I Broke All of Bank of America's Card Terminals With Apple Pay

Discussion in 'iPhone' started by Inframan, Dec 18, 2014.

  1. Inframan macrumors 6502

    Inframan

    Joined:
    Jan 18, 2013
    Location:
    Los Angeles, California
    #1
So this was, to say the least, an awkward moment for me yesterday. I was in the Bank of America branch in North Hollywood yesterday (might I add it was packed with people) and I walked up to the window to make a deposit, and instead of sliding my card to verify my identity I thought I would try using my 6 Plus to see if it would use my thumbprint to verify it instead of using my physical card.

    I placed my phone near the terminal, my Bank of America card showed up, I placed my thumb on the sensor and it all appeared to work fine. It even said "Done". Both the lady and I were impressed that I could verify myself without using my card!

    And then it happened: none of the 10-plus terminals would allow anyone to use their debit card to verify their identity. Mine also did not work. The entire bank came to a halt. I was crapping myself that I was about to get into some deep trouble here.

    Basically they had to restart all their computers, restart all the terminals, and then finally they all worked again.

    So needless to say, there is a major bug that Apple and Bank of America need to work out here. On another note, it would be nice if they enabled this feature and it actually worked!
     
  2. JulesJam macrumors 68020

    JulesJam

    Joined:
    Sep 20, 2014
    #2
How could you possibly get in trouble for this? Clearly a bug in their system. Not your fault.
     
  3. Mlrollin91 macrumors G4

    Mlrollin91

    Joined:
    Nov 20, 2008
    Location:
    Ventura County
    #3
I don't think that it's a bug; the computer system just didn't know how to respond. When you swipe your card at the bank, it's your debit card and it still requires the PIN in order for them to access your account. Well, there is no way to enter the PIN into Apple Pay, therefore the system didn't know how to react.

    Yes, you can use debit cards with Apple Pay, but you are paying via 'credit', or you still have to input your PIN on the terminal if you pay via 'debit'.

    So, IMO it's not a bug with Apple and not really with BofA. The system just didn't know what you were trying to do.
     
  4. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #4
    The issue now is this: can this be reproduced?

Could the OP try this elsewhere? For example, at the BofA at the Grove? Van Nuys? The branch by Santa Monica Pier? If this can be reproduced at any other bank, then this is definitely a problem. Restarting everything is a quick band-aid, but isn't the solution.

    The next question after that: what could be done while all terminals are down? In short, you've discovered the bug; what could be exploited while the bug is used? I ask not to be malicious, but because what could be exploited determines the severity of the bug. Since this is pertaining to PCI data, once a critical bug and a patch for it have been created, there is a certain finite window of time in which the patch must be implemented (IIRC, the PCI DSS spec recommends within 30 days unless specified by the client).

    For the moment, what you've found could be considered a major Denial of Service. BofA needs to get on the ball for this.

    Also, to make sure this isn't an Apple Pay bug, someone needs to try this at any other bank that currently supports Apple Pay.

    BL.
     
  5. markyr17 macrumors 65816

    markyr17

    Joined:
    Apr 8, 2010
    #5
    Soooooo.... It's a bug that needs to be fixed. A bug is something that stops a system from working properly.
     
  6. Mlrollin91 macrumors G4

    Mlrollin91

    Joined:
    Nov 20, 2008
    Location:
    Ventura County
    #6
    Not if the system isn't meant to do that task in the first place. That's not a bug. That's a consequence for running a task that something isn't designed to do. A bug is something that prohibits an operation that is meant to take place.
     
  7. markyr17 macrumors 65816

    markyr17

    Joined:
    Apr 8, 2010
    #7
So it's not a bug that I can go into a Bank of America with my phone and effectively break their whole ATM system? ..... :rolleyes::rolleyes:
     
  8. lordofthereef macrumors G4

    lordofthereef

    Joined:
    Nov 29, 2011
    Location:
    Boston, MA
    #8
Certainly something strange went on here, but I have had terminals at the grocery store ask me for my PIN when using Apple Pay. I have no idea what happened here, but asking for a PIN is certainly still possible.

    For all we know this may have been some hiccup in their system that coincidentally happened at the right moment in time and is completely unrelated to Apple Pay. I can't imagine the OP is the first one to have ever tried this at the thousands of BofA branches that exist.
     
  9. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #9
    Hence why I was asking if this can be reproduced. This needs to be validated at another BofA location. If the same thing happens there (the systems should be the same across the board), then what you have is a tool that creates a denial of service to other customers/users of those systems.

    So before anyone calls this a 'bug' we need to find out if this can be reproduced, the powers-that-be need to be notified of it, and if the same thing would occur at other banks that support Apple Pay.

    If it doesn't happen at any of the other banks, then it definitely is a BofA problem. If it happens at other banks, then we are looking at a bank and Apple Pay problem.

    BL.
     
