I Broke All of Bank of America's Card Terminals With Apple Pay

Inframan · Dec 18, 2014

So this was to say none the least of an awkward moment for me yesterday. I was in the Bank of America Branch in North Hollywood yesterday (Might I add it was packed with people) and I walked up to the window to make a deposit and instead of sliding my card to verify my identity I thought I would try using my 6 Plus to see if it would use my thumb print to verify it instead of using my physical card.

I placed my phone near the terminal. my Bank of America card showed up, I placed my thumb on the the sensor and it all appeared to work fine and it even said "Done" - Both me and the lady were impressed that I could verify myself without using my card!

And then it happened, None of the 10 plus terminals would allow anyone to use their debit card to verify their identity. Mine also did not work. The entire bank came to a halt. I was crapping myself that I was about to get into some deep trouble here.

Basically they had to restart all their computers, restart all the terminals and then finally they all worked again.

So needless to say, there is a major bug that Apple and Bank of America needs to work out here. On another note it would be nice if they enabled this feature and it actually worked!

JulesJam · Dec 18, 2014

Inframan said:
I was crapping myself that I was about to get into some deep trouble here.

How could you possible get in trouble for this? Clearly a bug in their system. Not your fault.

Mlrollin91 · Dec 18, 2014

Inframan said:
So needless to say, there is a major bug that Apple and Bank of America needs to work out here. On another note it would be nice if they enabled this feature and it actually worked!

I don't think that its a bug, the computer system just didn't know how to respond. When you swipe your card at the bank, its your debit card and it still requires the pin in order for them to access your account. Well there is no way to enter the pin into ApplePay, therefore the system didn't know how to react.

Yes you can use debit cards with ApplePay but you are paying via 'credit' or you still have to input your pin on the terminal if you pay via 'debit'.

So, IMO its not a bug with Apple and not really with BofA. The system just didn't know what you were trying to do.

bradl · Dec 18, 2014

The issue now is this: can this be reproduced?

Could the OP try this elsewhere? For example, at the BofA at the Grove? Van Nuys? the branch by Santa Monica Pier? If this can be reproduced at any other bank, then this is definitely a problem. Restarting everything is a quick bandaid, but isn't the solution.

The next question after that: what could be done while all terminals are down? In short, You've discovered the bug; what could be exploited while the bug is used? I ask not to be malicious, but because depending on what could be exploited determines the severity of the bug. Since this is pertaining to PCI data, once a critical bug and patch for it has been created, there is a certain finite window of time that the patch must be implemented (IIRC, the PCI/DSS spec recommends within 30 days unless specified by the client).

For the moment, what you've found could be considered a major Denial of Service. BofA needs to get on the ball for this.

Also, to make sure this isn't an Apple Pay bug, someone needs to try this at any other bank that currently supports Apple Pay.

BL.

markyr17 · Dec 18, 2014

Mlrollin91 said:
I don't think that its a bug, the computer system just didn't know how to respond. When you swipe your card at the bank, its your debit card and it still requires the pin in order for them to access your account. Well there is no way to enter the pin into ApplePay, therefore the system didn't know how to react.

Yes you can use debit cards with ApplePay but you are paying via 'credit' or you still have to input your pin on the terminal if you pay via 'debit'.

So, IMO its not a bug with Apple and not really with BofA. The system just didn't know what you were trying to do.

Soooooo.... It's a bug that needs to be fixed. A bug is something that stops a system from working properly.

Mlrollin91 · Dec 18, 2014

markyr17 said:
Soooooo.... It's a bug that needs to be fixed. A bug is something that stops a system from working properly.

Not if the system isn't meant to do that task in the first place. That's not a bug. That's a consequence for running a task that something isn't designed to do. A bug is something that prohibits an operation that is meant to take place.

markyr17 · Dec 18, 2014

Mlrollin91 said:
Not if the system isn't meant to do that task in the first place. That's not a bug. That's a consequence for running a task that something isn't designed to do. A bug is something that prohibits an operation that is meant to take place.

So it's not a bug that I can go into a bank of america with my phone and effectively break their whole ATM system? .....

lordofthereef · Dec 18, 2014

Mlrollin91 said:
I don't think that its a bug, the computer system just didn't know how to respond. When you swipe your card at the bank, its your debit card and it still requires the pin in order for them to access your account. Well there is no way to enter the pin into ApplePay, therefore the system didn't know how to react.

Certainly something strange went on here, but I have had terminals at the grocery store ask me for my PIN when using Apple Pay. I have no idea what happened here, but asking for a pin is certainly still possible.

