Another Apple security issue, contactless payments while phone is locked.

[Gromett]

Don't think this one will affect too many people, medium level of entry for hackers to use and suspect only viable in big cities such as London.

Researchers find Apple Pay, Visa contactless hack

An attacker could bypass the iPhone lock screen and make large payments above the contactless limit.

www.bbc.co.uk

 

[Gromett]

Apple Pay's Visa flaw risks letting hackers drain money from iPhones

Researchers exploit 'Express Travel' mode, allowing them to take money from a locked iPhone

www.telegraph.co.uk

 

[Coolcats]

Don't think this one will affect too many people, medium level of entry for hackers to use and suspect only viable in big cities such as London.

Researchers find Apple Pay, Visa contactless hack

An attacker could bypass the iPhone lock screen and make large payments above the contactless limit.

www.bbc.co.uk

Non story really: “Visa said payments were secure and attacks of this type were impractical outside of a lab.”

Whilst your headline says Another Apple security issue Apple are pretty good at dealing with security as they become known. I suspect the same lab would find similar issues with other brands.

 

[Gromett]

Non story really: “Visa said payments were secure and attacks of this type were impractical outside of a lab.”

Whilst your headline says Another Apple security issue Apple are pretty good at dealing with security as they become known. I suspect the same lab would find similar issues with other brands.

That is what you would expect visa to say. Except they proved it outside of the lab.

The problem is a combination of Apple + VISA and neither is taking responsibility.

This is not a non story, it is real but as I said originally

Don't think this one will affect too many people

 

[Coolcats]

That is what you would expect visa to say. Except they proved it outside of the lab.

The problem is a combination of Apple + VISA and neither is taking responsibility.

This is not a non story, it is real but as I said originally

There’s probably more risk of having your wallet nicked your card clones and other fraud.

Theee will always be security issues on all types computers or servers and operating systems,

The only secure system is one that is not connected to the internet or have sensitive data on it.

So as I say it’s a non issue for the majority.

^{_{Subscribers  do not see these advertisements}}

 

[Coolcats]

That is what you would expect visa to say. Except they proved it outside of the lab.

The problem is a combination of Apple + VISA and neither is taking responsibility.

This is not a non story, it is real but as I said originally

Got a portable card payment machine ? Why not place it near peoples pockets and help yourself to small payments from their cards…..That could be viewed as another plastic card security issue. This is as much a non story as the apple /visa one and in a short while any security issue will unlike the plastic card be sorted.

 

[Gromett]

Theee will always be security issues on all types computers or servers and operating systems,

You do know what I do for a living don't you?

 

[Gromett]

Got a portable card payment machine ? Why not place it near peoples pockets and help yourself to small payments from their cards

Because that won't work with this bug. Read the articles I linked.

This bug allows £1,000's to be withdrawn in one hit. even from a locked phone.

 

[The Dotties]

Thanks for the heads up Gromett.
I don’t own an iPhone, neither do I take any of your posts esp. re security with a pinch of salt.
Keep up the good work young man

 

[Coolcats]

Because that won't work with this bug. Read the articles I linked.

This bug allows £1,000's to be withdrawn in one hit. even from a locked phone.

don’t worry the banks will cover as it’s a fraudulent transaction and certainly not rife. There is more chance of fraud via your plastic card it’s a non Storey. Wouldn’t be surprised if there isn’t a similar non story on Android

^{_{Subscribers  do not see these advertisements}}

 

[Coolcats]

You do know what I do for a living don't you?

I see you read the national newspapers to get your security news.

Seriously Gromett, you work freelance in IT as far as I can see and clearly have skills, you also dislike Apple and often promote the Apple security flaws as if its the end of the world, this is a storm in a tea cup and will be fixed, any fraudulent activity will be covered by the banks and whilst you say neither is taking responsibility why would they? any fraudulent activity will result in a claim by either side.

Given your background can you imagine for one moment that 'neither' party is taking responsibility means that the flaw, wherever it lays won't be fixed.

 

[Gromett]

I see you read the national newspapers to get your security news.

Not only. I use the least technical source possible for my links. If I post from say The Hacker News it may be too technical. Although on occasion I do have to post from sites such as ARS Technica, The Hacker News and Brian Krebs because they are the original source and mainstream media has not picked it up.

