
GrumpyCoder

macrumors 68020
Nov 15, 2016
2,072
2,650
* That is unusual for Apple, which often cites "security" as an explanation for restricted options.
* It is as if corporate principles are guided more by money than principles.
Spot on. Either Apple or Visa could fix this on their own. Neither is doing anything. I'd expect nothing else from Visa. I'd personally (but that is only my opinion) expect Apple to step up to providing a paying experience with Apple Pay which is not only comfortable, but also secure when it comes to known attacks.... <crickets chirping> in Cupertino.
 
I have Express Transit disabled on my Apple Pay (I guess it's off by default, luckily). I have used the tap to pay on my Visa card before, but not a lot of places have the option in my experience.

Tap to Pay and Express Transit are not the same thing. Also, as MANY others have stated, this is "researchers" in a lab looking at the 0.001% chance of something happening and saying it's a "problem".
 
Reactions: BugeyeSTI
Hm, how come Samsung Pay is not affected by this?

From my experience in FinTech it would be because of the way that Samsung and VISA implemented their communication and data exchange process. When you get to the level these companies are at, there are no "out-of-the-box" systems or any sort of public API or anything. These are customized solutions built with coordinating in-house teams. Likely the very nature of how these two teams worked together didn't allow this exploit to occur. However, just because it does impact Apple Pay does not mean Apple has any control over it. Typically, while the two teams will work together, it is not a two-way street. VISA's team will get some initial specs of what X company wants to accomplish, let's say Apple in this case. They will then tell Apple how they have to do things in order to interface with VISA's system. VISA then builds the back end and Apple builds the front end. Apple doesn't get much say in this other than the initial ask to support whatever process they proposed. My experience is this specifically with a branch of JP Morgan/Chase and VISA. So while you could look at it and say it is an "Apple Pay" issue and it might have some truth to it, in terms of who can address the problem, it is VISA who owns that part of it. Apple could of course petition VISA to make the change so Apple could adjust their code. Maybe they have, maybe they haven't. Chances are, since this seems to be a "lab" hack and not a practical real-world hack, neither side is going to give it much effort.

I haven't read all of the comments, but I had a couple dollars stolen from my account through a similar hack that was charged to the NYCT I believe, and I live nowhere near NY and haven't visited NY in many years. If I had to guess, they are hiding these near vending machines that accept Apple Pay so when you buy a soda and authenticate they are also reading your card and stealing from your account.

https://www.reddit.com/r/nyc/comments/e8f0x0
The transactions that take place via Tap to Pay or any other use like this are one time transactions. The card number used at the vending machine is not able to be used a second time. So the only way someone could have been hiding near the vending machine and stolen your card that way was if you went to make a purchase at the vending machine, it went through on your phone, and then you did not receive an item. If you received an item, then you did not get anything stolen from you during that interaction as the card can't be used to give you an item and then charged again for some other purpose.


You misunderstand my post.

I didn't call for Apple to disable any features. I said it was unusual for Apple to let customers manage their own risk. I said that Apple could prevent customers from managing their own risk in this case in various ways. I did not advocate they do so.
I personally prefer to manage my own risk. In this case, I want to know what the threat is and decide myself if it is worth avoiding. I'd like side-loading and 3rd party stores. I prefer having the ability to make my own decisions when it comes to this sort of thing.

If it helps, here is my original post in bullet points:

* This is not a big issue.
* Apple is letting people manage their own risks.
* That is unusual for Apple, which often cites "security" as an explanation for restricted options.
* It is as if corporate principles are guided more by money than principles.

I don't really think it is unusual. Apple (and most other companies) seems to focus on the lowest hanging fruit and then work up the tree from there. Apple was already focusing on privacy well before they took it to the next level with Touch ID in 2013. They also were already focusing on privacy well before they took it to the next level with app transparency and app tracking in 2020. It will be a continual process. The fact that Apple hasn't gone after EVERYTHING is just pragmatic, and especially in this case where it appears to be something that is non-pervasive and not a practical scam.
 
