Do you have an iPhone? Do you make use of the Apple Pay service? If so there is a security issue you need to be aware of. Researchers have discovered a means by which fraudulent payments can be made from a locked iPhone.
Two conditions must be true for the flaw to be exploited. The user must have a Visa card in their digital wallet and they must have express mode enabled.
Essentially the flaw amounts to digital pick-pocketing. It can be performed even if the owner of the phone has it tucked away in a bag or pocket. Even worse is the fact that there is no transaction limit.
This issue was apparently created when the company attempted to solve a separate issue. Apple users had been complaining that Apple Pay was sometimes cumbersome to use because it required the user to unlock the phone with a password, Touch ID, or Face ID.
In order to improve the overall user experience the company added an Express Mode to the service allowing transactions to be completed without the phone being unlocked.
When users enable this option in Apple Pay they get a notification that reads as follows:
“The card you select will work automatically without requiring your Touch ID or your passcode. Just hold iPhone near a supported transit reader.”
The researchers were able to emulate a ticket-barrier transaction of the kind you’d find in a mass transit station by using a Proxmark device which acted as a card reader. This device communicated with the target iPhone with an NFC chip that communicated with a payment terminal.
It’s easy enough to see how this story ends. Although not yet ubiquitous attacks like this are already being seen in the wilds and they will only increase in popularity over time.
As of now there is no fix for this issue. Visa and Apple insist that it’s a problem the other company needs to take charge of fixing. The best thing you can do to avoid the issue is to steer clear of Express Mode.
