I think the situation is interesting, even if it is not that big of a deal. When it comes to issues like side loading apps or 3rd party app stores, Apple takes the position that customers can not or should not be trusted with managing their own risks. But Apple has taken a different approach with this new threat. They could disable the feature. They could set down rules for VISA and ban their cards until Visa complied. Instead, they push the risk management onto the user. The user can turn the feature on and off. The user can choose to use or avoid VISA. It is almost as if Apple's primary concern is whether a policy makes or loses money for Apple. (And no, I'm not suggesting this is something unique to Apple.)
 
If I had to guess they are hiding these near vending machines that accept Apple Pay so when you buy a soda and authenticate they are also reading your card and stealing from your account.
It could really be anything charging you. Here's more detail on the whole thing:
https://practical_emv.gitlab.io/

In addition, let me quote something for the "Apple can do no wrong" crowd:
This attack is made possible by a combination of flaws in both Apple Pay and Visa’s system. It does not, for instance, affect Mastercard on Apple Pay or Visa on Samsung Pay.
Our work includes formal modelling that shows that either Apple or Visa could mitigate this attack on their own. We informed them both months ago but neither have fixed their system, so the vulnerability remains live.
Source code is available via the link above, so is the preprint of the paper which will be peer reviewed and published at the 2022 IEEE Symposium on Security and Privacy. Happy hacking! :p
 
This from UnregisteredOnSecurity:
If someone has physical access to your phone, they COULD do this little hacky thing… totally COULD… something to be concerned about, yah…

BUT IF THEY HAVE PHYSICAL ACCESS TO YOUR PHONE THE JIG WAS YESTERDAY! It’s OVER and DONE by now. In other words, it’s up. They can do FAR worse than this, securily speaking, parlor trick. I very much doubt they’d even waste even a second of having physical access to your phone on this as they’re racing against the clock of you finding out your phone is missing and remote wiping it.

So, yes, this is a security issue and should be remedied. But, the thing to REALLY know is this. If someone has physical access to your phone, EVEN to use it to make a quick phone call or surf the web, EVEN if they promise to charge it while they’re using it with the battery pack they happen to have on them, you’ve already dangerously lowered your security profile to where this AND far more dangerous/invasive things can be done.
 
How long does it take you to unlock your phone?
That’s not the point. How much disruption does it cause to flow when you’ve got 100 people unlocking their phones on the approach to busy barriers? If every single one of those people managed to successfully unlock their phones and if necessary select their payment card, all without slowing down and without any of those phones re-locking before they had chance to present it, then no problem. But how realistic is that?
 
I don't know, perhaps enable the requirement for your phone to be unlocked to use it, just like any other payment you make?
It sounds like the hack convinces the Visa terminal that the phone has authorized the transaction. It doesn't matter if the phone is locked or not. This basically bypasses the authorization step in the transaction.
 
It's viable. I did it for years before Express Transit came out. It's certainly somewhat less convenient, but as long as you remembered to "pre-authenticate" Apple Pay before you got to the ticket gates you could get through without any delays.

Before Face ID existed it was worse, because authenticating with your thumb was slow and error-prone especially in the winter (gloves etc).
Criminals read bank cards and recorded your pin details with cameras as you used cash dispensing machines…
Yeah, but this is not how this scam works. They need a phone and card terminal to take cash from Apple Pay there and then. They can’t use Apple Pay after the fact.
 
You are incorrect.

With Samsung Pay you can set up a card as a ‘transport card’ to use on TFL services. This option means you don’t even need to wake your phone or verify. Simply touch the middle section of your phone against the card reader.
Sorry, maybe I misunderstood this but when googling I only found references to "transit cards" that could be added to Samsung/Google Pay, nothing on using a normal credit card for pin-less transit payments. Are you saying that Samsung Pay can also use a normal Visa card as "transit card", thus enabling these kinds of "pin-less" Visa payments?
 
Sorry, maybe I misunderstood this but when googling I only found references to "transit cards" that could be added to Samsung/Google Pay, nothing on using a normal credit card for pin-less transit payments. Are you saying that Samsung Pay can also use a normal Visa card as "transit card", thus enabling these kinds of "pin-less" Visa payments?
Samsung Pay does, at least with TFL: https://tfl.gov.uk/info-for/media/p...y-accepted-for-pay-as-you-go-travel-in-london
 
They could disable the feature.
Jesus 🙄

This is why today we can't have nice things. The fear mongering.
I was so ecstatic when Apple announced this feature. It's a God-gift for those living with crowded transit systems but now Apple should get rid of it because of some hack that the researchers don't tell the whole story about (and not sure how to implement in real life so they have to give an example of "stolen iPhone"). Oh, the fear mongering..