How long does it take you to unlock your phone?
Are you trying to argue that the feature is not needed? If so, why was it developed? Why is it adopted and being used? If it isn't then there is no security concern. If it is, then it must be useful.

I don't know if you have lived in a large city where mass transit is the primary way people get around the city. If you have, then I find it hard to believe you can't understand why unlocking your phone is an issue for people. Will it be a problem for everyone? No! But just like some people are much better drivers on the highway than others, so are commuters on a mass transit system. It is also possible that you just need to consider that while YOU might not have a problem in being prepared with your phone unlocked, other people are not you and might have this issue. And when you have large amounts of people being funneled through a small area, during rush hours, it is very hurried and frantic. Sometimes it's just as simple as you just have too much stuff in your hands. If you haven't lived in that type of city and commuter system, then maybe you just don't have this particular life experience and maybe trust others who do that it is actually a pretty big deal.

I see a lot of people just flying off of handles left and right on this topic! Some of you need to just calm down and re-read the article. And THEN go read up and understand how credit cards work.

And THEN, if you're sensible, you'll stop using your credit cards. Not because of Apple or ET or whatever, but because credit cards and credit card interest payments will keep you from being wealthy. But that's a whole 'nother topic for a different day.


Right! Pay the frick attention and you'll have far fewer problems.

Here in the US, it's a 3% charge, typically to the retailer to use a credit card. Some retailers will add a surcharge to the bill so that the customer will pay directly for the CC transaction, but most retailers here in the US just pay that and build it into their pricing structure.

After that, it's FREE to the consumer UNTIL your closing day comes and goes with a balance on the card. THEN the finance charges begin. And these are what I referred to at the top of my post. Finance charges are usually quite high, and as I said above, it is these charges that will prevent you from achieving true financial success.

While I can understand your point, it is not balanced. It is true that for SOME people, credit cards can be a bad thing. It is not a blanket statement that applies to everyone, which is how you stated it. The "issues" you raised are able to be mitigated and then you can leverage the benefits without needing to have fear from some perceived problem that you are able to avoid.
 

gregmancuso

macrumors 6502
Nov 1, 2014
392
483
Are you trying to argue that the feature is not needed? If so, why was it developed? Why is it adopted and being used? If it isn't then there is no security concern. If it is, then it must be useful.

I don't know if you have lived in a large city where mass transit is the primary way people get around the city. If you have, then I find it hard to believe you can't understand why unlocking your phone is an issue for people. Will it be a problem for everyone? No! But just like some people are much better drivers on the highway than others, so are commuters on a mass transit system. It is also possible that you just need to consider that while YOU might not have a problem in being prepared with your phone unlocked, other people are not you and might have this issue. And when you have large amounts of people being funneled through a small area, during rush hours, it is very hurried and frantic. Sometimes it's just as simple as you just have too much stuff in your hands. If you haven't lived in that type of city and commuter system, then maybe you just don't have this particular life experience and maybe trust others who do that it is actually a pretty big deal.
I am not saying it is a bad feature. The point is that if you want to enable this feature, associate a non-Visa card if you are concerned about the risk. I would personally not enable the feature. I prefer to positively approve all purchases, but I can see the utility in this feature for others.

I have lived in areas with mass transit being a primary method of getting around. Some people do take longer than others. I would venture that anyone coming to the gate with lots of things in their hands will have problems and the extra time to unlock in these cases would also be an issue for having to pull out their wallet or phone.

This can be a very seamless process that takes no time at all:
  1. Pull your phone out of your pocket, double-clicking the sleep button as you do
  2. Glance at your phone
  3. Tap.
Other than the double-click and glance it is no different than with the feature turned on. Only thing is that your preferred transit payment card would need to be your default payment card for ApplePay. If you are using Express Transit with a credit card and not a dedicated transit pass then it is really not an issue in any regard.
 
I am not saying it is a bad feature. The point is that if you want to enable this feature, associate a non-Visa card if you are concerned about the risk. I would personally not enable the feature. I prefer to positively approve all purchases, but I can see the utility in this feature for others.

