minimum lock-screen PIN length to six digits, compared with the four-digit minimum used for earlier versions of iOS.

The reason is that Touch ID is still optional for unlocking the phone; if a user can't activate Touch ID or chooses not to use it, the phone always falls back to PIN authentication. Users may be more trusting of Apple's devices now that they have biometric authentication, but thieves know that all they need to get in is a PIN. Apple also warns users against easily guessed PIN codes, such as Kanye West's "000000," but users can ignore that warning.

Card thieves were quick to exploit Apple Pay

A sign for the launch of the Apple Pay system, from Apple Inc., is seen displayed at the entrance to a McDonald's Corp. restaurant in London, U.K., on Tuesday, July 14, 2015. Apple Inc. is making the U.K. the first market outside the U.S. for its digital-wallet system as the company fights for a place in the electronic-payments industry. Photographer: Chris Ratcliffe/Bloomberg
Shortly after Apple Pay's launch, some critics blamed its enrollment procedures for enabling scammers to link stolen cards to Apple's mobile wallet. This created an illusion of security, since Apple Pay transactions were presumed to have been protected by biometric authentication.

The issue, which led some to claim that 6 percent of early Apple Pay transactions were fraudulent, stemmed from the amount of vetting each bank did when approving one of its cards to be on Apple Pay.

Apple left it up to banks to decide whether to require a phone call, text message or other verification when enrolling new cards. All of these methods introduced friction, of course, so banks had to decide on their own how much security to require before allowing a card to be linked to Apple Pay.

The celebrity nude photo scandal

Tim Cook, chief executive officer of Apple Inc., speaks about new features of the iCloud during an event at the company's headquarters in Cupertino, California, U.S., on Tuesday, Oct. 4, 2011. Photographer: David Paul Morris/Bloomberg
Perhaps no security scandal was worse timed than the exposure of nude celebrity photos on Apple's iCloud, just ahead of the 2014 announcement of Apple Pay.

At the time, Apple's response was to blame the victims. In a statement on its website, Apple said: "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions ... None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."

Apple's Smurfberry snafu

Before there was Apple Pay, Touch ID and FaceTime, there was Smurfs' Village, an iPhone game that became notorious for charging parents up to $99.99 per wagonful for Smurfberries without their explicit permission.

The problem was how Apple and Capcom, the game's publisher, handled authentication. After downloading the free-to-play game, neither company required further authentication to approve the purchase of Smurfberries for a limited period of time.

The incident led Apple to update its policies in 2011 to require additional authentication for in-app purchases, and eventually led to a settlement with the Federal Trade Commission in 2014 in which Apple agreed to refund $32 million to consumers for in-app purchases in several of its mobile games.