AirTag now has like 50% of its potential benefit because people just cry "Stalking". Funnily no one cried about it when Tile launched theirs a few years prior.
 
The same way Apple Pay with Visa is not affected by it as well? The article doesn't seem to mention Samsung with Transit function.
What do you mean by “the same way”? Apple's transit technology is unique to Apple, there is no identical implementation for Samsung Pay, they have their own implementation, which is not affected. I’m going to quote again, from the researchers:
This attack is made possible by a combination of flaws in both Apple Pay and Visa’s system. It does not, for instance, affect Mastercard on Apple Pay or Visa on Samsung Pay.
Our work includes formal modelling that shows that either Apple or Visa could mitigate this attack on their own. We informed them both months ago but neither have fixed their system, so the vulnerability remains live.
And further from the pre-print of the actual research paper:
This section presents our results from experimenting with Apple Pay Express Transit (known as Express Travel in Europe) and Samsung Pay “Transport card”. We refer to these two systems as “Transport mode”. The transport mode on these phones is a convenience feature, which allows a user to pay on certain transport networks without prior authentication to the device (fingerprint, face ID or passcode), by simply tapping the phone on the EMV reader of the transport network.

Apple Pay’s transport mode is available in London (TfL), New York City, Portland, Chicago, Los Angeles, Washington, Beijing, Shanghai, Hong Kong and Japan [21]. Samsung Pay’s transport mode is only advertised to work in London (TfL) [22]. Google Pay allows, by design, for certain small-value transactions without user authentication and does not have a dedicated transport mode.
I hope this answers the question. Samsung’s transit functionality is called “Transport Card” and while having a different implementation, offers the same functionality as Express Transit.

Here’s a direct quote of a part of the conclusion from the paper:
We investigated mobile payments-apps in different operation modes, showing their different defences against bypassing authentication in transport mode. This allows us to make fraudulent Visa payments with locked iPhones of any value we wish. This vulnerability is due to the lack of checks performed on the iPhone combined with the lack of checks at the Visa back end. Apple Pay with Mastercard is not vulnerable and nor are Mastercard and Visa with Samsung Pay.
Much more details are described in the paper.
 
What do you mean by “the same way”? Apple's transit technology is unique to Apple, there is no identical implementation for Samsung Pay, they have their own implementation, which is not affected. I’m going to quote again, from the researchers:

And further from the pre-print of the actual research paper:
Yeah, that's like one side of the story, from researchers. We know another story from Apple and VISA, that it's not a big deal. Will a trillion-dollar corporation take a risk and try to cover something? Maybe. Or it's simply that this hack is just not impractical? Otherwise why do even the researchers themselves have to talk about "stolen iPhone" on a "transit" topic?
I hope this answers the question. Samsung’s transit functionality is called “Transport Card” and while having a different implementation, offers the same functionality as Express Transit.

Here’s a direct quote of a part of the conclusion from the paper:

Much more details are described in the paper.
Maybe it's because Apple Transit mode works almost globally unlike Samsung?
 
You clearly haven’t used Tokyo train systems, the kind of which Express Transit seems to be designed to handle.
If you have 10 seconds why would you bother turning on ET?

10 seconds or less is fast enough to still be express, especially when you can unlock your phone as you approach the gate.
 
10 seconds or less is fast enough to still be express, especially when you can unlock your phone as you approach the gate.
In some places 10 seconds is quite plenty. In some places, like Ikebukuro at rush hour, you almost have to run through the check point.
 
Thanks, yes that seems to work almost similar from a user perspective although it is technically different than Apple Pay with Express Checkout.

Samsung Pay uses a bespoke integration with TFL and other public transport operators whereas Apple supports 'standard' Mastercard/Visa pin-less payments for express checkout. Samsung Pay does not suffer from the "Express Checkout" Visa vulnerability as TFL handles the payment directly, using whatever Samsung Pay 'transit' card to identify the TFL account.
 
