Revealed: How to steal money from victims' contactless Apple Pay wallets

Apple's digital wallet Apple Pay will pay whatever amount is demanded of it, without authorization, if configured for transit mode with a Visa card, and exposed to a hostile contactless reader. Boffins at the University of Birmingham and the University of Surrey in England have managed to find a way to remove the contactless …

  1. Tron

    A better solution...

    ...would be the global adoption of a Suica style pre-pay card for transport and other smaller payments.

    Smartphones are unreliable. Cards just work. They cost less and require no batteries.

    1. katrinab Silver badge

      Re: A better solution...

      Visa Debit *is* a Suica-style pre-pay card for transport and other smaller payments. At least from the end-user perspective.

      Note that this vulnerability only works on Visa, not Mastercard.

      1. bazza Silver badge

        Re: A better solution...

        No, Visa Debit is nothing like Suica. Visa Debit is spending directly from your bank account, and will not stop until your bank says no. Suica is topped up and, once empty, stops. The difference? You can't go overdrawn with Suica...

        1. katrinab Silver badge

          Re: A better solution...

          You can have a separate bank account with a small balance in it.

          1. Ken Moorhouse Silver badge

            Re: a separate bank account with a small balance in it

            With a nil-overdraft limit on it.

            ===

            Question (as I never use contactless*, never mind Apple, etc. Pay): Doesn't the Credit Card Statement have an indicator showing transactions that have been made via non-PIN means? If so, the Bank should have validation procedures in place to reject transactions over the maximum that have the flag set. ISTR this was on the list of Contactless safeguards when the Banks were trying to persuade people to use the facility.

            * For reasons that this incident makes obvious.

    2. tip pc Silver badge

      Re: A better solution...

      With Express Pay, an iPhone that has shut down due to low battery can still be used for paying for travel.

      https://support.apple.com/en-gb/guide/security/sec90cd29d1f/web

    3. Ken Moorhouse Silver badge

      Re: the global adoption of a Suica style pre-pay card

      TfL already have one... The Oyster Card.

      They can't possibly phase that out as concessionary travel in the TfL Zone area depends on it. Can they? Oh dear.

      1. bazza Silver badge

        Re: the global adoption of a Suica style pre-pay card

        I think that they have changed top up options, but have said there's no plan to get rid of it. I'm sure there are some nuances that suggest inconsistencies between the acts and statements...

        Oyster is not quite like Suica. Suica became a way of travelling and also a way of buying coffee, newspapers, etc in and around stations, and spread out from there. It filled a void in a society which, at the time, was very heavily cash oriented. There was a similar but separate scheme in Osaka, now merged.

        Whereas Oyster AFAIK is only for travel.

        Suica got built into Japanese mobile phones a long time ago. When The West was developing NFC for phones, etc, it was basically replicating the work already done by the Japanese and Suica. And we screwed it up; early NFC in the west was far too slow for things like ticket gates (something Oyster got very right). And flat battery iPhones being unusable for payment means we're still screwing it up; Suica phones never had that problem.

      2. katrinab Silver badge

        Re: the global adoption of a Suica style pre-pay card

        You can set up a contactless account. And there is no technical reason why TfL couldn't add your concessionary travel rights to that account, and bill you less or nothing at all if you use a card linked to that account. It would take a lot of work obviously, but it isn't an impossible task.

  2. Winkypop Silver badge

    Colour me old fashioned

    Relying only on one’s phone seems like a major and single point of failure.

    1. DS999 Silver badge

      Re: Colour me old fashioned

      People must CHOOSE to rely only on their phone. Unless you choose to bring no cash and no cards with you, you will have alternatives.

      Even if you are willing to accept the possibility you are moneyless if your phone is lost or broken that's really only a feasible choice if you know exactly where you're going, i.e. when I go to the grocery store I don't bother to grab my wallet because I know they take Apple Pay. You can't rely on that in general, and probably won't be able to for many years.