  10. lordofthereef macrumors G4

    lordofthereef

    Joined:
    Nov 29, 2011
    Location:
    Boston, MA
    #10
    Thanks. I read that post. But that's why I wasn't responding to it. It's on point. :)
     
  11. JulesJam macrumors 68020

    JulesJam

    Joined:
    Sep 20, 2014
    #11
    Bingo!!!! We have a winner!!!

    Temporal Correlation vs. Causation.

    ----------

    You win too!
     
  12. The Doctor11 macrumors 603

    The Doctor11

    Joined:
    Dec 15, 2013
    Location:
    New York
    #12
They may not know that. They might blame you for doing something you're not supposed to, or something stupid like that.
     
  13. JulesJam macrumors 68020

    JulesJam

    Joined:
    Sep 20, 2014
    #13
    And what "trouble" would they be able to get you in? Call the cops? For what, what crime would they be reporting? Sue you civilly? Under what cause of action?

    Seriously, you have to have done something WRONG for you to get in trouble. What did the OP do wrong? What would they blame him for?
     
  14. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #14
    That's hilarious. Don't worry about it though. This happens all the time with power outages too.
     
  15. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #15
    Exactly. For all intents and purposes, this could be a valid test/use case for Apple Pay. Albeit at a BofA branch, it still is a terminal; also, when Cook announced Apple Pay and which banks supported it, they didn't explicitly say how it was supported. We all have the (correct) assumption that it would be directly to our bank accounts; the funds come out of the consumer's account, through the bank, to the merchant. There wasn't an exception or exclusion for if the merchant and the bank were the same entity.

In fact, I don't think any bank supporting Apple Pay has taken that into consideration.

    BL.
     
  16. Inframan thread starter macrumors 6502

    Inframan

    Joined:
    Jan 18, 2013
    Location:
    Los Angeles, California
    #16
Hey guys, I'm sitting in my car right now outside of another Bank of America and the same thing happened; this one is in Studio City. Just wanted to update you guys.
     
  17. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #17
    So you actually tried to reproduce the issue as a couple of members suggested to determine cause and effect? Wow.
     
  18. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #18
    I would say that this is a good thing. My suggestion was not intended to be malicious; if a bug/problem can be reproduced, then those that can actually fix it have a way to not only trigger the problem, but look at and debug their systems to see exactly what is happening while the problem occurs. From there, they code the fix and get it out.

    Who knows? This could actually be a problem with the terminals being used. So this could go all the way back to being a firmware problem on the terminal. If so, then every bank or merchant using that terminal may be impacted. So this could potentially be a bigger issue than realized.

    To be honest, the OP needs to get hold of as many BofA managers as he can, and not only tell them of the problem, but show them. When it comes to PCI and PII data, having that data protected is the most paramount thing, especially against any exploit that could use this maliciously.

    BL.
     
  19. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #19
You're exaggerating the problem. Not too many people are going to attempt to authorize with Touch ID foolishly thinking it'd work at a branch, and the OP didn't have to go out of his way to shut down an entire bank to test some members' theory.
     
  20. JulesJam macrumors 68020

    JulesJam

    Joined:
    Sep 20, 2014
    #20
    Well now for sure you are going to get in trouble because you did it intentionally!!! LOL!

    Seriously, if you want it fixed, I would just report it to BAC and Apple and then leave it up to them to fix it. Until then, don't do it again.

    ----------

    Meh. There is a serious problem with their system and they need to fix it. He actually did them a favor.
     
  21. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #21
    A "serious" problem because someone foolishly attempted to use Apple Pay at a bank branch as unadvertised? Surely you're exaggerating big time :rolleyes:
     
  22. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #22
Exactly. This is how bugs get fixed, especially in the Software Design Life Cycle:
    • Report the bug.
    • Allow the Quality Assurance group to try to reproduce it. Send the bug and the data captured during reproduction of the bug to developers.
    • Developers code a fix for the bug.
    • Q/A tests/verifies that the fix solves the problem.
    • The fix goes out in the next release of the application running the terminals.
    This, and then some. You don't brush something like this under the rug just to save other people's use of the terminals. That leaves the vulnerability/problem there for someone to maliciously exploit. Better to have that reported and fixed, with an announcement disclosing the problem and that the fix is already in use, than to keep hush on it and have someone use the bug to not only effectively shut other customers out from their accounts, but compromise a bank's security.

    BL.
     
  23. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #23
Not disputing the above, but the OP can simply report it and not go out of his way to "test" the system to reproduce the problem. You've contradicted yourself in the post above, agreeing with another member that the OP is better off reporting it and not doing it again, then saying the opposite in seeing nothing wrong with his reproducing the issue.
     
  24. goobot macrumors 603

    goobot

    Joined:
    Jun 26, 2009
    Location:
    long island NY
    #24
    Has anyone tried it at another type of bank other than BofA?
     
  25. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #25
Not exactly. To put it short, the OP actually did the QA person's job, by showing and proving to the bank/managers at the bank that it is reproducible. That actually helps them instead of inhibiting them. No contradiction there at all.

    Again, if the intent of the reproduction is not malicious, there is no problem in reproducing it for the managers to see.

    BL.
     