They would need to double tap the side button, pick a card from the touch screen, and scan it. If you are so drunk you are not noticing this it would probably be easier to just steal the watch from you and sell it.

Lol true
 
The scenario is that it is removed from a person's wrist while incapacitated, be they drunk, sleeping, or knocked unconscious. It's already been shown that just inserting fingers behind the watch when removing it, is enough to transfer it to another wrist without the need to re-authenticate. Also, yes there are mobile NFC readers, the likes of which you'll use at bars and restaurants, so no need to remove it from your wrist at all. Just slip the unsuspecting victim a Mickey at the bar, and then when they pass out drain their bank account. This is probably the most likely scenario I see thieves perpetrating.

Oh yea. That thing with slipping the fingers under the back of the watch was hilariously stupid. And your hypothesis might even be more absurd than the OP's. Please. Before this happens, they will just wait for you to go outside, pound you to the ground, or worse, and take your wallet with the cash.

Come to think of it, there is always the possibility of a nearby massive gamma ray emission that will fry the earth, making all this worry about Apple Pay just seem trivial.
 
But I'm sure people could find a way to do it without someone knowing.

Nope. I've been wearing the watch for three weeks now. I'm sure no one could find a way to do it without my noticing unless I was roofied, and in that situation, it's not my Apple Pay that I'm worried about.

You are much more likely to get your pocket picked.
 
To "drain your bank account" the thief would have to be charging an amount of money very close to the amount in your account. I would imagine thieves would more than likely overcharge as they're generally greedy people... :D

This is all in addition to the thief having a battery-powered Apple Pay system (which doesn't exist), and having a merchant ID (as a thief that's difficult to disguise as a business), and having no prior victims notify their credit card company of fraudulent charges connected to said merchant ID, and the Apple Watch wearer would have to be oblivious to the hand on their watch, the double tap, the vibration of the watch, and the sound the machine makes.

I think this scenario is HIGHLY unlikely and as someone else said, they would rather go for your actual wallet.
 
To "drain your bank account" the thief would have to be charging an amount of money very close to the amount in your account. I would imagine thieves would more than likely overcharge as they're generally greedy people... :D

This is all in addition to the thief having a battery-powered Apple Pay system (which doesn't exist), and having a merchant ID (as a thief that's difficult to disguise as a business), and having no prior victims notify their credit card company of fraudulent charges connected to said merchant ID, and the Apple Watch wearer would have to be oblivious to the hand on their watch, the double tap, the vibration of the watch, and the sound the machine makes.

I think this scenario is HIGHLY unlikely and as someone else said, they would rather go for your actual wallet.


When u explain it that way I understand and see now it has like next to zero chances
 
Oh yea. That thing with slipping the fingers under the back of the watch was hilariously stupid. And your hypothesis might even be more absurd than the OP's. Please. Before this happens, they will just wait for you to go outside, pound you to the ground, or worse, and take your wallet with the cash.

And yet, it happened.

http://ios.wonderhowto.com/how-to/a...ieves-use-apple-pay-without-your-pin-0161940/

http://www.theguardian.com/uk/2004/dec/19/ukcrime.prisonsandprobation

http://www.marieclaire.com/culture/news/a2269/hong-kong-date-rape-drug-rohypnol-men/

http://nymag.com/thecut/2014/10/what-you-might-not-know-about-getting-roofied.html

The fact that people are still getting roofied, and it's being used to commit crimes, and now the Watch can be easily removed and used in such a situation, makes this a vulnerability to be exploited. It doesn't mean there's a high likelihood it will happen, but it's definitely a concern. People who can afford the Watch would make good targets for thieves. Frankly, the fact the Watch can't be "bricked" if stolen makes it a pretty good target by itself, especially when it currently commands high prices being in high demand and short supply. But add to that being able to access the victim's credit card and private information, makes it an even more desirable target. Then, before the victim wakes up from being drugged, the thief has already made off with a number of purchases, wiped the watch and sold it on the black market, all without the victim even knowing who did it to them.

