
Hackers Can Drain Bank Accounts Using Apple Pay Apps

Apple Pay is considered one of the most secure payment tools today. But that didn’t prevent hackers from finding a way to drain users’ bank accounts using the system.

According to UK researchers, fraudsters have discovered a security flaw in Apple Pay that allows them to make contactless payments from someone else’s iPhone.

Members of the group from the University of Birmingham and the University of Surrey published a paper describing how hackers exploit security flaws.

What is Apple Pay?

Apple Pay is Apple’s official payment service, integrated with the iPhone (iOS) and the company’s other devices.

The platform is compatible with credit and debit cards from many banking institutions worldwide, with the aim of making purchases easier.

Through the digital wallet application, it’s possible to make payments in stores, restaurants, and other establishments only with Touch ID or Face ID authentication, without needing your physical card.

In addition to using your iPhone or Apple Watch to make physical payments, Apple Pay is also compatible with numerous apps and websites, making things easier even for those using an iPad or Mac.

The Dangers of Using Tap and Pay Apps

But even with so many security measures, there are still risks, mainly because of the system’s popularity.

It is increasingly common to see people using Apple Pay for payment, from retail purchases to paying for public transport.

The reason for this popularity is simple: convenience.

Digital wallets mean people no longer have to leave the house with credit cards or cash. Instead, everything they need to make a purchase is already built into their mobile devices.

But this convenience is also its biggest weakness. Although it is one of the safest payment methods, fraudsters have exploited some shortcomings.

We’ll see more about that below.

How Did Hackers Drain Bank Accounts Using Apple Pay Apps?

According to the researchers, the hackers managed to drain Apple Pay users’ bank accounts thanks to the Express Transit feature.

Apple first introduced the tool in iOS 12.3; with it, users can quickly pay for public transport trips with a digital wallet app.

But Express Transit doesn’t need to validate those transactions with Face ID, Touch ID, or a password. And with that convenience came the security flaw.

Hackers Use Express Transit to Steal Money From Accounts

As the researchers explain, transport ticket readers, for example, transmit a non-standard sequence of bytes that can bypass the iPhone lock screen.

By mimicking a ticket reader, the researchers could trick Apple Pay into processing contactless payments — even if they only managed to do that with Visa cards.

The researchers used a reader to make fraudulent payments of any amount from a locked iPhone. They tested up to £1000.

In other words, it would be possible for hackers to use it in any other establishment and transfer the money directly to their accounts.

Likewise, the researchers warn that an attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth thousands of dollars without unlocking the phone.

But the attacks are more complicated than that. The researchers explain that specific signals need to be set.

Hackers must modify some bits to allow offline data authentication for online transactions used on readers that may have intermittent connectivity (e.g., transit system entries).

What do Apple and Visa Say About These Attacks?

These attacks are only possible because of security flaws in how the Apple and Visa systems interact. Both companies already recognize how serious the problem is. However, they still haven’t agreed on which one should fix the issue.

Apple said that this is a problem with the Visa system. Visa representatives, however, don’t believe this type of fraud occurs, because of the multiple layers of security that exist, and they say that Visa’s zero liability policy protects users in the event of an unauthorized payment.

Visa added that their cards connected to mobile wallets are secure – and cardholders should continue to use them as usual. Visa said they take all security threats seriously and constantly develop features to protect cardholders.

What To Do if a Hacker Stole Your Money Using Apple Pay

As much as Apple guarantees the security of those who use Apple Pay, there are proven flaws in the system that hackers can target to drain users’ bank accounts.

If you had money taken from your account, here’s what you can do:

  • Contact your bank account manager right away and explain what happened;
  • Contact your credit card issuer and ask them to block and deny any future transactions;
  • Report to the police with as much information as possible (take screenshots, save any phone messages and receipts);
  • Get back to your bank account manager with the police file report in your hands and open a dispute against any illegal transactions made in your name.

Note that the steps above can vary from case to case. For example, if your bank is fully digital, you must contact their support over the phone or by email.

In addition, you can call the bank or the card issuer and request the suspension of Apple Pay prepaid debit and credit cards. They will have to refund the amount that was improperly spent (as long as the evidence points out that you’ve been hacked).

Precautions to Prevent Hackers From Draining Your Accounts Using Apple Pay

Big tech companies like Apple take security very seriously. They even pay hackers to find bugs and security breaches.

But still, it’s possible to have your iPhone hacked by fraudsters. And that is why you must do everything you can to prevent that. For example:

  • Keep apps hidden inside password-protected folders;
  • Never store your passwords on the device;
  • Activate “Find iPhone” because if your device is lost, it can put Apple Pay in lost mode and cancel the cards immediately;
  • Turn on biometric authentication such as fingerprint or facial recognition to add an extra layer of protection;
  • Keep your iOS system constantly updated;
  • Use a password manager app.

In the case of the Apple Pay app, it does not store your payment data and uses built-in security features. In addition, you need to set a code on the device, which can be Face ID or Touch ID.

Many stores today are developing technology or even applications that use two-factor authentication.

Such features add extra security layers, as the user needs to provide another way of authentication other than the password.

Security at The Time of Purchase

Yes, iPhones and iOS are exceptionally secure – but not unhackable. They’ve had their fair share of security exploits in the past and suffered some pretty big safety breaches.

But since most services offer an iOS app, your iPhone is just another point of contact for everything from your bank account to your cloud storage.

So, if you do your best to implement better iOS protection (and overall, be smart and understand how fraud happens), your data and accounts will be more secure in case your phone gets hacked.