      1. alain williams Silver badge

        Re: Colour me old fashioned

        "if your phone is lost or broken"

        or run out of battery - as happened to one unfortunate who then received a fine when unable to prove to a ticket inspector that he had paid for the train journey.

        1. Dr Paul Taylor

          Re: Colour me old fashioned

          Yes, I saw exactly this happen. Moreover, the ticket inspector refused to identify herself, with the excuse that she had left her staff id card at home that day.

          1. Irongut

            Re: Colour me old fashioned

            Could she not remember her name without her ID card?

            1. Anonymous Coward

              Re: Colour me old fashioned

              Probably not - the procedure for remembering her name was written on the back of the staff card ;-)

              1. Ian Johnston Silver badge

                Re: Colour me old fashioned

                A lot of ticket inspectors use false names, presumably with the agreement of their companies. I have encountered "Simon de Montfort", for example.

                The trick is to ask them for the "headcode" of the train, the digit-letter-digit-digit code which identifies the service and, therefore, them. If they are not behaving properly they HATE being asked that, not least because it sounds as if you know what you're talking about.

                When a Virgin trains train manager refused to give me his name or the headcode - some years ago - I ended up with a fulsome apology and two first class return tickets to anywhere.

          2. This post has been deleted by its author

          3. JimboSmith Silver badge

            Re: Colour me old fashioned

            "Yes, I saw exactly this happen. Moreover, the ticket inspector refused to identify herself, with the excuse that she had left her staff id card at home that day."

            This happened to me on a bus where I was sitting at the front of the upper deck. A lady of more senior years than myself ascended the stairs. She was dressed in jeans with a hideous pink sweater just visible underneath her coat. She asked to see my ticket or pass, which I refused point blank to show her. She was unhappy with this and asked if I was refusing, to which I said "Yes". She asked for my name/address and I told her she wasn't getting those either.

            "So to confirm you're refusing to show me your travel documents or give me your identity is that correct?"

            "Yes!"

            She then yelled "George" and a bloke came up the stairs.

            "He's refusing to show me his pass or give me his identity."

            I said to the bloke "That's absolutely correct but would you like to see my pass?"

            She started to say something and I cut her off.

            "You see you're wearing your ID visibly on your jacket whereas this lady has shown me nothing like that and I've no idea who she is. I don't just show my pass to anyone!"

            George looks at her and says "He's right, you're supposed to have your ID out otherwise he doesn't have to show you anything."

            Her response was rather terse and bitchy saying that she didn't do this for fun in case I wasn't aware. She then got her ID out and put it

            If you're not aware you can find out train headcode details on sites like realtimetrains.co.uk

        2. hoola Silver badge

          Re: Colour me old fashioned

          As it should be, the terms & conditions on my daughter's rail card and season ticket are that you have to have a working, charged mobile phone if you use the e-ticket so that it can be inspected.

          I see no problem with that. Okay, so there are the arguments that you have unexpectedly run out or it has failed/crashed, but it does not change the T&Cs for travelling.

          If I lose my paper ticket then I am sunk. The same if I forget a paper season ticket. If I have a paper ticket that is supported with a digital travel card, then I have to have the digital card available.

        3. Rob Telford

          Re: Colour me old fashioned

          However, one of the benefits of Apple's Express Transit scheme (which is the feature under attack here) is that you can continue to use it to prove you have paid for your bus or tube fare for five hours after your phone battery has died.

          https://support.apple.com/en-gb/guide/security/sec90cd29d1f/web

          Of course, if you bought mainline railway tickets through The Trainline or some such, they won't benefit from this.

        4. Muscleguy Silver badge

          Re: Colour me old fashioned

          I have my prepaid bus tickets on my phone; it's cheaper and faster boarding. My old phone's battery was very unreliable so I bought a little charging brick which lives in my bag. I've kept it with my new phone, with its therefore-new battery. Used it once. I can charge my phone at work if it's running low, but it's my backup. The brick was something like £15, not a lot. The cable can be used to charge both the phone and the brick by reversing it.

