Why? Is the 10 seconds or less it takes to unlock your phone and select the card to use THAT much of a hassle in your life?
You clearly haven’t used Tokyo train systems, the kind of which Express Transit seems to be designed to handle.
If you have 10 seconds why would you bother turning on ET?
 
Credit card itself is a risky payment method… a tap on the card can take away your money… or even just copy your number and enter somewhere online. A balance has to be struck between convenience and risk. If you eliminate all risk, there is no convenience left. Apple Pay is already a very good middle ground.
The real card number is never transmitted when using tap. ;)
 
Couldn't they bring up an alert on the lock screen that requires user input to confirm? Perhaps not a full unlock, but pressing a button. Also, why not specify an upper limit on the money spent per day this way to limit losses? VISA will cover fraudulent charges, but fraud does come back to consumers in terms of higher fees and interest rates.
See? This is what all these ridiculous allegations did. Make the perfectly fine system, the good one at that, worse because of FEAR.
 
How much of a risk do you think that is - bearing in mind risk is also based on likelihood, not just impact?

(a) Despite all the scaremongering associated with contactless payment as a whole, nearly 15 years on none of the predicted 'risks' have become a significant issue
(b) The hack highlighted here has been demonstrated in a lab, it hasn't been seen in the real world. That's a massive step
(c) The liability lies with Visa, I'm happy with that and unconcerned by unsubstantiated "yeah but what if's"
(d) Visa seem happy to accept the financial risk, I'm guessing they've done their homework
(e) Try taking that 10 seconds whilst leaving a busy Tube/subway station at rush hour. Multiply that disruption by the amount of other people who'd be doing the same

As I said, no one would ever believe criminal gangs would put card scanners and micro cameras into cash dispensing machines in bank building walls. But they did, repeatedly, so it’s very naive to simply brush this off with an "it’ll never happen to me" attitude. Likewise with car thieves using scanners and stealing your nice posh car thanks to the keyless entry system, or they break the small window in the front door, lean in and use the access port, which by EU law is in the same place in every car, connect the special coding machine which by EU law must be sold on the open market, and simply code your car to open and start and off they go. This is not beyond the reach of criminals these days.

The article also clearly highlights the liability lies with BOTH Apple and Visa.
And you need to sort your life out if you seriously consider 10 seconds in the name of security is a major hassle in your life, you can lift your phone, it auto unlocks, press the button for payments and select your card long before you get to the ticket barrier machine, it quite literally is no hassle at all, you are making it out to be because ‘you’ consider it inconvenient.
 
Credit card itself is a risky payment method… a tap on the card can take away your money… or even just copy your number and enter somewhere online.

No, your actual credit card number is not transmitted. And through the use of cryptography and transaction identifiers, whatever transaction occurs cannot be replayed - so if money is charged to your card it can only happen once, and not be repeated later.

Also, none of your money is taken away. Money is charged against your credit card balance (if the network or the issuer doesn’t catch the fraud), but if you dispute it and it wasn’t a legitimate charge, then you won’t have to pay.
 
It’s not so much Apple “passing the blame.” The blame really is with the Visa network - there isn’t anything Apple can do about it and still allow transit pay with Visa - the issue is with their protocol. The only solution Apple could implement is disabling that feature so you’d have to unlock the device to pay for transit with Visa.

Why is it then people on here claim it doesn’t affect Android phones though? It doesn’t seem to mention it in the article so I have no idea if that’s true, but if it is then surely Apple must be involved somehow?

I think an upper limit is the most sensible solution, I mean you cannot go above £50 with contactless payment till next month when it rises to £100. And you can only use it so many times before you need to enter a PIN with your card.
 
Why is it then people on here claim it doesn’t affect Android phones though? It doesn’t seem to mention it in the article so I have no idea if that’s true, but if it is then surely Apple must be involved somehow?

I don’t know that it’s true, first of all (and by the way, interesting that they used an Android phone as part of the hack). I don’t even know if Android has something that works the same way as transit pay. But given that even Visa says it’s Visa’s fault, it takes a special kind of Apple-hater to blame the issue on Apple.
 
Well the setting is turned off so the majority of people won’t be impacted, and from working in the card industry I can see Visa's point: it would take some level of sophistication, and with all the security at places where you will use this, it’s pretty much useless. Plus the scammers would need a legitimate card reader; it's very hard to process payments with a hacked card reader, as there is a whole world behind them. Payment doesn't just go from the card holder's bank to the card reader's bank.

Criminals read bank cards and recorded your pin details with cameras as you used cash dispensing machines…
 
That's because Android Pay/Samsung Pay do not seem to support "Express Transit" using a credit card. This feature requires a 'secure terminal', which Apple apparently provides. The problem with Visa seems to be that *any* secure terminal can be bypassed via this man-in-the-middle attack as there is a flaw in the Visa protocol.

This publication describes it in full detail https://emvrace.github.io

The real scam here is that the British "researchers" just demonstrated that this Visa flaw can also be demonstrated with an iPhone and a 'virtual' Visa card stored in Apple Pay. They basically stole the research of the Swiss team!
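The two protocol points made in this thread (that a contactless cryptogram cannot be replayed, and that a man-in-the-middle relay is not stopped by that cryptogram) are easy to see in a toy model. The following is an added illustration written for this page, not code from the posters, from Apple, Visa or the emvrace researchers. It is deliberately simplified: HMAC-SHA256 stands in for the real EMV application cryptogram (real cards derive 3DES/AES session keys from the transaction counter and MAC many more fields), and the token, key, amounts and unpredictable numbers are all constructed for the example. It does not model the specific transit-mode flaw the researchers describe; it only shows why freshness checks defeat replay but not a live relay.

```python
"""Toy contactless-payment model: replay is rejected, a live relay is not.

Added example for this thread. Not EMV's real algorithm; HMAC-SHA256 stands in
for the application cryptogram (ARQC), and every key/token/amount is constructed.
"""
import hashlib
import hmac
import os


def toy_cryptogram(key: bytes, atc: int, un: bytes, amount: int) -> bytes:
    # The MAC binds the card's transaction counter (ATC), the terminal's fresh
    # nonce (UN) and the amount. That binding is what makes replay detectable.
    msg = atc.to_bytes(2, "big") + un + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """The phone's tokenised card: a token (never the real PAN) plus a key."""

    def __init__(self, token: str, key: bytes):
        self.token = token
        self.key = key
        self.atc = 0  # application transaction counter, increments per tap

    def generate_ac(self, un: bytes, amount: int) -> dict:
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "un": un, "amount": amount,
                "ac": toy_cryptogram(self.key, self.atc, un, amount)}


class Issuer:
    """Verifies cryptograms and enforces a strictly increasing ATC per token."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, token: str, key: bytes) -> None:
        self.keys[token] = key
        self.last_atc[token] = 0

    def authorize(self, tx: dict, terminal_un: bytes, amount: int) -> tuple:
        key = self.keys.get(tx["token"])
        if key is None:
            return False, "unknown token"
        if tx["un"] != terminal_un or tx["amount"] != amount:
            return False, "cryptogram bound to a different terminal session or amount"
        if tx["atc"] <= self.last_atc[tx["token"]]:
            return False, "ATC not increasing: replayed cryptogram"
        expected = toy_cryptogram(key, tx["atc"], tx["un"], tx["amount"])
        if not hmac.compare_digest(expected, tx["ac"]):
            return False, "cryptogram does not verify"
        self.last_atc[tx["token"]] = tx["atc"]
        return True, "approved"


class Terminal:
    def __init__(self, issuer: Issuer):
        self.issuer = issuer

    def transact(self, card_iface, amount: int) -> tuple:
        un = os.urandom(4)  # fresh unpredictable number for this tap only
        tx = card_iface(un, amount)  # card_iface models whatever answers the field
        return self.issuer.authorize(tx, un, amount)


def run_scenarios() -> dict:
    key = b"constructed-example-card-key"  # constructed, not a real key
    issuer = Issuer()
    card = Card("tok_example_0001", key)
    issuer.enroll(card.token, key)
    terminal = Terminal(issuer)
    results = {}

    # 1. Genuine tap: the phone answers the terminal directly.
    results["genuine"] = terminal.transact(card.generate_ac, 250)

    # 2. Replay: an attacker recorded one exchange and resubmits it later.
    recorded = {}

    def sniffed(un, amount):
        tx = card.generate_ac(un, amount)
        recorded.update(tx)
        return tx

    terminal.transact(sniffed, 250)
    results["replay"] = terminal.transact(lambda un, amount: dict(recorded), 250)

    # 3. Relay (man-in-the-middle): the attacker's reader sits near the victim's
    # phone, forwards the live terminal's UN and amount to it, and returns the
    # phone's fresh answer. The cryptogram is genuine, so the issuer approves;
    # freshness alone cannot tell a relayed tap from a real one.
    def relay(un, amount):
        return card.generate_ac(un, amount)  # in practice over a separate link

    results["relay"] = terminal.transact(relay, 1000)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:8s} approved={ok}  {why}")
```

The replay case fails on the unpredictable number before the counter check is even reached; the relay case passes every check because the real card computed a fresh cryptogram over the live terminal's values. That is why the defence against relay has to come from something other than the cryptogram, such as cardholder verification on the device or protocol-level checks on the terminal side.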
You are incorrect.

With Samsung Pay you can set up a card as a ‘transport card’ to use on TFL services. This option means you don’t even need to wake your phone or verify. Simply touch the middle section of your phone against the card reader.
 
Researchers in the U.K. have demonstrated how large unauthorized contactless payments can be made on locked iPhones by exploiting Apple Pay's Express Transit feature when set up with Visa.
This is a non-issue. The best part of credit cards is the zero liability coverage. Someone can physically steal your card and make purchases, and you would be reimbursed. It only affects Visa and it sounds like they are comfortable covering the losses, if there are any.
 
I hope Apple will eventually start working on the things that they are weakest at -- privacy and security -- rather than actively adding features that are hostile to these things.

But this is a Visa issue, not an Apple issue.
 
I don’t know that it’s true, first of all (and by the way, interesting that they used an Android phone as part of the hack). I don’t even know if Android has something that works the same way as transit pay. But given that even Visa says it’s Visa’s fault, it takes a special kind of Apple-hater to blame the issue on Apple.
Interestingly the full report here http://www.bbc.co.uk/news/technology-58719891 doesn’t state Visa accepts it's entirely an issue with their systems, they just claim it won’t happen in the real world as it’s impractical so won’t fix it.
Just like no one would have thought it practical for thieves to install card scanners and tiny cameras into cash dispensing machines. Or car thieves use scanners to grab your keyless key codes.
It will be rare I agree, but so were the previous types of theft I mentioned once.

Also of note is Samsung Pay and Master Card were found to be immune to the hack.
 
Interestingly the full report here http://www.bbc.co.uk/news/technology-58719891 doesn’t state Visa accepts it's entirely an issue with their systems
Visa doesn’t have to state anything. If this fraud happens, a big IF since if you read the article they’re talking about a stolen iPhone, it will fall under unauthorised payment and will automatically be protected by Visa's zero liability policy.

A bunch of Little Chicken these researchers if you ask me.
 
As I said, no one would ever believe criminal gangs would put card scanners and micro cameras into cash dispensing machines in bank building walls. But they did, repeatedly, so it’s very naive to simply brush this off with an "it’ll never happen to me" attitude. Likewise with car thieves using scanners and stealing your nice posh car thanks to the keyless entry system, or they break the small window in the front door, lean in and use the access port, which by EU law is in the same place in every car, connect the special coding machine which by EU law must be sold on the open market, and simply code your car to open and start and off they go. This is not beyond the reach of criminals these days.

And yet we still have cash machines and keyless cars, so I'm guessing the overall risk is generally deemed to be acceptable when balanced against everything else?

It's all too easy just to dismiss Visa's statement:

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

but surely you need to take that into account when making an informed, balanced judgement?

The article also clearly highlights the liability lies with BOTH Apple and Visa.
And you need to sort your life out if you seriously consider 10 seconds in the name of security is a major hassle in your life, you can lift your phone, it auto unlocks, press the button for payments and select your card long before you get to the ticket barrier machine, it quite literally is no hassle at all, you are making it out to be because ‘you’ consider it inconvenient.

There's really no need for you to make this a personal attack, but my point isn't about personal convenience to me. It's about having a system where you've got two hundred people trying to get through maybe four ticket barriers before the next train comes in two minutes later and you're requiring a large percentage (50%?) of them to have to authenticate themselves on their phones. It might work for one or two people in the same way you always get those whose ticket/card doesn't work, or who wait till they get to the barrier before fumbling in their pocket for their card, but the practicalities just don't scale up to the large numbers of people using phones to pay these days.

But fundamentally, why? This isn't an iPhone/ApplePay-specific vulnerability, it applies to all contactless Visa cards and I'd guess the majority of people will still be carrying those around with them. Indeed if you did mandate unlocking iPhones to use them on mass transit, I suspect many people would just go back to using that vulnerable Visa card instead.

Sure, people can turn Express Payment off if they personally don't feel comfortable with their perception of the risk, but to suggest the function should be removed just seems to be an over-reaction that's not warranted by the risk and would have a significant detrimental effect.
 
But given that even Visa says it’s Visa’s fault, it take a special kind of Apple-hater to blame the issue on Apple.
I don't blame Apple but I expect them to be putting pressure on Visa to fix the issue, or implement something at their end to protect Apple customers. Apple has known about this for nearly a year and the issue is still there - this doesn't exist with Samsung Pay with a transit Visa card so it cannot be all Visa's fault.

Given that transit is for low value fares, I cannot see why the iPhone is allowing an unauthorised payment of £1,000 - it should have a cap around £15.
 
Where are the people who were telling everyone they only trust their credit card to Apple and not third parties?

The irony.
You are right about irony....but only if you meant to be incorrect about your entire statement 🤣

This comment is a dedication for those that ridiculed me when I commented about not being comfortable with the security of Apple Pay.

I think they would appreciate you dedicating your comment in the memory of how correct they were! 🤣
 
I do suspect Visa is correct and that this is hard to replicate in the real world; however, I wish Visa (and other such companies) would consider the time wasted by their customers addressing fraud. I think they usually look at their direct costs but not so much the consumers.

It can still take some time for the cardholder to check their account online, call their card issuer, wait on hold, go through and verify the last month’s transactions at times, etc… Some card issuers are better at this and allow verification online, but many still require a phone call. Then there’s the possibility the card may have to be canceled, be unavailable for a while, and have to be mailed out. This is mitigated some by virtual numbers used by the iPhone and other platforms, but some issuers still seem to want to issue a new card despite that.
 
Want Visa to stop their tin-eared blathering about “theoretical but unlikely”?

Just switch your Express Transit card setting from Visa to MasterCard, or, if allowed, to AMEX, and you’re all set.
 
You should probably go back and actually read the article, not just the click-bait headlines.

In case you don't have that sort of time, here's the cliff notes:
Express payments are off by default
This issue only affects Visa, not MasterCard or American Express (hint, it's not iPhone's issue)
Apple can't fix Visa's systems for them. It's like asking Apple to patch Microsoft Word to fix an issue.
It's only a proof of concept in a lab
Visa has said they don't see this being an actual problem in the real world

Stop it with your well-reasoned post. Stat! I need something to get outraged about this morning so I can feel good for the rest of the day. And now I have to find something else. :(
 
I have express transit disabled on my Apple Pay (I guess it's off by default luckily). I have used the tap to pay on my Visa card before but, not a lot of places have the option in my experience.
 
This comment is a dedication for those that ridiculed me when I commented about not being comfortable with the security of Apple Pay.
Removing original comment - was not relevant to this comment and my snarky response would be inappropriate.
 
I think Visa is at fault 80% for lack of security (Mastercard isn’t prone to this attack) and Apple is 20% for allowing unauthenticated express transit payments.

Apple ought to restrict unauthenticated payments to transit passes only. The risk of misuse is far lower because the card can only be used at one place.
How can they authenticate this? Many of the transit system tap-and-go systems run over the Visa network. Others run over MasterCard's network. Others act more like a POS terminal at the turnstile. To Apple Pay the transit card would look like a Visa / MasterCard / AmEx card. No different than the Visa network running both the debit card and credit card you get from your bank. One has fraud reimbursement and one does not. Be thankful, as a consumer who might someday actually get hit by this, that by reading between the lines of Visa's comment the transit systems are run as credit cards and not debit cards for the transaction and fraud processes.

EDIT: Clarification of the first point, and adding:

For pure closed loop transit systems that require profiled accounts that do not take direct credit / debit payments at the turnstiles then I would venture that this is a non-issue regardless of the network used as there would be no ability to process a charge transaction outside of the profiled back for the purpose of the transit activity.
 
I haven't read all of the comments but I had a couple dollars stolen from my account through a similar hack that was charged to the NYCT I believe, and I live nowhere near NY and haven't visited NY in many years. If I had to guess they are hiding these near vending machines that accept Apple Pay so when you buy a soda and authenticate they are also reading your card and stealing from your account.

 