Yeah, that's like one side of the story, from researchers. We know another story from Apple and VISA, that it's not a big deal. Will a trillion-dollar corporation take a risk and try to cover something? Maybe. Or it's simply that this hack is just not impractical? Otherwise why do even the researchers themselves have to talk about "stolen iPhone" on a "transit" topic?
Sorry, this is science, dealing with facts. There are no sides. This seems to be a very difficult thing to grasp for those who never worked in science and presented their work to other research groups around the world. Also, this work is usually peer reviewed by other scientists who are experts in their field. There are no sides. I've already linked to the researchers site, which not only contains the pre print of the paper which describes everything in detail, it also contains the source code and therefore all the necessary tools so anyone at home can reproduce this work.

There are issues for the implementation with both parties, Apple and Visa (now we have two sides). Fixing these issues on one side is good enough to fix the whole issue, so it could be done by Visa alone or Apple alone or even better both. In the case of Samsung Pay, Samsung stepped up and fixed the issue. Apple and Visa are playing the blame game, which is quite common for international companies that size (I've seen plenty of this in my industry days before joining a university again for research and teaching).
Maybe it's because Apple Transit mode works almost globally unlike Samsung?
Has nothing to do with how it's used. I'd also argue that Apple Transit is used globally, again, check the sources of the original paper to get all the info on it. The issue here is problems in both implementations, Apple and Visa, that allow this to happen, and it could be fixed by fixing the problems on either side; it does not necessarily require a fix on both sides. These are hard facts. If you don't believe it, reproduce the experiments on your own, introduce another man in the middle attack to fix the protocol and see how it magically isn't an issue anymore.
 
Sorry, this is science, dealing with facts. There are no sides. This seems to be a very difficult thing to grasp for those who never worked in science and presented their work to other research groups around the world. Also, this work is usually peer reviewed by other scientists who are experts in their field.
Oooh.. scientist.. experts.. oooh... big words...

Where is this "peer reviewed"? Seems to me these "scientists" presented some hack that Apple and Visa say.. Meh.. and they couldn't accept it so they have to scare people to get attention from Apple. They can't even say what the use case of their "hack" is. Instead of showing people getting money stolen when in transit they just imagine a scenario where people's iPhone is stolen to be tapped with this "hack".
Yeah, that's convincing.

You seem to drool at the words "researchers". Good luck with that. These aren't the first group of "researchers" who cry wolf and won't be the last.
I prefer to read and understand the issue at hand.
 
And where is this "peer reviewed"? Seems to me these "scientists" presented some hack that Apple and Visa say.. Meh.. and they couldn't accept it so they have to scare people to get attention from Apple. They can't even say what the use case of their "hack" is. Instead of showing people getting money stolen when in transit they just imagine a scenario where people's iPhone is stolen to be tapped with this "hack".
Yeah, that's convincing.

You seem to drool at the words "researchers". Good luck with that. These aren't the first group of "researchers" who cry wolf and won't be the last.
I prefer to read and understand the issue at hand.
Then read and understand the issue, which you're clearly not capable of. I've already linked to the source code, now disprove what's written in the paper. So what exactly is wrong in the work presented? Did they make a mistake, in the protocols, the approach, the results? Correct them if they are wrong (hint, they are not).

You apparently don't understand how research works. The paper is accepted for the "2022 IEEE Symposium on Security and Privacy", which means it has been peer reviewed for acceptance, otherwise it would not have been accepted. This happens in conference systems such as EasyChair. Once that is done, the authors can make final changes to submit the paper. These are usually typos, minor changes to grammar, updated figures, etc. Then later on in the process the conference is held and after that, the prints come out as conference proceedings, a book, journal, etc.

Showing a use case is not their job, this isn't a developed product, it's a technical paper. It is the job of the reader to understand the presented work and then apply it to your use case.

Being a butt hurt Apple fanboy doesn't matter, how a hack can be applied doesn't matter, the only fact that it's there matters. These types of security issues are shown all the time, it just happens that you and others are not aware of these papers and conferences. Why don't you have a look at several conference programs? The researchers couldn't care less about Apple or Samsung fanboys. That's not their job. Their job is to find and understand these vulnerabilities and present their work to others.

A security research group down the hall from my own research group is doing research on post quantum cryptography and also present their work, as are many other research groups around the world. Of course this only becomes an issue when attacks are made with quantum computers. Doesn't change the significance of the work.

So again, do your own work, show where they are wrong. If you don't, keep crying. Anyone interested in this stuff can read the actual paper and understand what's happening with the attack.
 
