back to article Wallet-snatch hack: ApplePay 'vulnerable to attack', claim researchers

Security researchers say they have come up with two separate "attacks" against ApplePay, highlighting what they claim are weaknesses in the mobile payment method. One of the attacks developed by the white hats, and presented at Black Hat USA yesterday, requires a jailbroken device to work, but the other assault does not. In …

  1. Anonymous Coward
    Anonymous Coward

    Requires jailbroken device, 95+% of users then not affected

    The fact this requires a jailbroken device means that the majority of people will be unaffected. Even the 2nd method seems like it would be a low hit on devices.

    I used to jailbreak years a go but find no real reason to do so now and I cant be bothered as it breaks so many apps e.g banking apps dont work as detect device is jailbroken.

    Curious as to why people jailbreak now and for what apps/functionality?

    1. Thomas Wolf

      Re: Requires jailbroken device, 95+% of users then not affected

      The author claims 20% of people jailbreak their phones. I don't believe that number at all - even your 5% sounds high. 95% of people who own iPhones wouldn't even know how to jailbreak an iPhone - even if they cared to. Those that do jailbreak are a subset of the other 5% - in my opinion :-)

      1. DougS Silver badge

        Re: Requires jailbroken device, 95+% of users then not affected

        I know exactly zero people who have jailbroken their iPhone, and have never once thought "I wish I could do X, but I'd have to jailbreak my iPhone to do it".

        I'll bet the true number is a fraction of 1%, and I don't think we should even bother worrying about security problems that result from it. If you don't feel you have enough control over your iPhone without jailbreaking, why don't you sell it and get an Android phone?

  2. Thomas Wolf

    Not really a weakness in ApplePay

    I don't see either attack as a weakness in ApplePay: (1) if you jailbreak your phone, you get what you get - you can't blame the maker of your front-door lock for a break in that occurred because you left the back door open. (2) your article says that Apple states a cryptogram should only be used once. If vendors re-use them for convenience, that to me is not a weakness in ApplePay per se, but a weakness in its implementation.

    The second attack reminds me of an early 'weakness' in ApplePay: because vendors weren't confirming ApplePay card registrations with the owners, criminals managed to register stolen cards with ApplePay on stolen phones and use ApplePay to make purchases. That wasn't an ApplePay weakness either - it was a weakness in the card vendor's protocols.

    1. DougS Silver badge

      Re: Not really a weakness in ApplePay

      Yeah, the only weakness identified here is a weakness in the end user (jailbreaking without understanding that it compromises security so stuff like Apple Pay should not be used) and a weakness in vendors taking shortcuts.

      No matter how secure is a system is, it can't be made security against those who are stupid or incompetent. Now maybe they can protect against incompetent vendors by telling them "after date X Apple Pay will refuse to work with vendors that allow re-use of cryptograms" and IMHO they should protect against jailbreaking by disabling Apple Pay if the user has jailbroken his phone.

      Typical alarmist researchers (and Reg headline writers) advertising a flaw that's not really one...

    2. Mark 65

      Re: Not really a weakness in ApplePay

      The weakness in the system is this

      The first step in the second attack is for hackers to steal the payment token from a [targeted] victim's phone. To do that, they will use public Wi‑Fi, or offer their own 'fake' Wi‑Fi hotspot, and request users create a profile.

      Stupid squared essentially. Anyone who thinks to themselves "that's a handy free hotspot that wants me to do X" and partake gets everything they deserve. If people want to use technical devices without understanding the consequences then fine, but you will get fvcked in the long term. A little self education or even common sense on this front goes a long way.

      1. DougS Silver badge

        Re: Not really a weakness in ApplePay

        I saw something very interesting along that vein today. In my corporate email today I received a notice that I had a "voicemail". If I hadn't installed a new collaboration tool a couple days ago I would have assumed it was spam, but it had me going for a minute.

        After looking at the domain I decided it was probably some sort of malware, so I hovered over a couple links and did some googling and found it was a company that forges phishing emails for companies to test their employees. When I scrolled to the bottom of the email (a lot of whitespace in the way) there was a link to tell the sender you figured it out :)

        If there were more things like this that try to catch people and tell them "you were just fooled, this was only a test but next time it could be real" if they clicked on the 'malware' maybe it would educate more people. It is at least worth a try, so I was encouraged to see this email today. I suspect it will catch a lot of people, especially if they have timed it to go out after they install the new collaboration tool you think "did that give me some sort of voicemail box I didn't know about?"