          Well worth having when facing that situation. Mind you drivers here in Dundee will let you on while you charge your phone, paying next time it stops. Can’t see that happening in London.

          The ticket app puts a hash square up when presenting it for travel, which is read by the reader on the bus, which also reads paper tickets. You can pay with a debit/credit card too, though that is dearer than using the app. A day ticket, for example, costs £3.80 bought with cash or card, but I only pay £3.60. I save something like £10 on my monthly pass by doing it on the phone. Not to be sniffed at.

  3. Ace2 Bronze badge

    Looks like this can be disabled

    Settings -> Wallet & Apple Pay -> Express Transit Card -> None

    Never used it though, I’ve no idea if you can still pay at a transit terminal without it.

    1. katrinab Silver badge

      Re: Looks like this can be disabled

      Yes you can, but you have to use face-id or touch-id as appropriate to make the payment. Just like people did before Express Transit was introduced as a feature, or like you have to do everywhere else that isn't a transit payment terminal, or indeed at a ticket office or ticket machine.

      If you have a touch ID phone, this is absolutely not a problem. Just set your default card as the one you want to use, and rest your finger on the touch ID sensor as you bring it towards the reader. Face ID is a bit more of a pain though.

      1. Neil Barnes Silver badge

        Re: Looks like this can be disabled

        I reckon the best face recognition on this type of thing involves faces of HM The Queen or Ben Franklin. Though in the EU we have buildings instead...

        /me does nothing with money on a phone.

      2. Robert Helpmann??

        Re: Looks like this can be disabled

        Sounds like a "feature" just like a lot of other bugs are features. Also, making life easier is typically at odds with making life secure. This is just another instance where this is true.

  4. Headley_Grange Silver badge

    No Problem

    Visa and Apple were more forthcoming to another paper. Visa basically said it would be impractical to do this in the real world. Apple said that it was Visa's problem.

    Apple made their position clear by stating “In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.” Call me a cynic, but I bet that when you need it, this zero-liability policy is worth as much as its name.

    1. BrownishMonstr

      Re: No Problem

      Last year I rang Halifax and told them someone had taken hundreds of pounds from my account while I had my card right with me, and I got a refund for each payment. I suspect that would be Visa's zero-liability policy, as opposed to my bank.

    2. John Robson Silver badge

      Re: No Problem

      I always assumed that zero liability was for visa, not customers.

    3. OldSoCalCoder

      Re: No Problem

      Zero liability just means a continuation of high fees to the merchant that takes Visa credit cards. Nothing's free. Unless you're a carder, where it appears crime does pay.

    4. Dave314159ggggdffsdds Silver badge

      Re: No Problem

      Don't be daft. Visa don't pay out to merchants until they're sure the transactions are legit. It's no skin off their nose to reverse them before it happens.

      1. Ken Moorhouse Silver badge

        Re: Visa don't pay out to merchants until they're sure the transactions are legit

        Chargebacks can be made long after the event (months). A couple of my clients have been badly stung by this to the tune of thousands of pounds.

  5. Anonymous Coward

    Need a stolen powered on iphone

    How many iphone thefts are done by people with the skillset to set up MITM attacks...

    Oh and have Apple Pay enabled

    Oh and haven't de-activated their associated bank card as soon as their phone is stolen

    Another theoretical vulnerability makes it into the zeitgeist...

    1. katrinab Silver badge

      Re: Need a stolen powered on iphone

      1. Probably enough people. They could buy a kit from some place to do it.

      2. Quite a lot of people

      3. Also quite a lot of people, as it takes time after the theft to do these things, probably in the order of a few hours minimum.

    2. heyrick Silver badge

      Re: Need a stolen powered on iphone

      "Another theoretical vulnerability makes it into the zeitgeist..."

      Ah, but there's money to be made here. So expect iBling thefts to rise, and the bad guys to have "a device" that makes this thieving possible. They don't have to understand how it works, only how to use it. So...