Seriously Gromett, you work freelance in IT as far as I can see and clearly have skills, you also dislike Apple and often promote the Apple security flaws as if its the end of the world, this is a storm in a tea cup and will be fixed, any fraudulent activity will be covered by the banks and whilst you say neither is taking responsibility why would they? any fraudulent activity will result in a claim by either side.

I post about all OS's Devices that have security flaws. You will see I have posted, Windows ones, Android ones as well as Apple.
I do not post every bug, only ones likely to affect a member on this forum.

I said another Apple flaw in my original post because I had only just posted another Apple one very recently.

You will notice looking on this forum section that I have posted about the Western Digital exploit (which affected a lot of people on here). I have posted Firefox and Chrome issues.

I only ever post about Zero Day exploits that are in the wild. Or about urgent patches that should be installed.

Seems to me you are maybe a big fan of Apple and are getting the hump at me for mentioning a potentially serious Apple flaw.
I don't seem to recall you getting protecting about Microsoft when I posted a string of their problems?

Given your background can you imagine for one moment that 'neither' party is taking responsibility means that the flaw, wherever it lays won't be fixed.

A very big part of my job is security, and I deal at the server and network level. I am also a programmer and have implemented payment systems so understand a little bit more on this subject than the average joe on the streets.

In this case neither party is taking responsibility. The discoverers of this flaw used the responsible disclosure method. This is where you notify the manufacturers and give them 90 days to fix the bug before disclosing it publicly.
This is a really responsible measure and ensure that these things get fixed. Neither VISA nor Apple have fixed this within the time limit, nor showing any intention of doing so.

Apple are notoriously bad for their Bug Disclosure/Reward program and do not follow industry standards.

You want me to slap Apple about on here, I am more than happy to on this basis because they seriously bad at this.

But no, I didn't I just brought to everyone's attention the potential that their Apple phone in some situations can be used to clear their bank accounts while locked.

 

[Gromett]

you also dislike Apple and often promote the Apple security flaws as if its the end of the world

I just got curious if I can be accused of being biased against Apple. In the last 2 years I can see 4 security bugs against Apple and in none of them have I been negative about the company.
I have posted many more than this about Microsoft in the last 6 months.

As you can see from this post, I simply post the relevant information and a link. I don't usually do much in the way of editorialising or giving my opinion about the company or product concerned.

Seriously look at this one.

If you are on an Apple Computer/Device beware of this security issue.

There is a bug in Safari that allows criminals to fake the URL in your address bar. Be careful until it is patched. Details Here. https://thehackernews.com/2020/10/browser-address-spoofing-vulnerability.html

www.motorhomefun.co.uk

I provide this service for my regularly contracted clients. I follow all the major security news sources as well as manufacturers and software houses security briefs. If one of my clients is running a specific bit of hardware or software they will get a message similar to this post.
They in addition get the offer of any mitigating actions required.

I am always extremely careful to keep personal views out of this to avoid bias in the actions the client chooses to take so as not to be blamed if things do not go to plan for them. I follow this principle on here as well when making my security posts.

 

[Coolcats]

Not only. I use the least technical source possible for my links. If I post from say The Hacker News it may be too technical. Although on occasion I do have to post from sites such as ARS Technica, The Hacker News and Brian Krebs because they are the original source and mainstream media has not picked it up.


I post about all OS's Devices that have security flaws. You will see I have posted, Windows ones, Android ones as well as Apple.
I do not post every bug, only ones likely to affect a member on this forum.

I said another Apple flaw in my original post because I had only just posted another Apple one very recently.

You will notice looking on this forum section that I have posted about the Western Digital exploit (which affected a lot of people on here). I have posted Firefox and Chrome issues.

I only ever post about Zero Day exploits that are in the wild. Or about urgent patches that should be installed.

Seems to me you are maybe a big fan of Apple and are getting the hump at me for mentioning a potentially serious Apple flaw.
I don't seem to recall you getting protecting about Microsoft when I posted a string of their problems?


A very big part of my job is security, and I deal at the server and network level. I am also a programmer and have implemented payment systems so understand a little bit more on this subject than the average joe on the streets.