The OP's scenario simply won't happen. Nobody can surreptitiously access your Apple Pay account without your knowledge, unless you're incapacitated. And I've given one such scenario that is already actually happening out in the world for wallets and jewelry, never mind an Apple Watch. And this isn't even addressing the far more common situation where someone passes out or falls asleep in a bar from drinking.

I guarantee in the near future we'll hear about someone's Watch being stolen and used in this manner. It's a lot neater and cleaner than beating somebody up, with less chance of getting caught, and right up the creepy tech criminal's alley -- the same guy who's putting webcams in women's restrooms and selling the feed to porn sites. However, I suspect we'll hear about somebody getting mugged the old fashioned way, while walking home from a bar, more frequently.
 
And yet, it happened.

http://ios.wonderhowto.com/how-to/a...ieves-use-apple-pay-without-your-pin-0161940/

http://www.theguardian.com/uk/2004/dec/19/ukcrime.prisonsandprobation

http://www.marieclaire.com/culture/news/a2269/hong-kong-date-rape-drug-rohypnol-men/

http://nymag.com/thecut/2014/10/what-you-might-not-know-about-getting-roofied.html

The fact that people are still getting roofied, and it's being used to commit crimes, and now the Watch can be easily removed and used in such a situation, makes this a vulnerability to be exploited. It doesn't mean there's a high likelihood it will happen, but it's definitely a concern. People who can afford the Watch would make good targets for thieves. Frankly, the fact the Watch can't be "bricked" if stolen makes it a pretty good target by itself, especially when it currently commands high prices being in high demand and short supply. But add to that being able to access the victim's credit card and private information, makes it an even more desirable target. Then, before the victim wakes up from being drugged, the thief has already made off with a number of purchases, wiped the watch and sold it on the black market, all without the victim even knowing who did it to them.

The OP's scenario simply won't happen. Nobody can surreptitiously access your Apple Pay account without your knowledge, unless you're incapacitated. And I've given one such scenario that is already actually happening out in the world for wallets and jewelry, never mind an Apple Watch. And this isn't even addressing the far more common situation where someone passes out or falls asleep in a bar from drinking.

I guarantee in the near future we'll hear about someone's Watch being stolen and used in this manner. It's a lot neater and cleaner than beating somebody up, with less chance of getting caught, and right up the creepy tech criminal's alley -- the same guy who's putting webcams in women's restrooms and selling the feed to porn sites. However, I suspect we'll hear about somebody getting mugged the old fashioned way, while walking home from a bar, more frequently.

Wow. You have it all figured out. I'm going to smash my watch and never leave my house. That way I'll always be safe. Oh wait. Home invasion will probably kill me. Think I'll keep the watch and go out and get drunk and see what happens.

This thread has clearly demonstrated that intelligence, common sense, and rationality have gone out the window for many people. You managed to let your insanity over this crazy possibility erase all the fraud that has occurred with credit cards. Yes, by all means, go back to your credit card and forget Apple Pay.
 
Haptic also goes off when the payment is accepted, so you'd get a notification as the person was trying this.
 
The scenario is that it is removed from a person's wrist while incapacitated, be they drunk, sleeping, or knocked unconscious. It's already been shown that just inserting fingers behind the watch when removing it, is enough to transfer it to another wrist without the need to re-authenticate. Also, yes there are mobile NFC readers, the likes of which you'll use at bars and restaurants, so no need to remove it from your wrist at all. Just slip the unsuspecting victim a Mickey at the bar, and then when they pass out drain their bank account. This is probably the most likely scenario I see thieves perpetrating.

In scenarios like that, they could've just as easily removed your wallet whilst you're 'drunk, sleeping, or knocked unconscious' and used pay wave directly from your card, and not had to bother slipping the finger underneath the watch. I still do not see the Apple Watch providing any additional security vulnerabilities that weren't already inherently there with contactless payment to begin with.
 