I have lived in areas with mass transit being a primary method of getting around. Some people do take longer than others. I would venture that anyone coming to the gate with lots of things in their hands will have problems and the extra time to unlock in these cases would also be an issue for having to pull out their wallet or phone.

This can be a very seamless process that takes no time at all:
  1. Pull your phone out of your pocket, double-clicking the sleep button as you do
  2. Glance at your phone
  3. Tap.
Other than the double-click and glance it is no different than with the feature turned on. Only thing is that your preferred transit payment card would need to be your default payment card for ApplePay. If you are using Express Transit with a credit card and not a dedicated transit pass then it is really not an issue in any regard.

Agreed that it CAN be a very seamless process. I won't belabor the point, but obviously it CAN also be a very not seamless process. My point about having your hands full was literally me two days ago. Lots of shopping bags carried in both hands and actually arms as well. When I got up from the train, I had my phone in my hand and loaded my arms with bags. I reach the scanner. The idea of having to do the steps you listed, with bags, in line, is just a lot more work and time. In my case I simply tap the phone (which I can't even see over my bags) on the scanner and walk through the stall. No delay, just done.

I agree that it is simple to avoid this unlikely security issue by either not using the express transit settings or by using a Mastercard. In my case since my Apple Credit Card is set to be my express transit card, I am all set in any regard.

But seeing that there are 30+ documented exploits of the VISA system (that I am aware of from my short project working in FinTech for Chase), I won't worry about this one either because it is not practical outside of a lab environment. And since I balance my accounts, if I were to find a rogue transaction, VISA would simply void the charge.
 
Reactions: kitKAC

gregmancuso

macrumors 6502
Nov 1, 2014
392
483
Agreed that it CAN be a very seamless process. I won't belabor the point, but obviously it CAN also be a very not seamless process. My point about having your hands full was literally me two days ago. Lots of shopping bags carried in both hands and actually arms as well. When I got up from the train, I had my phone in my hand and loaded my arms with bags. I reach the scanner. The idea of having to do the steps you listed, with bags, in line, is just a lot more work and time. In my case I simply tap the phone (which I can't even see over my bags) on the scanner and walk through the stall. No delay, just done.

I agree that it is simple to avoid this unlikely security issue by either not using the express transit settings or by using a Mastercard. In my case since my Apple Credit Card is set to be my express transit card, I am all set in any regard.

But seeing that there are 30+ documented exploits of the VISA system (that I am aware of from my short project working in FinTech for Chase), I won't worry about this one either because it is not practical outside of a lab environment. And since I balance my accounts, if I were to find a rogue transaction, VISA would simply void the charge.
Granted, it is more work. You can do the steps well in advance and rest your finger on the screen to keep it awake, then tap at the gate. Not doing it at all is better, but it does not have to be an onerous task either.

Agree this is really not worth arguing. Express Transit is a positive feature. If there are concerns with using a Visa, either use a different card or elect to deal with the extra couple of steps.
 
Reactions: Unregistered 4U

stevet

macrumors 6502a
Apr 16, 2009
584
929
"The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed."

Rough week for Apple 😆

Did you forget to read the article before posting?
 
Reactions: kitKAC

Unregistered 4U

macrumors G3
Jul 22, 2002
9,913
7,832
Couldn't they bring up an alert on the lock screen that requires user input to confirm? Perhaps not a full unlock, but pressing a button. Also, why not specify an upper limit on the money spent per day this way to limit losses? VISA will cover fraudulent charges, but fraud does come back to consumers in terms of higher fees and interest rates.
I think the point here is that VISA, being the company that actually has to deal with these transactions, has looked over their millions and millions of daily transactions, is aware of the patterns for this exploit and has determined that IF it were to happen, it would not be to an unmanageable extent. Given what’s required for this particular exploit, they’re likely dealing with actual real situations in the world (not just in a lab) that amount to many orders of magnitude larger than the worst that this situation could ever cause.

