Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones

[Reason077]

There’s absolutely no way it would be viable to use as a mass transit payment system in a busy city like London or New York if you had to unlock your phone.

It's viable. I did it for years before Express Transit came out. It's certainly somewhat less convenient, but as long as you remembered to "pre-authenticate" Apple Pay before you got to the ticket gates you could get through without any delays.

Before Face ID existed it was worse, because authenticating with your thumb was slow and error-prone especially in the winter (gloves etc).

 

[Freeangel1]

WOW! waiting for the iPhone unlock your car to get hacked too and STOLEN CAR CITY!! GONE IN 60 SECONDS!

 

[Pezimak]

There’s absolutely no way it would be viable to use as a mass transit payment system in a busy city like London or New York if you had to unlock your phone.

Why? Is the 10 seconds or less it takes to unlock your phone and select the card to use THAT much of a hassle in your life? You'd rather run the risk of all your money being stolen instead. I think it's perfectly viable and many will just rather have security over a few seconds of convenience.

 

[AGSP]

So Apple have reached that point (like Microsoft, IBM etc....) where they have lost their way and probably don't give a stuff beyond shipments, revenue and huge profits. So SJ wanted to make our lives better and the iPhone etc...did for a bit. Now it has an OS that is so overly complicated and unnecessarily difficult to navigate, you wonder if it adds anything useful to your life?
I am an Apple user, but the iGadgets are much less productive (unless revenue driven is your thing). This years iGadget does pretty much the same as last years and by my wife's 6+. They are pink and purple fashion driven fads.
Oneplus now makes very, very good phones. Much better than an iPhone, with great cameras and some at less than half the price. However, you have to deal with Android and endless check boxes you need to uncheck before you sell your life to Google.
Apple pull your socks up, go back to basics, and stop being to smug (or cavalier) about security. If is possible to hack it (however unlikely) somebody will just because they can.

 

[danpass]

I confirmed now that ET is off on my phone.

Why would someone turn on such a thing?

.

 

[NightFox]

It's viable. I did it for years before Express Transit came out. It's certainly somewhat less convenient, but as long as you remembered to "pre-authenticate" Apple Pay before you got to the ticket gates you could get through without any delays.

Before Face ID existed it was worse, because authenticating with your thumb was slow and error-prone especially in the winter (gloves etc).

That's fine when using Apple Pay for transit was niche, but the problem is phone is now one of the most common payment means (I don't have data, but casual observation on the London Underground shows this). When you're trying to process people through barriers at the rate of one every 2.5 seconds, relying on people to pre-authenticate (and not getting locked again before they reach the barrier) is just going to add to delays. I've not tried it, but I'd also suspect that using FaceID when being bustled along by a couple of hundred people is going to yield a high failure rate. potentially causing congestion itself as people try to slow down or stand still to use it.

 

[Reason077]

I confirmed now that ET is off on my phone.

Why would someone turn on such a thing?

Because it saves a ton of time not having to unlock and authenticate on your phone every. single. time. you go through a ticket gate. This can be twice or even three times per journey, multiple times per day, for those who use London Underground or other mass transit systems regularly. Bear in mind that stations can get very busy and any delay at the ticket gates will cause people behind you to get rather annoyed!

 

[grjj]

So Apple have reached that point (like Microsoft, IBM etc....) where they have lost their way and probably don't give a stuff beyond shipments, revenue and huge profits. So SJ wanted to make our lives better and the iPhone etc...did for a bit. Now it has an OS that is so overly complicated and unnecessarily difficult to navigate, you wonder if it adds anything useful to your life?
I am an Apple user, but the iGadgets are much less productive (unless revenue driven is your thing). This years iGadget does pretty much the same as last years and by my wife's 6+. They are pink and purple fashion driven fads.
Oneplus now makes very, very good phones. Much better than an iPhone, with great cameras and some at less than half the price. However, you have to deal with Android and endless check boxes you need to uncheck before you sell your life to Google.
Apple pull your socks up, go back to basics, and stop being to smug (or cavalier) about security. If is possible to hack it (however unlikely) somebody will just because they can.

You should probably go back and actually read the article, not just the click-bait headlines.

In case you don't have that sort of time, here's the cliff notes:
Express payments are off by default
This issue only affects Visa, not MasterCard or American Express (hint, it's not iPhone's issue)
Apple can't fix Visa's systems for them. It's like asking Apple to patch Microsoft Word to fix an issue.
It's only a proof of concept in a lab
Visa has said they don't see this being an actual problem in the real world

 

[NightFox]

I confirmed now that ET is off on my phone.

Why would someone turn on such a thing?

.

Odd question - surely it's self explanatory? Speed, convenience, practicality...

Of course if you don't use busy mass transit systems then maybe it doesn't serve a purpose (again, clue's in the name), but millions do.

 

[Apple_Robert]

It looks like Apple’s and Visa’s answer got lost in transit.

 

[I7guy]

WOW! waiting for the iPhone unlock your car to get hacked too and STOLEN CAR CITY!! GONE IN 60 SECONDS!

It’s a car problem, not an apple problem. There are devices that can read your key fob. Don’t blame every hypothetical eventuality on apple.

 

[antiprotest]

I hope Apple will eventually start working on the things that they are weakest at -- privacy and security -- rather than actively adding feature that are hostile to these things.

 

[RedGT]

Apple could reduce the risk here by allowing users to set a daily maximum for express transit transactions. For example, in London you'd be hard pressed to spend over £10 in a day. If, for some reason, you needed to, you could always do a normal Apple Pay transaction instead.

There’s already a payment cap anyway in London. I think it’s set to around the £11 mark on oyster travel….so surely this could be incorporated into the software/hardware in some way to stop you getting rinsed by criminals.