Call me paranoid but...

What's to stop someone from using a mobile Apple Pay reader and, with enough practice and training, being able to double tap the Apple Pay button without you knowing and drain your bank account?

The fact it's on your freaking wrist? How would anyone NOT notice that?
 
The fact it's on your freaking wrist? How would anyone NOT notice that?

And what, you don't have a wallet unless you wear it where people can see it? Lol.

If wearing the watch makes you feel vulnerable to crime, then don't wear the watch. But the fact is that you are vulnerable to crime whether you wear the watch or not. Learn to be aware of your surroundings, and learn what precautions you can take not to be roofied (any woman can explain it to you, it's not that hard). Learn where to wear your wallet so that it's secure (hint: not your back pocket or your jacket pocket) and know your drink limit.
 
The scenario is that it is removed from a person's wrist while incapacitated, be they drunk, sleeping, or knocked unconscious. It's already been shown that just inserting fingers behind the watch when removing it, is enough to transfer it to another wrist without the need to re-authenticate. Also, yes there are mobile NFC readers, the likes of which you'll use at bars and restaurants, so no need to remove it from your wrist at all. Just slip the unsuspecting victim a Mickey at the bar, and then when they pass out drain their bank account. This is probably the most likely scenario I see thieves perpetrating.

Wouldn't it be easier to just take the person's wallet, jewelry, phone, keys and car?
 
In scenarios like that, they could've just as easily removed your wallet whilst you're 'drunk, sleeping, or knocked unconscious' and used pay wave directly from your card, and not had to bother slipping the finger underneath the watch. I still do not see the Apple Watch providing any additional security vulnerabilities that weren't already inherently there with contactless payment to begin with.

Right, but the difference here is, nobody knows how much you've got in your wallet, but as I posted elsewhere in these schemes where victims are slipped roofies, they are targeted for their apparent wealth, evidenced by their watches, among other things. The Watch suggests a certain level of wealth, and there's a flaw in the security that allows someone to target Watch owners and take advantage of it. I see contactless payment systems as fairly secure, particularly Apple Pay. As long as no one can steal your payment device and easily access the payment authorization. This was true for the iPhone. Evidently not so true of the watch.

I've never had a virus on my computer, or an on-line account hacked. But if there were a security exploit announced tomorrow, Apple would work around the clock to push out an update to protect me from the unlikely event I were targeted in such an attack. The Watch is no different. Apple needs to address the ability to easily remove the watch without being re-authenticated, as well as the ability to remotely "brick" it. Should these be top priorities? Probably not, but the longer a vulnerability is exposed the more likely someone will come up with a way to exploit it.

Stealing an iPhone doesn't get you much, except an iPhone to sell, which might get bricked if you try to use it in the country in which you stole it. Even if you happened upon the 4 digit unlock code within the 10 tries you had, it can be wiped as soon as the owner notices it's missing. Stealing the Watch now can get you full access to the victim's iPhone too, out of which a thief may get more than just credit card access. If you have some cash in your wallet, so much the better. Then it can all be shipped out of the country for top dollar. So it makes this kind of crime much more profitable than it previously was.

The only other way to achieve the same goal is to kidnap someone, and that escalates the crime considerably, as does armed robbery and assault, and has considerably more pitfalls. Much easier to do it quietly, and somewhat anonymously. But if Apple takes away the vulnerability, then away goes the opportunity.
 
Right, but the difference here is, nobody knows how much you've got in your wallet, but as I posted elsewhere in these schemes where victims are slipped roofies, they are targeted for their apparent wealth, evidenced by their watches, among other things. The Watch suggests a certain level of wealth, and there's a flaw in the security that allows someone to target Watch owners and take advantage of it. I see contactless payment systems as fairly secure, particularly Apple Pay. As long as no one can steal your payment device and easily access the payment authorization. This was true for the iPhone. Evidently not so true of the watch.