In this case neither party is taking responsibility. The discoverers of this flaw used the responsible disclosure method. This is where you notify the manufacturers and give them 90 days to fix the bug before disclosing it publicly.
This is a really responsible measure and ensure that these things get fixed. Neither VISA nor Apple have fixed this within the time limit, nor showing any intention of doing so.

Apple are notoriously bad for their Bug Disclosure/Reward program and do not follow industry standards.

You want me to slap Apple about on here, I am more than happy to on this basis because they seriously bad at this.

But no, I didn't I just brought to everyone's attention the potential that their Apple phone in some situations can be used to clear their bank accounts while locked.

Context is everything Gromett

Its like shouting FIRE FIRE FIRE when in reality no one has yet struck the match....

Apple told the BBC the matter was an issue with the Visa system.

"We take any threat to users' security very seriously," said Apple. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

The researchers said the attack might be easiest to deploy against a stolen ‌iPhone‌, although there's no evidence that the hack has been used in the wild. Visa said payments were secure and attacks of this type were impractical outside of a lab.

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," said a Visa spokesperson. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed. The researchers also tested Express Transit with Mastercard but found that the way its security works prevented the attack.

"It has some technical complexity," said Dr Andreea Radu, of the University of Birmingham, who led the research. "But I feel the rewards from doing the attack are quite high. In a few years these might become a real issue."

There is a greater risk of money being taken by your plastic card

 

[ctc]

I had several hundred stolen using my credit card details, I mentioned this in a phone shop while getting an upgrade. The young assistant demonstrated very quickly how easy it is to obtain card details and showed me on her iPhone the simplicity of the whole process. Very easy when you know how.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

Context is everything Gromett

Its like shouting FIRE FIRE FIRE when in reality no one has yet struck the match....

I am sorry but I disagree. This is a vulnerability that only affects Apple devices. It does not affect Android for example. Hence the title is appropriate.

You will have to trust me on this. Once a vulnerability is made public it gets exploited extremely quickly. With lots of eyes on it now, there will be improvements and simplifications made making it more trivial to exploit.

To use your analogy, the match was struck as soon as this vulnerability was made public. It is now only a matter of time before things start to burn unless Apple steps up.

I have seen this chain of events happen time and time again over the decades I have been dealing with security. I have been dealing with this stuff since 1998 when I set up an internet hosting company and started being the subject of 1,000's of hack attempts per day.

Apple told the BBC the matter was an issue with the Visa system.

And yet Android devices are not affected by it. It is a problem with the interaction between apple devices and VISA. It is one that either or both of them should fix. As the public side of this is Apple, it is Apple that should take the lead on this to protect their customers.

I stand by my post. It is better to be aware of the risk and not be affected than to suddenly discover your empty bank account and not know how it happened.

 

[Coolcats]

I am sorry but I disagree. This is a vulnerability that only affects Apple devices. It does not affect Android for example. Hence the title is appropriate.

You will have to trust me on this. Once a vulnerability is made public it gets exploited extremely quickly. With lots of eyes on it now, there will be improvements and simplifications made making it more trivial to exploit.

To use your analogy, the match was struck as soon as this vulnerability was made public. It is now only a matter of time before things start to burn unless Apple steps up.

I have seen this chain of events happen time and time again over the decades I have been dealing with security. I have been dealing with this stuff since 1998 when I set up an internet hosting company and started being the subject of 1,000's of hack attempts per day.


And yet Android devices are not affected by it. It is a problem with the interaction between apple devices and VISA. It is one that either or both of them should fix. As the public side of this is Apple, it is Apple that should take the lead on this to protect their customers.

I stand by my post. It is better to be aware of the risk and not be affected than to suddenly discover your empty bank account and not know how it happened.

That’s fine Gromett, but currently the issue is a tiny one and has not yet happened in the real world and if it does Visa will give you your money back.

Apple is notorious for not explain to People what they ar doing or working in if it’s an IPhone issue it will get fixed if it’s a Visa one the same applies.

It is also interesting it seems it’s only Visa that is affected that seems to be the issue.

One lesson don’t keep all your money in a current account and use credit rather than a debit card

 

[Gromett]

That’s fine Gromett, but currently the issue is a tiny one and has not yet happened in the real world and if it does Visa will give you your money back.

