Can you steal money from your iPhone with Apple Pay?


According to an English researcher, there is an obvious vulnerability that can be used to steal money from a locked iPhone if a Visa card is set up with Apple Pay Express Transit. A comment from Sophos.

In IT, convenience and security often stand in the same relationship to each other as freedom and security: one comes only at the expense of the other. A current example is the Apple Pay “Express Transit” functionality: small amounts can be paid easily, without entering the lock code. According to the latest reports, however, this can be exploited with serious consequences. Paul Ducklin, a security expert, explains the problem.

English researcher finds iPhone vulnerability

An as-yet-unpublished paper by researchers in the UK hit the headlines in late September for its dramatic claims about Apple Pay, stating that when a Visa card is set up with Apple Pay Express Transit, an obvious vulnerability allows money to be stolen from a locked iPhone.

Never heard of Express Transit? It's one of those clever ideas that sacrifices cybersecurity for convenience. In simple terms, this feature allows some types of touch-to-pay transactions to be performed even when the phone is locked - provided Express Transit is enabled.

Apple Pay payment principle: Pay without further approval

With Express Transit, Apple Pay and the iPhone work a bit like a regular credit card that doesn't need to be unlocked with a PIN code for low-value transactions. In most European countries this limit is between 25 and 50 euros.

Paying via Express Transit on your smartphone is just as easy. If a transaction is requested, a single tap on the locked smartphone is enough and the money is with the recipient. This last tap can easily happen unintentionally if the user quickly “clicks away” something because their attention is elsewhere, or if the tap is triggered unnoticed by a stranger, for example in a cafe or in a crowded train station. In contrast to the credit card, which is usually kept in your wallet and only taken out when the payment is actually due at the terminal, the mobile phone is much more often visibly present, for example lying on a table.

Payment defies PIN code, fingerprint or face recognition

So that the smartphone cannot be misused, we usually lock it with a PIN code or an alternative authentication mechanism such as fingerprint or face recognition. Unfortunately, however, users keep enabling phone functions on the lock screen and thus reduce the security that the lock screen is primarily supposed to offer, regardless of whether it is about notifications and personal messages being displayed while the phone is locked, or about using the Apple Pay Express Transit function.

The researchers behind the yet-to-be-published work now claim that they were able to trick iPhones into fraudulent payments under carefully prepared circumstances. They set up their own payment terminal, disguising it as a terminal of the public transport company that was part of the Express Transit payment system.

Researchers reportedly debited up to 1,000 euros!

Apparently they only succeeded in stealing with Visa card accounts (presumably other payment providers were stricter in deciding whether payment terminal X really belonged to company Y), and, even worse, the payments were not limited by the usual limit of around 50 euros. The researchers claim that by using a fraudulent payment terminal, they were able to make transactions of over 1,000 euros.

Apple Pay Express Transit: what to do?

Despite these dramatic results, iPhone owners do not need to panic, but the report is an occasion to look again at the use of their own smartphone. Users should generally rethink the exceptions they allow on the locked cell phone. Is it really a burden to have to enter the lock code for every action? If you answered yes, you have to live with the risks. For anyone else who feels more secure with an unlocking process, here are a few more tips:

  • Turn off Express Transit and all other functions that are active on the lock screen. These options inevitably sacrifice security for convenience.
  • Express Transit in conjunction with a Visa card should be avoided for the time being. To be fair to Visa, we assume that with enough effort, similar workarounds could be found for other payment providers. If you are really concerned and cannot live without Express Transit, set it up with a prepaid debit card holding a moderate balance. At least then only the prepaid balance is at risk, not the credit line of a credit card.
  • Never leave the phone unattended and only take it out when it is in use. Otherwise, hold it in your hand or keep it in your pocket.
  • Use the best possible lock code and the shortest period of time for the automatic lock. A locked phone is a minor inconvenience for you but a major hurdle for scammers, even the tech-savvy. An unlocked phone, on the other hand, is an open target for everyone, including simple casual criminals.
  • Check bank and payment card statements regularly. If you use Express Transit for regular and predictable payments, for example on public transport, abnormal bookings are easy to spot.
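The last tip can be automated. The following script is an added example (not Sophos's code) that scans a constructed card statement for transit charges above the roughly 50 euro no-PIN limit the article mentions, or far above the cardholder's usual fare; the merchant name, CSV layout and the 3x fare ratio are assumptions.

```python
# Added example: flag suspicious Express Transit bookings on a card statement.
# Constructed data; merchant names, CSV layout and thresholds are assumptions.
import csv
import io
from statistics import median

CONTACTLESS_LIMIT_EUR = 50.0   # no-PIN limit cited in the article (assumed 50 EUR)
FARE_RATIO_THRESHOLD = 3.0     # assumption: >3x the usual fare deserves a look
TRANSIT_MERCHANTS = {"city transit"}  # hypothetical Express Transit merchant(s)

# Constructed sample statement: date,merchant,amount_eur
SAMPLE_STATEMENT = """date,merchant,amount_eur
2021-09-20,City Transit,2.90
2021-09-21,City Transit,2.90
2021-09-22,Bakery Corner,4.10
2021-09-23,City Transit,2.90
2021-09-24,City Transit,45.00
2021-09-24,City Transit,1034.00
"""


def parse_statement(text):
    """Parse CSV statement text into (date, merchant, amount) tuples."""
    return [(row["date"], row["merchant"], float(row["amount_eur"]))
            for row in csv.DictReader(io.StringIO(text))]


def find_abnormal_transit_bookings(rows):
    """Return (date, merchant, amount, reason) for transit charges that look wrong.

    The usual fare is the median of all transit charges, which stays stable
    even when a few fraudulent large bookings are mixed in.
    """
    transit = [r for r in rows if r[1].lower() in TRANSIT_MERCHANTS]
    if not transit:
        return []
    usual_fare = median(amount for _, _, amount in transit)
    flagged = []
    for date, merchant, amount in transit:
        if amount > CONTACTLESS_LIMIT_EUR:
            flagged.append((date, merchant, amount, "above contactless limit"))
        elif amount > FARE_RATIO_THRESHOLD * usual_fare:
            flagged.append((date, merchant, amount, "far above usual fare"))
    return flagged


if __name__ == "__main__":
    for hit in find_abnormal_transit_bookings(parse_statement(SAMPLE_STATEMENT)):
        print("CHECK:", hit)
```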
More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