 

[NightFox]

Why? Is the 10 seconds or less it takes to unlock your phone and select the card to use THAT much of a hassle in your life? You'd rather run the risk of all your money being stolen instead. I think it's perfectly viable and many will just rather have security over a few seconds of convenience.

How much of a risk do you think that is - bearing in mind risk is also based on likelihood, not just impact?

(a) Despite all the scaremongering associated with contactless payment as a whole, nearly 15 years on none of the predicted 'risks' have become a significant issue
(b) The hack highlighted here has been demonstrated in a lab, it hasn't been seen in the real world. That's a massive step
(c) The liability lies with Visa, I'm happy with that and unconcerned by unsubstantiated "yeah but what if's"
(d) Visa seem happy to accept the financial risk, I'm guessing they've done their homework
(e) Try taking that 10 seconds whilst leaving a busy Tube/subway station at rush hour. Multiply that disruption by the amount of other people who'd be doing the same

 

[H3LL5P4WN]

See, android is evil and should be destroyed.

 

[RetiredTaxman]

I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, bedsides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in anyway.
I suggest they forget the convenience and activate some security. People will just have to unlock there phones, better safe then sorry as they say.

A big thing is being made of this by one of our more right wing papers without emphasising that you first have to turn on the facility and have to have access to rail travel which sets perhaps the greatest risk in the London area.
Despite living in one of the cradles of the railways there are in fact few railway stations in our region.

 

[mikethemartian]

Credit card itself is a risky payment method… a tap on the card can take away your money… or even just copy your number and enter somewhere online. A balance has to be struck between convenience and risk. If you eliminate all risk, there is no convenience left. Apple Pay is already a very good middle ground.

Credit cards are low risk already as long as the cardholder monitors their account and reports fraudulent charges to the bank in a timely manner.

 

[Max Webb]

I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, bedsides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in anyway.
I suggest they forget the convenience and activate some security. People will just have to unlock there phones, better safe then sorry as they say.

Well the setting is turned off so the majority of people won’t be impacted and from working in the card industry I can see visa's point, it would take some level of sophistication and with all the security at places where you will use this, it’s pretty much useless. Plus the scammers would need a legitimate card reader very hard to process payments with a hacked card reader also as there is a whole world behind them. Payment doesn't just go from card holders bank to card readers bank.

 

[cmaier]

I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, bedsides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in anyway.
I suggest they forget the convenience and activate some security. People will just have to unlock there phones, better safe then sorry as they say.

It’s not so much apple “passing the blame.” The blame really is with the visa network - there isn’t anything apple can do about and still allow transit pay with visa - the issue is with their protocol. The only solution apple could implement is disabling that feature so you’d have to unlock the device to pay for transit with visa.

 

[VulchR]

Credit cards are low risk already as long as the cardholder monitors their account and reports fraudulent charges to the bank in a timely manner.

I think you'll find every credit card transaction is evaluated by a machine learning algorithm that flags suspect transactions. But yes, always worth looking at transaction history just to be sure.

In any case I wish Apple would devote more effort into security and privacy.

EDIT: I have decided to turn off this feature. Moreover I do not recall ever actively setting it in the first place.

 

[VulchR]

It’s not so much apple “passing the blame.” The blame really is with the visa network - there isn’t anything apple can do about and still allow transit pay with visa - the issue is with their protocol. The only solution apple could implement is disabling that feature so you’d have to unlock the device to pay for transit with visa.

Couldn't they bring up an alert on the lock screen the requires user input to confirm? Perhaps not a full unlock, but pressing a button. Also, why not specify an upper limit on the money spent per day this way to limit losses? VISA will cover fraudulent charges, but fraud does come back to consumers in terms of higher fees and interest rates.

 

[cmaier]

Couldn't they bring up an alert on the lock screen the requires user input to confirm? Perhaps not a full unlock, but pressing a button. Also, why not specify an upper limit on the money spent per day this way to limit losses? VISA will cover fraudulent charges, but fraud does come back to consumers in terms of higher fees and interest rates.

Pressing a button would defeat the purpose. An unlock (with faceid or touch id) is easier than that. As for an upper limit, I suppose they could, but I’m not sure their agreement with the payment networks allows them to do that. In any event, they already have a much less kludgey solution than either of those - you can turn off transit pay (or just use a mastercard, like Apple Card, for transit pay).

 

[rpmurray]

Yeah they never pass these losses on to other customers.

True. This is the reason that interest rates on credit card transactions are so low.

 

[jimbobb24]

"The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed."

Rough week for Apple ?

Not if you read the whole article. Visa says it’s not worth fixing the whole system for this rare possibility. Everything is a trade off and there are always costs. Only Visa knows if the trade offs are worth it…and they don’t think it is. No one has more information than they do.

 

[matrix07]

So Apple have reached that point (like Microsoft, IBM etc....) where they have lost their way and probably don't give a stuff beyond shipments, revenue and huge profits. So SJ wanted to make our lives better and the iPhone etc...did for a bit. Now it has an OS that is so overly complicated and unnecessarily difficult to navigate, you wonder if it adds anything useful to your life?
I am an Apple user, but the iGadgets are much less productive (unless revenue driven is your thing). This years iGadget does pretty much the same as last years and by my wife's 6+. They are pink and purple fashion driven fads.
Oneplus now makes very, very good phones. Much better than an iPhone, with great cameras and some at less than half the price. However, you have to deal with Android and endless check boxes you need to uncheck before you sell your life to Google.
Apple pull your socks up, go back to basics, and stop being to smug (or cavalier) about security. If is possible to hack it (however unlikely) somebody will just because they can.

Perhaps use the time you’ve wasted writhing this BS to READ the article instead?