For all we know this may have been some hickup in their system that coincidentally happened at the right moment in time and is completely unrelated to Apple Pay. I can't imagine the OP is the first one to have ever tried this at the thousands of BofA branches that exist.

bradl · Dec 18, 2014

lordofthereef said:
Certainly something strange went on here, but I have had terminals at the grocery store ask me for my PIN when using Apple Pay. I have no idea what happened here, but asking for a pin is certainly still possible.

For all we know this may have been some hickup in their system that coincidentally happened at the right moment in time and is completely unrelated to Apple Pay. I can't imagine the OP is the first one to have ever tried this at the thousands of BofA branches that exist.

Hence why I was asking if this can be reproduced. This needs to be validated at another BofA location. If the same thing happens there (the systems should be the same across the board), then what you have is a tool that creates a denial of service to other customers/users of those systems.

So before anyone calls this a 'bug' we need to find out if this can be reproduced, the powers-that-be need to be notified of it, and if the same thing would occur at other banks that support Apple Pay.

If it doesn't happen at any of the other banks, then it definitely is a BofA problem. If it happens at other banks, then we are looking at a bank and Apple Pay problem.

BL.

lordofthereef · Dec 18, 2014

bradl said:
Hence why I was asking if this can be reproduced.

Thanks. I read that post. But that's why I wasn't responding to it. It's on point.

JulesJam · Dec 18, 2014

lordofthereef said:
For all we know this may have been some hickup in their system that coincidentally happened at the right moment in time and is completely unrelated to Apple Pay.

Bingo!!!! We have a winner!!!

Temporal Correlation vs. Causation.

----------

bradl said:
The issue now is this: can this be reproduced?

You win too!

The Doctor11 · Dec 18, 2014

JulesJam said:
How could you possible get in trouble for this? Clearly a bug in their system. Not your fault.

They may not know that. They might blame you for doing something your not suppose to or something stupid like that

JulesJam · Dec 18, 2014

The Doctor11 said:
They may not know that. They might blame you for doing something your not suppose to or something stupid like that

And what "trouble" would they be able to get you in? Call the cops? For what, what crime would they be reporting? Sue you civilly? Under what cause of action?

Seriously, you have to have done something WRONG for you to get in trouble. What did the OP do wrong? What would they blame him for?

JayLenochiniMac · Dec 18, 2014

That's hilarious. Don't worry about it though. This happens all the time with power outages too.

bradl · Dec 18, 2014

JulesJam said:
And what "trouble" would they be able to get you in? Call the cops? For what, what crime would they be reporting? Sue you civilly? Under what cause of action?

Seriously, you have to have done something WRONG for you to get in trouble. What did the OP do wrong? What would they blame him for?

Exactly. For all intents and purposes, this could be a valid test/use case for Apple Pay. Albeit at a BofA branch, it still is a terminal; also, when Cook announced Apple Pay and which banks supported it, they didn't explicitly say how it was supported. We all have the (correct) assumption that it would be directly to our bank accounts; the funds come out of the consumer's account, through the bank, to the merchant. There wasn't an exception or exclusion for if the merchant and the bank were the same entity.

In fact, I don't think any bank supporting Apple Pay has taken that into consideration..

BL.

Inframan · Dec 19, 2014

Hey guys, I'm sitting outside in my car right now outside of another Bank Of America and the same thing happened, this one is in studio city. Just wanted to update you guys.

JayLenochiniMac · Dec 19, 2014

Inframan said:
Hey guys, I'm sitting outside in my car right now outside of another Bank Of America and the same thing happened, this one is in studio city. Just wanted to update you guys.

So you actually tried to reproduce the issue as a couple of members suggested to determine cause and effect? Wow.

bradl · Dec 19, 2014

JayLenochiniMac said:
So you actually tried to reproduce the issue as a couple of members suggested to determine cause and effect? Wow.

I would say that this is a good thing. My suggestion was not intended to be malicious; if a bug/problem can be reproduced, then those that can actually fix it have a way to not only trigger the problem, but look at and debug their systems to see exactly what is happening while the problem occurs. From there, they code the fix and get it out.

Who knows? This could actually be a problem with the terminals being used. So this could go all the way back to being a firmware problem on the terminal. If so, then every bank or merchant using that terminal may be impacted. So this could potentially be a bigger issue than realized.

To be honest, the OP needs to get hold of as many BofA managers as he can, and not only tell them of the problem, but show them. When it comes to PCI and PII data, having that data protected is the most paramount thing, especially against any exploit that could use this maliciously.

BL.

JayLenochiniMac · Dec 19, 2014

bradl said:
I would say that this is a good thing. My suggestion was not intended to be malicious; if a bug/problem can be reproduced, then those that can actually fix it have a way to not only trigger the problem, but look at and debug their systems to see exactly what is happening while the problem occurs. From there, they code the fix and get it out.