    3. Anonymous Coward

      Re: How many iphone thefts are done by people with the skillset to set up MITM attacks...

      How many iPhone thieves know someone who knows how to crack phones?

      How many commuters are lazy enough to enable a feature like this to save them having to touch their phones?

      How many commenters are too lazy to read to the bit where it says they could use this technique against phones that hadn't been stolen?

      There's no rush for you to share your wisdom, how about you think it through next time?

      1. John Brown (no body) Silver badge

        Re: How many iphone thefts are done by people with the skillset to set up MITM attacks...

        "How many iPhone thieves know someone who knows how to crack phones?"

        Very few, obviously. But then, how many car thieves knew someone who could build a remote replay attack device. But they did know someone who could sell them one and show them how to use it.

        Once a vuln is found and someone makes a device to make use of it, you can be sure someone will be building and selling the devices. That can be very lucrative and relatively safe. Just building and selling the devices might even be legal in some circumstances.

    4. OldSoCalCoder

      Re: Need a stolen powered on iphone

      How long is it going to take to de-activate your card if the thing that lets you know there's fraud happening has been stolen? I.e., they've stolen your phone. Now go home, log in to your bank - oh, wait, no one needs home computers anymore, do they? Everything can be done on your phone, can't it? Where's that banking app that lets me cancel my card? Ah, on my stolen phone.

      1. Anonymous Coward

        Re: Need a stolen powered on iphone

        Indeed, since PSD2 I can't even log on to my bank's website from my laptop without confirmation on my phone, which pretty much encouraged me to do day-to-day transfers on my phone, against my wish.

        Then when I upgraded to a new phone, I found one bank would let me use the old phone to activate the new phone (but still no good if the old phone was stolen), and the other bank required me to scan a piece of paper with a master code graphic on it. Since this paper gives anyone with it the power, I had shredded it after using it about 3 years earlier, in case anyone broke into the house. I had to request a new code to be delivered by post, plus admin time, thus I was without banking of any kind for a week.

        All in all not very secure if someone else has got your phone and possibly wallet too.

        1. Muscleguy Silver badge

          Re: Need a stolen powered on iphone

          My UK bank only requires a confirmation code when making payments to new recipients. So I can pay my CC, for example, without needing it.

          My NZ bank texts me a code simply to log into it. Mind you, when I was last in NZ with an expired debit card, I went into a branch near Auckland airport, presented my passport, and was issued with a card there and then; they have card impress machines and 20 min later it was active. It was a nice day so I sat on a bench in the sun.

      2. hoola Silver badge

        Re: Need a stolen powered on iphone

        And that is the interesting point as there is more reliance on a single device.

        The authorisation text, the app to cancel things, the MFA app, all on the same phone (regardless of type).

        The issue is that so many of the younger generations just accept that the phone has become the do it all utility that can provide any service you need.

        The security is a minor consideration over convenience.

        1. Anonymous Coward

          Re: all on the same phone

          ... well, there's a reason the acronym is MFA ... i.e. "Mobile Fone Authentication" :-/

      3. Anonymous Coward

        Re: Need a stolen powered on iphone

        @OldSoCalCoder

        You use a phone box. Also known as, if you live around my way, a bog with a telephone in it.

        But you are forgetting something. It's going to take quite some time to get into the thing. If at all.

        Is it a thing where people rely entirely on their phone and don't have a computer?

        But, having said all that, I don't know anyone who doesn't carry another telephone with them, just for such an emergency. And NO, if a thief steals your phone, they are not going to hang around and search you just on the off chance that you may have another one with you.

        But you knew all this already didn't you...

        1. John Brown (no body) Silver badge

          Re: Need a stolen powered on iphone

          "But, having said all that, I don't know anyone who doesn't carry another telephone with them, just for such an emergency. And NO, if a thief steals your phone, they are not going to hang around and search you just on the off chance that you may have another one with you."

          Did you just contradict yourself? Everyone you know has two phones. No thief knows that everyone has two phones.