Thanks, yes that seems to work almost similar from a user perspective although it is technically different than Apple Pay with Express Checkout.

Samsung Pay uses a bespoke integration with TFL and other public transport operators whereas Apple supports 'standard' Mastercard/Visa pin-less payments for express checkout. Samsung Pay does not suffer from the "Express Checkout" Visa vulnerability as TFL handles the payment directly, using whatever Samsung Pay 'transit' card to identify the TFL account.
How is it different? The link I posted says it uses Visa and Mastercard, debit and credit. Does not sound like there’s anything bespoke about it.
 
Then read and understand the issue, which you're clearly not capable of. I've already linked to the source code, now disprove what's written in the paper. So what exactly is wrong in the work presented? Did they make a mistake, in the protocols, the approach, the results? Correct them if they are wrong (hint, they are not).

I take it that there is no "peer reviewed" then? 🤣

You seem to know quite a few big words, may I present another one?

"Proof of concept".

It's something "researchers" do, and many are hardly practical in real life but I know you don't have the capacity to grasp that because everything "researchers" present, for you it's like God himself speaks 🤣
For you it all boils down to one thing, and one thing only: "researchers" speak! How can they be wrong? Yeah, that's a very convincing argument.

LEARNS about human more..


the only fact that it's there matters.

No. The only fact here is that you "think" it matters. Apple doesn't. Visa, who have to pay for fraud, doesn't. It's only you, the internet keyboard warrior, who thinks it does.
 
I see a lot of people just flying off of handles left and right on this topic! Some of you need to just calm down and re-read the article. And THEN go read up and understand how credit cards work.

And THEN, if you're sensible, you'll stop using your credit cards. Not because of Apple or ET or whatever, but because credit cards and credit card interest payments will keep you from being wealthy. But that's a whole 'nother topic for a different day.

Credit cards are low risk already as long as the cardholder monitors their account and reports fraudulent charges to the bank in a timely manner.
Right! Pay the frick attention and you'll have far fewer problems.
True. This is the reason that interest rates on credit card transactions are so low.
Here in the US, it's a 3% charge, typically to the retailer to use a credit card. Some retailers will add a surcharge to the bill so that the customer will pay directly for the CC transaction, but most retailers here in the US just pay that and build it into their pricing structure.

After that, it's FREE to the consumer UNTIL your closing day comes and goes with a balance on the card. THEN the finance charges begin. And these are what I referred to at the top of my post. Finance charges are usually quite high, and as I said above, it is these charges that will prevent you from achieving true financial success.
No, your actual credit card number is not transmitted.
Thank you...
And through the use of cryptography and transaction identifiers, whatever transaction that occurs cannot be replayed - so if money is charged to your card it can only happen once, and not repeated later.
...for being...
Also, none of your money is taken away.
...one of the lone voices of reason...
Money is charged against your credit card balance (if the network or the issuer doesn’t catch the fraud), but if you dispute it and it wasn’t a legitimate charge, then you won’t have to pay.
...this time. ;)
 
I take it that there is no "peer reviewed" then? 🤣
Sad you still don't understand. The paper has been peer reviewed by the conference chair. Why don't you get in touch with the authors and/or the conference chair? I guess they will happily confirm this for you.
 
Jesus 🙄

This is why today we can't have nice things. The fear mongering.
I was so ecstatic when Apple announced this feature. It's a God-gift for those living with crowded transit systems but now Apple should get rid of it because of some hack that the researchers don't tell the whole story about (and not sure how to implement in real life so they have to give an example of "stolen iPhone"). Oh, the fear mongering..

AirTag now has like 50% of its potential benefit because people just cry "Stalking". Funnily no one cried about it when Tile launched theirs a few years prior.
You misunderstand my post.

I didn't call for Apple to disable any features. I said it was unusual for Apple to let customers manage their own risk. I said that Apple could prevent customers from managing their own risk in this case in various ways. I did not advocate they do so.
I personally prefer to manage my own risk. In this case, I want to know what the threat is and decide myself if it is worth avoiding. I'd like side-loading and 3rd party stores. I prefer having the to make my own decisions when it comes to this sort of thing.

If it helps, here is my original post in bullet points:

* This is not a big issue.
* Apple is letting people manage their own risks.
* That is unusual for Apple, which often cites "security" as an explanation for restricted options.
* It is as if corporate principles are guided more by money than principles.
 