Who knows? This could actually be a problem with the terminals being used. So this could go all the way back to being a firmware problem on the terminal. If so, then every bank or merchant using that terminal may be impacted. So this could potentially be a bigger issue than realized.

To be honest, the OP needs to get hold of as many BofA managers as he can, and not only tell them of the problem, but show them. When it comes to PCI and PII data, having that data protected is the most paramount thing, especially against any exploit that could use this maliciously.

BL.

You're exaggerating the problem. Not too many people are going to attempt to authorize with TouchID foolishly thinking it'd work at a branch and the OP didn't have to go out of his way to shut down an entire bank to test some members' theory.

JulesJam · Dec 19, 2014

Inframan said:
Hey guys, I'm sitting outside in my car right now outside of another Bank Of America and the same thing happened, this one is in studio city. Just wanted to update you guys.

Well now for sure you are going to get in trouble because you did it intentionally!!! LOL!

Seriously, if you want it fixed, I would just report it to BAC and Apple and then leave it up to them to fix it. Until then, don't do it again.

----------

JayLenochiniMac said:
You're exaggerating the problem. Not too many people are going to attempt to authorize with TouchID foolishly thinking it'd work at a branch and the OP didn't have to go out of his way to shut down an entire bank to test some members' theory.

Meh. There is a serious problem with their system and they need to fix it. He actually did them a favor.

JayLenochiniMac · Dec 19, 2014

JulesJam said:
Meh. There is a serious problem with their system and they need to fix it. He actually did them a favor.

A "serious" problem because someone foolishly attempted to use Apple Pay at a bank branch as unadvertised? Surely you're exaggerating big time

bradl · Dec 19, 2014

JulesJam said:
Seriously, if you want it fixed, I would just report it to BAC and Apple and then leave it up to them to fix it. Until then, don't do it again.

Exactly. This is how bugs get fixed, especially in the Software Design Life Cycle:

Report the bug.
Allow the Quality Assurance group to try to reproduce it. Send the bug and data during reproduction of the bug to developers.
Developers code a fix for the bug.
Q/A tests/verifies that the bug fixes the problem.
fix goes out in the next release of the application running the terminals.

JulesJam said:
JayLenochiniMac said:

You're exaggerating the problem. Not too many people are going to attempt to authorize with TouchID foolishly thinking it'd work at a branch and the OP didn't have to go out of his way to shut down an entire bank to test some members' theory.

Click to expand...

Meh. There is a serious problem with their system and they need to fix it. He actually did them a favor.

This, and then some. You don't brush something like this under the rug just to save other people's use of the terminals. That leaves the vulnerability/problem there for someone to maliciously exploit. Better to have that reported and fixed, with an announcement disclosing the problem and that the fix is already in use, than to keep hush on it and have someone use the bug to not only effectively shut other customers out from their accounts, but compromise a bank's security.

BL.

JayLenochiniMac · Dec 19, 2014

bradl said:
This, and then some. You don't brush something like this under the rug just to save other people's use of the terminals. That leaves the vulnerability/problem there for someone to maliciously exploit. Better to have that reported and fixed, with an announcement disclosing the problem and that the fix is already in use, than to keep hush on it and have someone use the bug to not only effectively shut other customers out from their accounts, but compromise a bank's security.

Not disputing the above, but OP can simply report it and not go out of his way to "test" the system to reproduce the problem. You've contradicted yourself in the post above, agreeing with another member that the OP is better off reporting it and not doing it again then saying the opposite in seeing nothing wrong with his reproducing the issue.

goobot · Dec 19, 2014

Has anyone tried it at another type of bank other than BofA?

bradl · Dec 19, 2014

JayLenochiniMac said:
Not disputing the above, but OP can simply report it and not go out of his way to "test" the system to reproduce the problem. You've contradicted yourself in the post above, agreeing with another member that the OP is better off reporting it and not doing it again then saying the opposite in seeing nothing wrong with his reproducing the issue.

Not exactly. to put it short, the OP actually did the QA person's job, by showing and proving to the bank/managers at the bank that it is reproducible. that actually helps them instead of inhibits them. No contradiction there at all.

Again, if the intent of the reproduction is not malicious, there is no problem in reproducing it for the managers to see.

BL.

I Broke All of Bank of America's Card Terminals With Apple Pay

macrumors 6502

Suspended

macrumors G5

macrumors 603

macrumors 65816

macrumors G5

macrumors 65816

macrumors G5

macrumors 603

macrumors G5

Suspended

macrumors 603

Suspended

macrumors G5

macrumors 603

macrumors 6502

macrumors G5

macrumors 603

macrumors G5

Suspended

macrumors G5

macrumors 603

macrumors G5

macrumors 603

macrumors 603

Our Staff