        1. This is my handle
          Joke

          Re: Not really a weakness in ApplePay

          I wonder where the 2nd link *really* goes? :-)

  3. Blotto Silver badge
    Holmes

    MiM attack

    dismissing the first attack because it requires a user to circumvent the built-in security of the device, like others have mentioned, blaming the front door lock when the back door is wide open.

    The second attack requires the phone to connect to an unscrupulous wifi network who's owners can then perform a man in the middle attack while the phone user is makeing an internet transaction paying via apple pay.

    you'd hope the iphone would complain about the MiM cert not matching Apples but as that is the point of MiM attacks (masquerading as a CA authorised to validate certs) then that's why that gets through.

    is the onus then on Apple to ensure token replay is not tolerated?

    the token is meant to be meaningless once used so i'm really surprised a replay is tolerated when the token can just easily be regenerated from the legitimate source.

    1. DougS Silver badge

      Re: MiM attack

      Well Apple instructs vendors not to re-use cryptograms, but if some are then Apple should alter the software to check for that and refuse to process a transaction that re-uses a cryptogram. Also warn vendors that they'll do internal checks to see if they re-use cryptograms and disable any who aren't compliant after date X, just to be sure.

      It should be on the vendor, but to the extent Apple can protect stupid vendors from themselves, they should. If for no other reason to avoid headlines like this article's.

  4. whoseyourdaddy

    Now you have a reason to wait until after you bought your food to connect to any random WiFi.

    1. katrinab Silver badge

      I think this is Apple Pay for in-app purchases rather than contactless Apple Pay, which can be done without a network connection.

      Typical use case would be ordering a taxi on an app and paying the fare by Apple Pay. Addison Lee has this facility, I guess Über also does this, but I've never used them.

  5. Anonymous Coward
    Anonymous Coward

    "As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions."

    Yeah, that sounds like a massive screwup.

    Got to hope they can change away from using cleartext without having to change chips.

    1. Snowy Silver badge
      Coffee/keyboard

      While not good practice sending the cryptogram in cleartext would not be a problem if it only used once.

      I am surprised you can reuse the cryptogram I assume it gets verified by the Applepay server each time it is used, so surely a second use would be rejected. Which brings to mind how long is the cryptogram valid for?

      1. DougS Silver badge

        I thought I read once they are valid for five minutes, to allow for network delays and potential retransmission.

        Regardless, I'll bet the Apple Pay contract with the vendor requires that they follow Apple's security guidelines, and re-using cryptograms is against their guideline. So the vendor is almost certainly liable for the multiple charges, not Apple (and of course not the user)

      2. Thomas Wolf

        "..I assume it [cryptogram] gets verified by the ApplePay server..." - there is no ApplePay server anywhere in an ApplePay transaction.

  6. Sub 20 Pilot

    NFC payments in general

    Personally I don't think people will have to go to any great lengths to steal credit / cash from most of the public in this way. For the last few years since the upsurge in NFC credit cards and the various mobile pay services I can sit in my friend's shop and watch as about 95% if not more of customers come in and pay for fuel, fags, booze, other miscellaneous stuff on a contactless card or phone and will say ''I don't ant the receipt.''

    Fucking mind boggling stupidity in my opinion. Why give the banks and card providers any more reason not to credit you a disputed claim for a fraudulent transaction ?

    With this kind of stupidity in the majority it can surely only be a matter of time before someone realises that they have been stung somewhere and then realises that they can't do a thing about it. Or is it just the hipster morons with too much money / rich parents that are doing this and not really caring.

    The user base I see are usually the teenagers / early 20's lot who in general seem to have no clue about reality, aided by parents who seem to fund their every whim. Others are older and seem a bit unsure when using the technology but do it anyway as it is the in thing to do maybe.

    I have long given up my 'good samaritan' bit, or interfering git as most of them seem to think by advising them to at least keep a receipt of the transaction but then again for years they have probably considered me as some sort of gibbering fool when I tell them what the odds of winning the lottery against getting killed by tobacco products are..

  7. Anonymous Coward
    Anonymous Coward

    It's late...

    You lost me there. How do I keep a receipt for a fraudulent transaction?

  8. simon gardener

    count me in the sceptical group when it comes to jailbreaking. i know a lot of people with iPhones and don't know a single one who has in years. I'd be staggered if 20% of the people I know who own iPhones had heard of the concept of jailbreaking their phones.

  9. Tree

    Don' trust them

    Never pay with a connected device. That's the only way to keep someone from stealing from you.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020