I've never had a virus on my computer, or an on-line account hacked. But if there were a security exploit announced tomorrow, Apple would work around the clock to push out an update to protect me from the unlikely event I were targeted in such an attack. The Watch is no different. Apple needs to address the ability to easily remove the watch without being re-authenticated, as well as the ability to remotely "brick" it. Should these be top priorities? Probably not, but the longer a vulnerability is exposed the more likely someone will come up with a way to exploit it.

Stealing an iPhone doesn't get you much, except an iPhone to sell, which might get bricked if you try to use it in the country in which you stole it. Even if you happened upon the 4 digit unlock code within the 10 tries you had, it can be wiped as soon as the owner notices it's missing. Stealing the Watch now can get you full access to the victim's iPhone too, out of which a thief may get more than just credit card access. If you have some cash in your wallet, so much the better. Then it can all be shipped out of the country for top dollar. So it makes this kind of crime much more profitable than it previously was.

The only other way to achieve the same goal is to kidnap someone, and that escalates the crime considerably, as does armed robbery and assault, and has considerably more pitfalls. Much easier to do it quietly, and somewhat anonymously. But if Apple takes away the vulnerability, then away goes the opportunity.


1. You're saying that Apple Watch makes you more of a target because it's an indication of apparent wealth. I suppose Apple's hope is that it'll eventually become so popular and commonplace just like the iPhone where owning an iPhone now doesn't necessarily mean anything.

2. Apple Watch as an indication of wealth is no different from how thieves target people who dress well or have expensive accessories, so I don't see that as a flaw in the watch's security itself.

3. If I were a thief and I have now targeted someone who I deemed to be wealthy, whether it be the way they dress or because they have an Apple Watch, I would still find it much easier to steal their wallet regardless because:

a) There's no guarantee that the person has Apple Pay activated on their watch, but for sure the wallet will have the money + card I want.

b) I'm pretty sure I'll be hard-pressed not to notice someone trying to remove my watch while slipping a finger in between the watch and my wrist. It's way easier just to pick someone's pocket.


So yeah, at the end of the day, I'm not worried. If someone's gonna steal from me, I'm sure my wallet will still be the first thing to go. If someone does somehow manage to steal my watch and if they manage to do so without reactivating the security code, luckily we still have access to iCloud on our phone to quickly disable Apple Pay. That's a lot of ifs.
 
Right, but the difference here is, nobody knows how much you've got in your wallet, but as I posted elsewhere in these schemes where victims are slipped roofies, they are targeted for their apparent wealth, evidenced by their watches, among other things. The Watch suggests a certain level of wealth, and there's a flaw in the security that allows someone to target Watch owners and take advantage of it. I see contactless payment systems as fairly secure, particularly Apple Pay. As long as no one can steal your payment device and easily access the payment authorization. This was true for the iPhone. Evidently not so true of the watch.

I've never had a virus on my computer, or an on-line account hacked. But if there were a security exploit announced tomorrow, Apple would work around the clock to push out an update to protect me from the unlikely event I were targeted in such an attack. The Watch is no different. Apple needs to address the ability to easily remove the watch without being re-authenticated, as well as the ability to remotely "brick" it. Should these be top priorities? Probably not, but the longer a vulnerability is exposed the more likely someone will come up with a way to exploit it.

Stealing an iPhone doesn't get you much, except an iPhone to sell, which might get bricked if you try to use it in the country in which you stole it. Even if you happened upon the 4 digit unlock code within the 10 tries you had, it can be wiped as soon as the owner notices it's missing. Stealing the Watch now can get you full access to the victim's iPhone too, out of which a thief may get more than just credit card access. If you have some cash in your wallet, so much the better. Then it can all be shipped out of the country for top dollar. So it makes this kind of crime much more profitable than it previously was.

