Revealed: How to steal money from victims' contactless Apple Pay wallets Apple's digital wallet Apple Pay will pay whatever amount is demanded of it, without authorization, if configured for transit mode with a Visa card, and exposed to a hostile contactless reader. Boffins at the University of Birmingham and the University of Surrey in England have managed to find a way to remove the contactless …
With a nil-overdraft limit on it.
===
Question (as I never use contactless*, never mind Apple, etc. Pay): Doesn't the Credit Card Statement have an indicator showing transactions that have been made via non-PIN means? If so, the Bank should have validation procedures in place to reject transactions over the maximum that have the flag set. ISTR this was on the list of Contactless safeguards when the Banks were trying to persuade people to use the facility.
* For reasons that this incident makes obvious.
I think that they have changed top up options, but have said there's no plan to get rid of it. I'm sure there are some nuances that suggest inconsistencies between the acts and statements...
Oyster is not quite like Suica. Suica became a way of travelling and also a way of buying coffee, newspapers, etc in and around stations, and spread out from there. It filled a void in a society which, at the time, was very heavily cash oriented. There was a similar but separate scheme in Osaka, now merged.
Whereas Oyster AFAIK is only for travel.
Suica got built in to Japanese mobile phones a long time ago. When The West was developing NFC for phones, etc, it was basically replicating the work already done by the Japanese and Suica. And we screwed it up; early NFC in the west was far too slow for things like ticket gates (something Oyster got very right). And flat battery iPhones being unusable for payment means we're still screwing it up; Suica phones never had that problem.
You can set up a contactless account. And there is no technical reason why TfL couldn't add your concessionary travel rights to that account, and bill you less or nothing at all if you use a card linked to that account. It would take a lot of work obviously, but it isn't an impossible task.
People must CHOOSE to rely only on their phone. Unless you choose to bring no cash and no cards with you, you will have alternatives.
Even if you are willing to accept the possibility you are moneyless if your phone is lost or broken that's really only a feasible choice if you know exactly where you're going, i.e. when I go to the grocery store I don't bother to grab my wallet because I know they take Apple Pay. You can't rely on that in general, and probably won't be able to for many years.
A lot of ticket inspectors use false names, presumably with the agreement of their companies. I have encountered "Simon de Montfort", for example.
The trick is to ask them for the "headcode" of the train, the digit-letter-digit-digit code which identifies the service and, therefore, them. If they are not behaving properly they HATE being asked that, not least because it sounds as if you know what you're talking about.
When a Virgin trains train manager refused to give me his name or the headcode - some years ago - I ended up with a fulsome apology and two first class return tickets to anywhere.
This post has been deleted by its author
Yes, I saw exactly this happen. Moreover, the ticket inspector refused to identify herself, with the excuse that she had left her staff id card at home that day.
This happened to me on a bus where I was sitting at the front of the upper deck. A lady of more senior years than myself ascended the stairs. She was dressen in jeans with a hideous pink sweater just visible underneath her coat. She asked to see my ticket or pass which I refused point blank to show her. She was unhappy with this and asked if I was refusing to which I said "Yes". She asked for my name/address and I told her she wasn't getting those either.
"So to confirm you're refusing to show me your travel documents or give me your identity is that correct?"
"Yes!"
She then yelled "George" and a bloke came up the stairs.
"He's refusing to show me his pass or give me his identity."
I said to the bloke "That's absolutely correct but would you like to see my pass?"
She started to say something and I cut her off.
"You see you're wearing your ID visibly on your jacket whereas this lady has shown me nothing like that and I've no idea who she is. I don't just show my pass to anyone!"
"George looks at her and says "He's right, you're supposed to have your ID out otherwise he doesn't have to show you anything"
Her response was rather terse and bitchy saying that she didn't do this for fun in case I wasn't aware. She then got her ID out and put it
If you're not aware you can find out train headcode details on sites like realtimetrains.co.uk
As it should be, the terms & conditions on my daughter's rail card and season ticket are that you have to have a working, charged mobile phone if you use the e-ticket so that it can be inspected.
I see no problem with that. Okay so there are the arguments that you have unexpectedly run out or it has failed/crashed, it does not change the T&Cs for travelling.
If I lose my paper ticket then I am sunk. the same if I forget a paper season ticked. If I have a paper ticket that is supported with a digital travel card, then I have to have the digital card available.
However, one of the benefits of Apple's Express Transit scheme (which is the feature under attack here) is that you can continue to use it to prove you have paid for your bus or tube fare for five hours after your phone battery has died
https://support.apple.com/en-gb/guide/security/sec90cd29d1f/web
Of course, if you bought mainline railway tickets through The Trainline or some such, they won't benefit from this.
I have my, prepaid, bus tickets on my phone, it’s cheaper and faster boarding. My old phone’s battery was very unreliable so I bought a little charging brick which lives in my bag. I’ve kept it with my new phone with therefore new battery. Used it once. I can charge my phone at work if it’s running low but it’s my backup. The brick was something like £15, not a lot. Cable can be used to both charge the phone and the brick by reversing it.
Well worth having when facing that situation. Mind you drivers here in Dundee will let you on while you charge your phone, paying next time it stops. Can’t see that happening in London.
The ticket app puts a hash square up when presenting it for travel which is read by the reader on the bus which also reads paper tickets. You can pay with a debit/credit card too though that is dearer than using the app. Day ticket for eg costs £3.80 bought cash or card but I only pay £3.60. I save something like £10 on my monthly pass by doing it on the phone. No to be sniffed at.
Yes you can, but you have to use face-id or touch-id as appropriate to make the payment. Just like people did before Express Transit was introduced as a feature, or like you have to do everywhere else that isn't a transit payment terminal, or indeed at a ticket office or ticket machine.