          Having said that, most crims use more than one phone. They (or Hollywood) like to use the term "burner phone".

  6. Anonymous Coward

    ---How many iphone thefts are done by people with the skillset to set up MITM attacks...

    You don't seem to be aware that hacking "How-To"s are sold for peanuts on the Dark Web

    ---Oh and have Apple Pay enabled

    227 million Apple Pay users worldwide according to DMR Business Statistics

    ---Oh and haven't de-activated their associated bank card as soon as their phone is stolen

    This isn't a stolen phone scenario - more like using Apple Pay with a compromised card reader at a restaurant.

    The Zeitgeist lesson here is that once again Apple has shown it has zero interest in fixing vulnerabilities in its hardware and OS, even at the potential significant cost to its loyal customers. Joined in shame by Visa.

    1. Anonymous Coward

      Given it does not impact Amex and Mastercard but is instead only Visa is this an Apple vulnerability? Sounds like it is a Visa one. Could Apple mitigate at all? Yes, cap express transit transactions in value and even number. i.e. similar to normal contactless cards that have no auth mechanism.

      1. John Brown (no body) Silver badge

        As per the article, it's a partial vulnerability on Apple's part, but the vuln only affects Visa transactions because it's also a partial Visa vuln. Neither alone would be an issue, but when put together in the same device, they become one which can be attacked successfully.

  7. Nick Pettefar

    I didn't know that Apple made Android phones!

    "The protocol is meant to protect against attackers using unmodified devices, and Visa believes that rooting an Android smartphone is a difficult process, which requires high technical expertise."

    1. Anonymous Coward

      RTFA

      You didn't read the article. That portion is talking about a separate Visa vulnerability.

      "The academics also developed a separate attack against the Visa-L1 protocol, intended as a defense against relay schemes of this sort."

      Keyword: also

      1. Anonymous Coward Silver badge

        Re: RTFA

        They also used a rooted Android phone as the card reader.

  8. Duffaboy

    Neither Apple nor Visa responded to requests for comment

    Sums it all up in that sentence alone.

    1. Anonymous Coward

      Re: Neither Apple nor Visa responded to requests for comment

      Well, 50% of the potential respondents won't respond to El Reg requests for comment prior to the heat death of the universe anyway. Not sure what Visa's take on it is...

  9. Eclectic Man Silver badge

    Hard Currency

    > “Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely," said Radu.

    Not entirely a surprise. If either Apple or Visa admitted liability, they would then be on the hook for compensating those out of pocket. The next port of call is to blame those who defined the protocol standards.

    Maybe money will start making a comeback. After all, in the HHGTTG, Roosta only accepted 'hard currency': "If you can't scratch glass with it, I won't accept it."

    1. Anonymous Coward

      Re: If either Apple or Visa admitted liability, ...

      They don't have to admit liability for them to decide to just adjust their systems to make it harder. They could say they do it not because it's their fault, but "just to be a good corporate citizen" (or at least a less crappy one)

  10. Loyal Commenter Silver badge

    How long before

    We start seeing crims rooting cheap burner android handsets, setting them up to do this, and taping them underneath / to the sides of gates in tube stations, or indeed anywhere else where someone has to squeeze through a small gap and their phone might come into range.

    If there's money to be made, don't underestimate the ingenuity of criminals.

    1. Steve Graham

      Re: How long before

      I have an "educational" card skimming app on my Android phone (a Nokia 5). It only works if the card is physically touching the back of the phone, so the device would be useless for nefarious purposes. Maybe other phones have better hardware.

      1. Loyal Commenter Silver badge

        Re: How long before

        I suspect it wouldn't be difficult to take the back off a cheap android phone with a plastic case, and solder in a high gain antenna of some sort if you know what you're doing. It would only take one hardware hacker to work out how to do this and post it up and the technique is in the wild.

  11. philmcc

    Turn it off

    Settings, Wallet and Apple Pay, Express Travel Card, None

    1. Jan 0

      Re: Turn it off

      To be exact, you need a tick by the "None".