The only other way to achieve the same goal is to kidnap someone, and that escalates the crime considerably, as does armed robbery and assault, and has considerably more pitfalls. Much easier to do it quietly, and somewhat anonymously. But if Apple takes away the vulnerability, then away goes the opportunity.

You seem especially afraid of getting roofied. As I posted up thread, it's not that hard to avoid. Keep track of your drink and your problem is solved. If you're really worried, order a beer in a bottle and hold it with your thumb in the top when you're not drinking.
 
In scenarios like that, they could've just as easily removed your wallet whilst you're 'drunk, sleeping, or knocked unconscious' and used pay wave directly from your card, and not had to bother slipping the finger underneath the watch. I still do not see the Apple Watch providing any additional security vulnerabilities that weren't already inherently there with contactless payment to begin with.

This. So clearly this.

Anyone trying to make an argument that physically stealing your Watch in such a manner to render it still usable for Apple Pay being anywhere near the risk of someone just easily stealing your wallet or physical card is either entirely lacking common sense or trolling.

If Apple Pay as currently deployed has any crackable security hole, it is going to be at the "bank/back office" level, not the "man-on-the-street" level.
 
Yes, the only conceivable situation in which someone could possibly use Apple Pay without your knowledge would involve you being unconscious in some way. If that's the case, they could just steal your wallet and use your real cards. And even if they do manage to make a charge on your card, it is a fraudulent charge and you are therefore not liable. The fact that you can remove a watch from someone's arm without it locking (which is true -- try it) doesn't really change the situation much.

Stealing the Watch now, can get you full access to the victims iPhone too, out of which a thief may get more than just credit card access.

Not sure I follow how stealing the watch gives someone full access to the victim's phone.
 
An option for a variation of taps would work. If you are really paranoid you could have the option to add one more simple security measure before the app says "Ready..." at the top. Say, another double tap, or a single then another single.
This would potentially double the wear on the button though.

Or..

You have an option to customize the security tap for Apple Pay a "programming mode". Once you double tap initially, it's then waiting for the correct sequence of events before Apple Pay is ready. For example: Double tap (as we do now), spin the crown clock-wise at least half way around, then push it. Only for those that: drink a LOT, are paranoid or they frequent sketchy areas.

You get the idea.

Done deal. Secured.
 
Yes, the only conceivable situation in which someone could possibly use Apple Pay without your knowledge would involve you being unconscious in some way. If that's the case, they could just steal your wallet and use your real cards. And even if they do manage to make a charge on your card, it is a fraudulent charge and you are therefore not liable. The fact that you can remove a watch from someone's arm without it locking (which is true -- try it) doesn't really change the situation much.

Not sure I follow how stealing the watch gives someone full access to the victim's phone.

Since the watch doesn't re-lock when transferring to someone else this way, anything that's accessible on the watch from the phone would be available with the victim's iPhone, which will also be stolen. If you keep sensitive information in your contacts, for instance, there might be enough there to steal someone's identity. Before the watch, the phone would be locked, and easily bricked if stolen, making it a much less desirable item to steal on its own.

This really isn't about liability per se, as more of an exercise in exploiting an Apple security hole. The idea of a gang of thieves who drug unsuspecting Watch users and commit credit card fraud is one such realistic example, given that such thieves have operated this way in the past, and it's a very old con -- just look up Mickey Finn. That said, I'm not trying to instill panic, just explore a hypothetical. I certainly don't think this could likely happen to me or many others on this forum. But, to the extent it concerns Apple, it would be less about card liability for the victim, and more about Apple not wanting Watch wearers targeted for crime, which is the reason lawmakers have passed legislation to require phones to be "bricked".