Security Researchers HAVE to make things sound scary so that you’ll read their articles and view their videos. Ad revenue is a POWERFUL drug. :) BUT, in today’s complex systems, where any individual member of the system could be exposed to several critical exploits, many companies have a “no-trust” configuration. Even if a member of the system is exploited, it’s not automatically trusted into the next part of the system. This means that safeguards in OTHER areas of the system can effectively obviate any individual member’s exploit. Security Researchers, of course, know this, and know those other safeguards are in place. But, again, they’re looking at the dollars those ad views will drive and, hey, what’s a few million folks becoming irrationally fearful as long as those researchers can keep the level of living they’re accustomed to?
 
Reactions: VulchR

VulchR

macrumors 68040
Jun 8, 2009
3,377
14,249
Scotland
I think the point here is that VISA, being the company that actually has to deal with these transactions, has looked over their millions and millions of daily transactions, is aware of the patterns for this exploit and has determined that IF it were to happen, it would not be to an unmanageable extent. Given what’s required for this particular exploit, they’re likely dealing with actual real situations in the world (not just in a lab) that amount to many orders of magnitude larger than the worst that this situation could ever cause.

Security Researchers HAVE to make things sound scary so that you’ll read their articles and view their videos. Ad revenue is a POWERFUL drug. :) BUT, in today’s complex systems, where any individual member of the system could be exposed to several critical exploits, many companies have a “no-trust” configuration. Even if a member of the system is exploited, it’s not automatically trusted into the next part of the system. This means that safeguards in OTHER areas of the system can effectively obviate any individual member’s exploit. Security Researchers, of course, know this, and know those other safeguards are in place. But, again, they’re looking at the dollars those ad views will drive and, hey, what’s a few million folks becoming irrationally fearful as long as those researchers can keep the level of living they’re accustomed to?
Interesting post. I guess we'll see if this ever makes an impact in the wild.
 

Bearcats

macrumors newbie
May 27, 2023
1
0
I believe this is happening to me right now. I've been through 6 Visa debit cards at one bank, and 1 at another bank. I have the Bay Area transit card installed, Clipper Card, and its app. Its app stores my payment method. The Clipper Card and the Visa debit card are (well, were) both in my Apple Wallet. I suspect that the Clipper Card transit app has accessed my debit card fraudulently. Then the hackers are receiving automatic Visa debit updates through this site: https://developer.visa.com/use-cases/identify-merchants-receiving-automatic-card-updates My new debit cards are being hacked before I receive them.
 

I7guy

macrumors Nehalem
Nov 30, 2013
34,198
23,912
Gotta be in it to win it
I believe this is happening to me right now. I've been through 6 Visa debit cards at one bank, and 1 at another bank. I have the Bay Area transit card installed, Clipper Card, and its app. Its app stores my payment method. The Clipper Card and the Visa debit card are (well, were) both in my Apple Wallet. I suspect that the Clipper Card transit app has accessed my debit card fraudulently. Then the hackers are receiving automatic Visa debit updates through this site: https://developer.visa.com/use-cases/identify-merchants-receiving-automatic-card-updates My new debit cards are being hacked before I receive them.
Cancel the accounts? Delete the transit app? Disable express transit?
 

Unregistered 4U

macrumors G3
Jul 22, 2002
9,913
7,832
I believe this is happening to me right now. I've been through 6 Visa debit cards at one bank, and 1 at another bank. I have the Bay Area transit card installed, Clipper Card, and its app. Its app stores my payment method. The Clipper Card and the Visa debit card are (well, were) both in my Apple Wallet. I suspect that the Clipper Card transit app has accessed my debit card fraudulently. Then the hackers are receiving automatic Visa debit updates through this site: https://developer.visa.com/use-cases/identify-merchants-receiving-automatic-card-updates My new debit cards are being hacked before I receive them.
Based on the information you provided, I’d say it’s unlikely THIS hack is your problem (as it works on cards in your possession, not prior to obtaining them) but there are likely a number of VISA exploits in the world that contacting VISA might help to resolve.
 