Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones
- Thread starter MacRumors
- Start date
- Sort by reaction score
This is an issue with Visa, not Apple Pay.
I would never enable Express Transit on any of my credit cards on Apple Pay. Even before i read this article.
So in your opinion security holes in bank payment systems shouldn't be fixed then.. and just who do you think eventually ends up paying for those payouts for the security breaches?
I don't know, perhaps enable the requirement for your phone to be unlocked to use it, just like any other payment you make?
What are people smoking? Even if Visa "cover" the losses, there is a cost that will be incurred. There's no free lunch people. Visa will try to recoup the losses from higher interest rates and other fees. In the end, everybody loose, just because two snobbish giants think they are invulnerable.
Get a grip Apple. Is this your attitude towards security now?
And people want them to be the moral police.
Get a grip Apple. Is this your attitude towards security now?
And people want them to be the moral police.
I mean, Mastercard supposedly doesn't have this problem, so in theory it can be fixed on the Visa side. Whether it's worthwhile for the parties involved, on the other hand...
It’s probably the safest in terms of consumer protection. Get hacked? No problem. It’s not your money to begin with and the credit card company will sort it out, not you.
Risk management is not for the faint of heart. Sometimes risks are taken when you really don’t want to but you have to because the alternative is much worse.
I think Visa is at fault 80% for lack of security (Mastercard isn’t prone to this attack) and Apple is 20% for allowing unauthenticated express transit payments.
Apple ought to restrict unauthenticated payments to transit passes only. The risk of misuse is far lower because the card can only be used at one place.
It isn’t.
You are entitled to be uncomfortable, but this really has nothing to do with the security of Apple Pay.
Maybe read again?
Express Transit is disabled by default.
If you decide to enable it, it will ask you which card you want associate with it.
Just choose a card that is not Visa if you are worried.
Apple could reduce the risk here by allowing users to set a daily maximum for express transit transactions. For example, in London you'd be hard pressed to spend over £10 in a day. If, for some reason, you needed to, you could always do a normal Apple Pay transaction instead.
No. This issue is specific to Express Transit using Visa cards, apparently. According to the researchers, it does not affect Mastercards nor does it affect Visa cards on Android Pay/Samsung Pay.
Apple can do no wrong. They are perfect, they are the best. Any issue in any product is not an issue, not a bug, not a fault. You're using it wrong! They are the saviors! All hail Tim Cook! All hail Apple!
According to the researchers, both Apple and Visa are partially to blame, but cannot agree on who should implement the fix. The issue does not affect Visa cards on Android Pay, which has a similar feature to Express Transit.
As I said, a balance has to be struck between convenience and risk. It’s even better when the risk is covered by the card network. But somehow it’s presented like a fundamental flaw in Apple Pay 🤷🏻♂️.
ApplePay is sooooo secure compared to the rest, wasn’t that always the excuse against third-party payment methods in here?! 🤣
Umm, it was a light-hearted joke. Do I have to label everything with a smiley face for you?
Of course they want to blame Apple. How else would they be heard if "Apple" name not included? How can they create a "sensation" if they said Visa is only one to be blame? It has to be Apple somehow.
Of course it can be fixed, it's a system made by humans after all. Weather or not they deem it worth there while to is the question indeed.
Personally I think any hole with security when it comes to money should be locked down. Even if it simply means making people unlock there devices.
Wonder what the legal implications are of this? If someone gets hacked by this method and Apple and Visa knew about it for a long time and took no action, they wouldn't be able to win.
I mean no one would have ever have dreamed of criminal gangs putting card scanners and micro cameras into cash dispensers...
Last edited:
You’re right friend, they do!
But they’d just as well pass on the cost of any prevention system. So if this is cheaper for them it’s better
That's because Android Pay/Samung Pay do not seem to support "Express Transit" using a credit card. This feature requires a 'secure terminal' what Apple apparently provides. Problem with Visa seems to be that *any* secure terminal can be bypassed via this man-in-the-middle attack as there is a flaw in the visa protocol.
This publication describes it in full detail https://emvrace.github.io
The real scam here is that the British "researchers" just demonstrated that this Visa flaw can also be demonstrated with an iPhone and a 'virtual' Visa card stored in Apple Pay. They basically stole the research of the Swiss team!
Last edited:
There’s absolutely no way it would be viable to use as a mass transit payment system in a busy city like London or New York if you had to unlock your phone.