Not a tiny problem. It could potentially affect millions of people around the world. Today is the last day of the month, you get paid and your bank balance gets zeroed.
How long will it take VISA to give you your money back? Quick enough so you can buy food this week? Quick enough so your mortage payment gets paid? Quick enough that you don't rack up charges to suppliers for late payment etc?
Oh and it is not Visa who deals with the refunds it would be your card issuer.

Apple is notorious for not explain to People what they ar doing or working in if it’s an IPhone issue it will get fixed if it’s a Visa one the same applies.

Apple are notorious for not taking security issues seriously until they are forced to. They are notorious for not being customer facing when problems happen.

It is also interesting it seems it’s only Visa that is affected that seems to be the issue.

I have said multiple times not. It is a problem with Apple AND VISA. It is quicker for Apple to fix this.

One lesson don’t keep all your money in a current account and use credit rather than a debit card

DOH!!! and not relevant to this issue. Lots of people don't have savings and live week to week.

 

[kevenh]

I do like Apple’s smartphones and posted the same news when a search missed Gromett’s post. Mine is here
Hope that helps restore neutrality

 

[Coolcats]

Because that won't work with this bug. Read the articles I linked.

This bug allows £1,000's to be withdrawn in one hit. even from a locked phone.

What I was highlighting Gromett is the potential for Card debits to be made and like the issue with Visa it’s contactless, it doesn’t matter if it £1 or £1,000 it’s a risk and it’s fraud. And whilst it may be possible to do just like the visa issue it’s unlikely.

^{_{Subscribers  do not see these advertisements}}

 

[Coolcats]

I have seen this chain of events happen time and time again over the decades I have been dealing with security. I have been dealing with this stuff since 1998 when I set up an internet hosting company and started being the subject of 1,000's of hack attempts per day.

Im sure others here have been involved with security too (it could well be I have had involvement with security and technology as well), it will get resolved and whilst the event has not happened in the real world there isn’t much to panic about. Also without inside knowledge youI/I/we have no idea of the exact technical issue involved. If it’s an Apple flaw it will be resolved if it’s a Visa one same thing. But nothing bad has happens yet, and if it does, we’ll the visa account owner has nothing to worry about.

 

[Gromett]

Im sure others here have been involved with security too (it could well be I have had involvement with security and technology as well), it will get resolved and whilst the event has not happened in the real world there isn’t much to panic about. Also without inside knowledge youI/I/we have no idea of the exact technical issue involved. If it’s an Apple flaw it will be resolved if it’s a Visa one same thing. But nothing bad has happens yet, and if it does, we’ll the visa account owner has nothing to worry about.

I am not going to stop posting just because you as an Apple fan don't like the news.

I will continue to post software and hardware issues that have a direct security risk to owners of these devices/computers. The simple fix in this case is NOT to trust Apple and simply disable this feature. That removes all risk and any inconvenience when this eventually gets hit with real world attacks.

I don't trust your risk evaluation of this. and I will continue to post these warnings.

 

[Coolcats]

Not a tiny problem. It could potentially affect millions of people around the world. Today is the last day of the month, you get paid and your bank balance gets zeroed.
How long will it take VISA to give you your money back? Quick enough so you can buy food this week? Quick enough so your mortage payment gets paid? Quick enough that you don't rack up charges to suppliers for late payment etc?
Oh and it is not Visa who deals with the refunds it would be your card issuer.

Its Tiny as it hasn't happened in the real world...yet. I never said it was not going to be inconvenient but he same happens with any financial fraud

Apple are notorious for not taking security issues seriously until they are forced to. They are notorious for not being customer facing when problems happen.

Do we have evidence of this? Apple tend to say nothing then a fix appears ....sometimes after a long period, sometimes quite quickly

I have said multiple times not. It is a problem with Apple AND VISA. It is quicker for Apple to fix this.

How do you know its easier for Apple to fix this ? would the fix on an Apple device affect other Card types? without knowing the technical details its impossible to say where the issue is, maybe its the interface that Visa wrote the code to

DOH!!! and not relevant to this issue. Lots of people don't have savings and live week to week.

OK let me re-phrase do not keep all your money in a current account have it paid into a separate savings account and 'feed' the current account as and when the money is needed.

 

[kevenh]

Bottom line, knowing about the potential of this hack for future miscreants is useful.
Tnx for those that highighted the vulnerability