
macrumors bot
Original poster


A relay attack against iPhones with a linked Visa card lets attackers take money from a locked device over NFC, but it is involved: it needs the attacker's hardware within NFC range of the victim's phone and purpose-built equipment. The attack, recently highlighted by the YouTube channel Veritasium, works by tricking the iPhone into believing it is paying at a mass transit terminal, the one kind of payment a locked iPhone will complete without the user authenticating.


Security researchers from the University of Surrey and the University of Birmingham developed the attack, which bypasses the iPhone's lock screen to take funds from the mobile wallet. First disclosed in 2021, it also sidesteps the usual caps on contactless transaction size. Veritasium demonstrated it by collecting $10,000 from YouTuber Marques Brownlee's locked iPhone.

The attack uses a rogue NFC reader, held near the victim's iPhone, that stands in for a tap-to-pay terminal. The reader is connected to a laptop that captures the phone's payment response and forwards it to a separate burner phone, which is then tapped on a legitimate merchant card reader, so the real terminal sees what looks like an ordinary card tap. For the locked iPhone to answer at all, the rogue reader has to present the same transit-terminal identifier that a legitimate transit reader uses.

The attack only works if the victim has Express Transit Mode enabled and a Visa card selected for those payments, among other conditions. It turns out to be a loophole in Visa's contactless implementation rather than an iPhone flaw: it does not work with a Mastercard or an American Express card, which use different security mechanisms, and it does not work with Samsung Pay on Samsung devices, so it requires the specific combination of a Visa card and an iPhone. Apple told Veritasium that the problem lies with the Visa system and is unlikely to occur in the real world:

"This is a concern with the Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world. Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

Visa likewise told Veritasium that the exploit is very unlikely to be carried out at scale in the real world, and that any such transactions can be disputed. The researchers who disclosed the attack said users can protect themselves by not selecting a Visa card as the Express Transit card on their iPhone.

Article Link: Here's How Researchers Stole $10,000 From MKBHD's Locked iPhone
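The article describes a relay: a rogue reader that claims to be a transit gate, a laptop forwarding the phone's answer, and a burner phone replaying it at a real merchant terminal. The toy model below is an added illustration, not code from the article, the researchers, Apple or Visa; the message fields, the transit and merchant identifiers, the toy HMAC "cryptogram", the $50 cap and the `hardened` policy are all assumptions chosen to make the mechanism visible, not the real EMV or Visa protocol. It shows why the relay succeeds when nothing the issuer verifies records that the phone believed it was at a transit gate, and how two policy changes (capping express-mode amounts and binding the claimed terminal type into the authenticated data) would make the same relayed tap fail while a genuine fare still goes through.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Toy model of the relay attack described above. Nothing here is Apple's or
# Visa's real protocol: identifiers, message fields, the cap and the
# "hardened" policy are assumptions chosen for illustration.
TRANSIT_ID = "TRANSIT-GATE"      # constructed stand-in for the transit-reader identifier
MERCHANT_ID = "SHOP-POS-0042"    # constructed id of the legitimate merchant terminal
EXPRESS_CAP_CENTS = 5_000        # assumed per-tap cap for the hardened policy ($50.00)


def cryptogram(key: bytes, fields: dict) -> str:
    """Toy MAC over sorted fields; stands in for the card's payment cryptogram."""
    msg = "|".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Wallet:
    """The locked iPhone's wallet. hardened=False reproduces the weak behaviour
    the article describes: a locked phone with Express Transit on answers any
    amount to anything that presents the transit identifier."""
    key: bytes
    locked: bool = True
    express_transit: bool = True
    hardened: bool = False
    ctr: int = 0

    def respond(self, request: dict) -> Optional[dict]:
        is_transit = request["terminal_id"] == TRANSIT_ID
        if self.locked and not (self.express_transit and is_transit):
            return None  # would need a double-click and Face ID / Touch ID
        if self.locked and self.hardened and request["amount"] > EXPRESS_CAP_CENTS:
            return None  # mitigation 1 (assumed): express mode only authorises small fares
        self.ctr += 1
        signed = {"amount": request["amount"], "ctr": self.ctr}
        if self.hardened:
            # mitigation 2 (assumed): bind the claimed terminal type into the
            # cryptogram so the issuer can see the phone thought it was at a gate
            signed["terminal_id"] = request["terminal_id"]
        return {"ctr": self.ctr, "crypto": cryptogram(self.key, signed)}


def issuer_accepts(key: bytes, merchant_request: dict,
                   response: Optional[dict], hardened: bool) -> bool:
    """Issuer-side check: recompute the cryptogram over what the merchant
    terminal actually sent and compare with what was returned to it."""
    if response is None:
        return False
    expected = {"amount": merchant_request["amount"], "ctr": response["ctr"]}
    if hardened:
        expected["terminal_id"] = merchant_request["terminal_id"]
    return hmac.compare_digest(cryptogram(key, expected), response["crypto"])


def relay_attack(wallet: Wallet, merchant_request: dict) -> Optional[dict]:
    """Rogue reader + laptop + burner phone collapsed into one step: the
    merchant's request reaches the locked phone with the terminal id rewritten
    to the transit identifier; the phone's answer is relayed back unchanged."""
    spoofed = dict(merchant_request, terminal_id=TRANSIT_ID)
    return wallet.respond(spoofed)


def fraud_accepted(hardened: bool, amount_cents: int = 1_000_000) -> bool:
    """Does a relayed $10,000 purchase on a locked phone go through?"""
    key = b"constructed-card-key"
    wallet = Wallet(key, hardened=hardened)
    merchant_request = {"terminal_id": MERCHANT_ID, "amount": amount_cents}
    response = relay_attack(wallet, merchant_request)
    return issuer_accepts(key, merchant_request, response, hardened)


def legit_transit_accepted(hardened: bool, fare_cents: int = 275) -> bool:
    """Sanity check: a real tap at a transit gate still works under both policies."""
    key = b"constructed-card-key"
    wallet = Wallet(key, hardened=hardened)
    request = {"terminal_id": TRANSIT_ID, "amount": fare_cents}
    return issuer_accepts(key, request, wallet.respond(request), hardened)


if __name__ == "__main__":
    print("weak policy, relayed $10,000:", fraud_accepted(False))            # True
    print("hardened policy, relayed $10,000:", fraud_accepted(True))         # False (over cap)
    print("hardened policy, relayed $20:", fraud_accepted(True, 2_000))      # False (terminal id mismatch)
    print("legit transit fare, hardened:", legit_transit_accepted(True))     # True
```

The point of the second mitigation is the one relay attacks turn on: a relay never has to break the cryptography, it only forwards messages, so integrity of the payment data alone is no defence. What stops it is authenticating the context the card believed it was in (here the terminal type) so that the issuer, which knows the transaction actually came from a merchant terminal, can see the two disagree. Whether Visa's real fix takes that shape is not something the article states.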
 
Veritasium demonstrated the attack by collecting $10,000 from YouTuber Marques Brownlee's locked iPhone.
Did they return the money?

Edit: If they didn't return it, they are required to report it to the IRS and pay tax.
 
Security through obscurity is not useful, so it's fine to share it to let it gain attention, even if it is reassuring to the common person that this isn't an attack likely to happen to you.

It's clearly a fixable oversight that it's possible to authorize any amount via automated transit payment; too bad it's already gone for half a decade without much attention, from the sound of it.
 
Is "Express Transit" mode a US-only thing? Also, is it enabled by default??? I don't have that as an option in Australia (iPhone 13 Pro), but if I had it I would not turn it on. To pay here on public transport, or anywhere really, it's easy enough to double-click the side button to bring up the wallet. If you don't double-click the side button, no payment can go through. I was wrong about this.
 