If you have a touch ID phone, this is absolutely not a problem. Just set your default card as the one you want to use, and rest your finger on the touch ID sensor as you bring it towards the reader. Face ID is a bit more of a pain though.
Visa and Apple were more forthcoming to another paper. Visa basically said it would be impractical to do this in the real world. Apple said that it was Visa's problem.
Apple made their position clear by stating “In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.” Call me a cynic, but I bet that when you need it, this zero-liability policy is worth as much as its name.
How many iphone thefts are done by people with the skillset to set up MITM attacks...
Oh and have Apply pay enabled
Oh and haven't de-activated their associated bank card as soon as their phone is stolen
Another theoretical vulnerability makes it into the zeitgeist...
"Another theoretical vulnerability makes it into the zeitgeist..."
Ah, but there's money to be made here. So expect iBling thefts to rise, and the bad guys to have "a device" that makes this thieving possible. They don't have to understand how it works, only how to use it. So...
How many iPhone thieves know someone who knows how to crack phones?
How many commuters are lazy enough to enable a feature like this to save them having to touch their phones?
How many commenters are too lazy to read to the bit where it says they could use this technique against phones that hadn't been stolen?
There's no rush for you to share your wisdom, how about you think it through next time?
"How many iPhone thieves know someone who knows how to crack phones?"
Very few, obviously. But then, how many car thieves knew someone who could build a remote replay attack device. But they did know someone who could sell them one and show them how to use it.
Once a vuln is found and somone make s a device to make use of it, you can be sure someone will be building and selling the devices. That can be very lucrative and relatively safe. Just building and selling the devices might even be legal in some circumstances.
How long is it going to take to de-activate your card if the thing that lets you know there's fraud happening has been stolen? I.e., they've stolen your phone. Now go home, log in to your bank - oh, wait, no one needs home computers anymore, do they? Everything can be done on your phone, can't it? Where's that banking app that lets me cancel my card? Ah, on my stolen phone.
Indeed, since PSD2 I can't even log on to my bank's website from my laptop without confirmation on my phone, which pretty much encouraged me to do day-to-day transfers on my phone, against my wish.
Then when I upgraded to a new phone, I found one bank would let me use the old phone to activate the new phone (but still no good if the old phone was stolen), and the other bank required me to scan a piece of paper with a master code graphic on it. Since this paper gives anyone with it the power, I had shredded it after using it about 3 years earlier, in case anyone broke into the house. I had to request a new code to be delivered by post, plus admin time, thus I was without banking of any kind for a week.
All in all not very secure if someone else has got your phone and possibly wallet too.
My UK bank only requires a confirmation code when making payments to new recipients. So I can pay my CC for eg without needing it.
My NZ bank texts me a code to simply log into it. Mind you when I was last in NZ, debit card expired, I went into a branch near Auckland airport presented my passport, was issued with a card there and then, they have card impress machines and 20min later it was active. It was a nice day so I sat on a bench in the sun.
And that is the interesting point as there is more reliance on a single device.
The authorisation text, the app to cancel things, the MFA app, all on the same phone (regardless of type).
The issue is that so many of the younger generations just accept that the phone has become the do it all utility that can provide any service you need.
The security is a minor consideration over convenience.
@OldSoCalCoder
You use a phone box. Also known as, if you live around my way, a bog with a telephone in it.
But you are forgetting something. It's going to take quite some time to get into the thing. If at all.
Is it a thing where people rely entirely on their phone and don't have a computer?
But, having said all that, I don't know anyone who doesn't carry another telephone with them, just for such an emergency. And NO, if a thief steals your phone, they are not going to hang around and search you just on the off chance that you may have another one with you.
But you knew all this already didn't you...
"But, having said all that, I don't know anyone who doesn't carry another telephone with them, just for such an emergency. And NO, if a thief steals your phone, they are not going to hang around and search you just on the off chance that you may have another one with you."
Did you just contradict yourself? Everyone you know has two phones. No thief knows that everyone has two phones.
Having said that, most crims use more than one phone. They (or Hollywood) likes to use the term "burner phone"
---How many iphone thefts are done by people with the skillset to set up MITM attacks...
You don't seem to be aware that hacking "How-To"s are sold for peanuts on the Dark Web
---Oh and have Apply pay enabled
227 million Apple Pay users worldwide according to DMR Business Statistics
---Oh and haven't de-activated their associated bank card as soon as their phone is stolen
This isn't a stolen phone scenario - more like using Apple Pay with a compromised card reader at a restaurant.
The Zeitgeist lesson here is that once again Apple has shown it has zero interest in fixing vulnerabilities in its hardware and OS, even at the potential significant cost to it's loyal customers. Joined in shame by Visa.
Given it does not impact Amex and Mastercard but is instead only Visa is this an Apple vulnerability? Sounds like it is a Visa one. Could Apple mitigate at all? Yes, cap express transit transactions in value and even number. i.e. similar to normal contactless cards that have no auth mechanism.
> “Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely," said Radu.
Not entirely a surprise. If either Apple or Visa admitted liability, they would then be on the hook for compensating those out of pocket. The next port of call is to blame those who defined the protocol standards.
Maybe money will start making a comeback. After all, in the HHGTTG, Roosta only accepted 'hard currency': "If you can't scratch glass with it, I won't accept it."
We start seeing crims rooting cheap burner android handsets, setting them up to do this, and taping them underneath / to the sides of gates in tube stations, or indeed anywhere else where someone has to squeeze through a small gap and their phone might come into range..
If there's money to be made, don't underestimate the ingenuity of criminals
I suspect it wouldn't be difficult to take the back off a cheap android phone with a plastic case, and solder in a high gain antenna of some sort if you know what you're doing. It would only take one hardware hacker to work out how to do this and post it up and the technique is in the wild.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