However, to address your question here's the hypothetical I'm basing this scenario on -- it's 2016 and contact-less pay terminals are everywhere and they all accept Apple Pay. People have slimmed down their wallets to just whatever cards and IDs that can't be accommodated by the watch, namely a driver's license, and perhaps a little cash. I know once Apple Pay is accepted everywhere I won't be carrying a credit card anymore. At the present, I only carry one, but I have others I don't carry -- all of which are tied to Apple Pay. I never carry cash. So let's say it's a typical mugging, the guy takes my watch, iPhone and wallet, which gives him two useless pieces of electronics, and a driver's license (though the watch can probably still be sold easily on the black market). But is that really enough to warrant assault with a deadly weapon charge if caught?

Now enter the smart criminal, who drugs his victim anonymously, robs them of an unlocked Watch, iPhone and any other valuables they may have, assuming no credit cards in the wallet. But even if there is a credit card in the wallet: we don't know how Apple Pay will work with ATMs, but if a PIN is no longer required, then there's a quick source of cash that wasn't available before. Also, some clerks might ask for an ID when using a physical card, but with Apple Pay there's no questions asked. Also, a drugged victim can't log into iCloud and cancel Apple Pay until they wake up. So many reasons to do it this way versus just pick-pocketing a wallet which is likely to be empty anyway in this hypothetical.
 
Since the watch doesn't re-lock when transferring to someone else this way, anything that's accessible on the watch from the phone would be available with the victim's iPhone, which will also be stolen. If you keep sensitive information in your contacts, for instance, there might be enough there to steal someone's identity. Before the watch, the phone would be locked, and easily bricked if stolen, making it a much less desirable item to steal on its own.

LOL. You're really reaching. Who keeps social security numbers in their contacts?

This really isn't about liability per se, as more of an exercise in exploiting an Apple security hole. The idea of a gang of thieves who drug unsuspecting Watch users and commit credit card fraud is one such realistic example, given that such thieves have operated this way in the past, and it's a very old con -- just look up Mickey Finn.

Yep, that's why it's called "slipping a Mickey." Again, it's not hard to avoid. Seriously, you act like women haven't been avoiding rape that way for decades.

However, to address your question here's the hypothetical I'm basing this scenario on -- it's 2016 and contact-less pay terminals are everywhere and they all accept Apple Pay. People have slimmed down their wallets to just whatever cards and IDs that can't be accommodated by the watch, namely a driver's license, and perhaps a little cash. I know once Apple Pay is accepted everywhere I won't be carrying a credit card anymore. At the present, I only carry one, but I have others I don't carry -- all of which are tied to Apple Pay. I never carry cash. So let's say it's a typical mugging, the guy takes my watch, iPhone and wallet, which gives him two useless pieces of electronics, and a driver's license (though the watch can probably still be sold easily on the black market). But is that really enough to warrant assault with a deadly weapon charge if caught?

Now enter the smart criminal, who drugs his victim anonymously, robs them of an unlocked Watch, iPhone and any other valuables they may have, assuming no credit cards in the wallet. But even if there is a credit card in the wallet: we don't know how Apple Pay will work with ATMs, but if a PIN is no longer required, then there's a quick source of cash that wasn't available before. Also, some clerks might ask for an ID when using a physical card, but with Apple Pay there's no questions asked. Also, a drugged victim can't log into iCloud and cancel Apple Pay until they wake up. So many reasons to do it this way versus just pick-pocketing a wallet which is likely to be empty anyway in this hypothetical.

This is a LOT of assumptions, many of which I'm not convinced are correct. I highly doubt Apple Pay will be ubiquitous in 2016, or that you'll ever be able to access an ATM without some other form of ID (maybe it'll be fingerprints or retina scans rather than PIN, but it will be something). But again, just don't let anyone slip you a mickey.
 
I'm all for being cautious, and I think Apple needs to keep all of the possible scenarios in mind, since criminals can be quite innovative. But I see nothing about using Apple Pay via the watch that seems more risky than using other sorts of payments (just the opposite, in the vast majority of situations). Bottom line is, drink responsibly and keep your wits about you and you should be fine. You know -- the same advice that would apply whether you have an Apple Watch or a wallet full of cash & credit cards.
 
Call me paranoid but...

 