
Store your corporate card on iPhone? Uh-oh


Last week, Apple and Google (and Visa in particular) gave us another example of how security and convenience are often at odds. And it looks like they chose convenience.

The latest issues affect only a small subset of iPhone and Android users, specifically those who use their phones to pay for public transit. If you think about how the subway works in a big city (I’ll take New York City as an example), fare gates have to process payments extremely quickly. Using facial recognition or entering a PIN just before paying to board the subway would slow down the journey considerably.

Instead of allowing the validation to happen sooner – say, within five minutes of the transaction – or speeding up the process to a split second, Apple, Google, and Visa appear to have chosen to skip any meaningful validation. (Note: I’m focusing on Visa because this vulnerability still exists. MasterCard and others have patched it.)

Security researchers at Positive Technologies examined the phones and found the problem.

“The vulnerabilities allow attackers to make unlimited purchases using stolen smartphones with expedited shipping plans enabled without requiring the device to be unlocked for payment,” Positive Technologies said in a statement. “Until June 2021, purchases could be made at any PoS terminal, not just in public transport. On iPhone, you can make payments even if your phone’s battery is dead. Prior to 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, facial recognition, or PIN. But today, it has become possible using public transit programs or Apple’s Express Transit mode.”

Timur Yunosov, a security researcher at Positive Technologies, said the risk still exists, but varies based on the combination of payment card brand (Visa, MasterCard, American Express, etc.) and device type.

“If you use your Visa card on Apple Pay, anyone can bring your phone – even if it’s not charged – to a luxury store and buy something with your phone. Before June 2021, the same could happen with the Samsung Pay/MasterCard pair,” said Yunosov, who spoke last week at Black Hat Europe. “But at some point, they quietly fixed the problem. Google Pay has the most risk. If NFC is enabled, someone can even clone your MasterCard for a short period of time and use it later to make purchases. Even after all the changes MasterCard has made, there is still the possibility of fraud for lost mobile wallets (Apple, Samsung, Visa, MasterCard, AMEX), although it requires special equipment, such as a modified POS machine or direct access to the transaction flow.”

Given that this involves stolen devices, it poses a difficult question for IT. For many businesses, the standard IT protocol when a device is labeled “potentially stolen” is to remotely wipe that device, theoretically eliminating any further risk. But that may not work if the phone is not connected to the Internet, is turned off, or has a dead battery.

“If the phone is not charged, it can still be used for identification. So the information will not be deleted from the device. It also depends on whether the deletion mechanisms include deleting records from the security system (e.g., a database of devices belonging to employees); if they do, it will be safe,” Yunosov said. “Otherwise, it can put the entire system at risk. Until we see these systems deployed in large companies, it’s all speculation.”

There’s some good news – albeit temporary, and in theory. Other sensitive data on the phone is not at risk. And if it is, a remote wipe can solve the problem, assuming a proper connection for the remote wipe can be made.

But, as Yunosov pointed out, this vulnerability could get a lot worse. Apple is preparing a series of new “value-added services,” such as ways to access secure buildings. For speed and convenience, it could use the same process that is in place for transit payments. That would widen the universe of potential victims.

Another important issue: What if the thief actually makes a fraudulent purchase using the phone? Proving that the charges are fraudulent can be difficult. “It will be very difficult to prove to your issuing bank that you are not paying for these and that the phone is not unlocked with your fingerprint or PIN,” Yunosov said.

Some victims may get lucky if security cameras filmed the shopper or if the victim can prove they were somewhere else at the time of the theft.

It looks like Apple could take advantage of the Apple Watch here. What if your Apple Watch constantly tracked its distance from your iPhone? And what if, beyond a predetermined distance, the watch let the user disable the phone, temporarily or permanently? Giving users the option to disable it temporarily is important; that is where the difference between a lost phone and a stolen phone lies.

The watch could also tell the user exactly where the phone is – or at least where it was when it was last detected. That information would help users determine whether the phone is simply misplaced or has likely been stolen.

At the very least, Apple, Google, and the financial institutions need to remember that convenience should not come at the expense of security. Slowing down the subway may be inconvenient, but dealing with fraud and theft is worse.

Copyright © 2021 IDG Communications, Inc.


