A decade ago, a group of Johns Hopkins University grad students tried to hack one of the first commercially popular Near Field Communication payment systems – the kind of technology at the heart of Apple’s new mobile payment system. It took a few thousand dollars in gear and a few months of work. But the system, ExxonMobil's Speedpass, was entirely hackable.
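A decade ago, a group of graduate students at Johns Hopkins University were already trying to attack a payment system based on Near Field Communication (NFC), a technology then fairly popular commercially and the core of Apple's newest mobile payment system. The students spent a few thousand dollars building a small device and, after several months of effort, left ExxonMobil's electronic payment system thoroughly compromised.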
The key was reverse engineering the computer chip that broadcast the payment information for Speedpass. With hacking gear loaded into the back seat of an SUV, the students were able to spoof the Speedpass key fob.
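The key to the attack's success was reverse engineering (also called reverse technology: a process of reproducing a product's design, in which a target product is analyzed and studied in reverse to derive design elements such as its processing flow, organizational structure, functional characteristics and technical specifications, in order to build a product that is functionally similar but not identical), which caused the payment information in the computer chip for the electronic payment system to leak out. With this device, which could be placed in the back seat of an SUV, the students could effortlessly spoof ExxonMobil's electronic payment key fob.
“We could then just go out and buy things in your name,” recalled Matthew Green, now a research professor at Johns Hopkins who specializes in cryptography. “It was a fun project.”
“We could go out and buy all kinds of things in your name,” recalled Matthew Green, now a research professor at Johns Hopkins University specializing in cryptography. “That was a really fun experiment.”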
That may sound like a cautionary tale about the security of Apple Pay, which the company announced to fanfare on Tuesday as an efficient, secure new way to pay for a wide range of goods. But in fact, experts are excited about Apple Pay, arguing that it may herald a new era in transaction security and help end the rash of data breaches that have hit major retailers in recent years.
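As far as the security of Apple's payment technology is concerned, this sounds like a warning. At Apple's launch event on Tuesday, the company announced that Apple Pay, a new, efficient and secure means of payment, can be used to buy the vast majority of goods. Experts are full of enthusiastic praise for the technology, saying that it brings secure transactions into a new era and can put an end to the perennial problem of data breaches, giving a glimmer of hope to the many retailers that have been hit in recent years.
Why?
So what is the reason behind it?
For starters, there are crucial differences between a Speedpass key fob and the iPhone that will be at the heart of Apple Pay. A key fob is dumb; it can transmit information but can’t do much else. An iPhone is smart; it can transmit information but also ask its user questions, such as: Do you really want to buy $75 worth of gas? To complete the transaction, the owner of the iPhone will have to confirm payment by placing a finger on the iPhone’s fingerprint reader, which comes standard on the iPhone 5S, as well as the new iPhone 6 and iPhone 6 Plus.
First, the decisive difference lies between the electronic payment key fob and the iPhone, the tool that Apple Pay relies on. A key fob cannot talk; apart from transmitting information it has no other use at all. An iPhone, however, is very smart. It can not only transmit information but also ask the user to confirm an action once more, for example: Do you really intend to buy $75 worth of gas? The iPhone's owner must also complete fingerprint authentication by placing a finger on the Home button before the transaction can be completed. This fingerprint recognition technology has been in use since the 5S and applies equally to the newest iPhone 6 and iPhone 6 Plus.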
This two-step process, experts say, could mark a major step forward in security of billions of dollars of transactions every day, particularly in the United States where antiquated credit card technology – long replaced in much of the world – is still the norm. This offers criminals mass hacking opportunities, as Target, Neiman Marcus, Home Depot and their customers have learned to their great dismay.
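Experts believe this two-step procedure provides sufficient security for transactions involving huge sums of money, and so the technology is a major advance in the field of transactions. This is especially so for the United States: outdated credit card technology is gradually being replaced around the world, but that is a long process, so credit card technology remains the common, standard means of transaction for now. This gives criminals plenty of opportunities for computer-based hacking, and as unlucky victims that have already been hacked, big-name companies such as Neiman Marcus and Home Depot, along with their customers, have suffered badly.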
But more secure – even much more secure – is not the same as totally secure. Again, Apple offers a useful example. Security experts say iPhones are, in general, more secure than Android phones from viruses, hacks and government surveillance. But that superior security didn’t stop some sleazy, tenacious criminals from finding a way to steal intimate pictures from dozens of Hollywood celebrities and post them online.
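But more secure, even far more secure, is not the same as absolutely secure. Apple recently became a “cautionary example” once again. Security experts say that with respect to viruses, hacking, government control and so on, Apple's system is generally more secure than Android. But that strong security still failed to stop some vulgar yet tenacious criminals, who found a way to steal private photos of more than ten Hollywood celebrities and put them on a website. (This is the recent, much-discussed “Hollywood nude photo scandal.”)
The weak point in Apple’s photo security, several experts have concluded, was not the iPhones used for taking many of the pictures; instead it was Apple’s iCloud service, which is both newer and less secure than the iPhone itself.
As for the weakness in Apple's photo security, the experts have concluded that the problem lies not with the iPhone used to take the photos but with Apple's cloud service, which is much younger than the phone and therefore less secure than the phone itself.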
So what is the weak point in Apple Pay? Again, the iPhone itself has a strong set of security systems. The same may not be true of your thumb. People leave fingerprints everywhere, especially on the glass surfaces of their smartphones. Could somebody steal your thumb print and verify a purchase on Apple Pay without the actual iPhone’s owner knowing?
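So where is Apple Pay's weak spot? The Apple phone itself has an effective set of security mechanisms. But your fingerprint can be faked. People inadvertently leave their fingerprints everywhere, especially on the glass surfaces of their smartphones. Could someone steal your fingerprint and, without your knowing anything about it, use your phone to verify and purchase goods? (We have no way of knowing.)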