Apple and Google (and especially Visa) last week gave us another example of how security and convenience often conflict with each other. And they seem to have opted for convenience.
The latest findings affect only a subset of iPhone and Android users, particularly those who use their phones for mass transit payments. If you think about how subways work in a big city (I’ll use New York City as an example), they require extreme speed. Using facial recognition or entering a PIN just before paying to get on the subway would dramatically slow down the line.
Instead of allowing authentication ahead of time – say, within five minutes of a transaction – or speeding the process up to a split second, Apple, Google, and Visa have apparently chosen to forgo any meaningful authentication. (Note: I’m focusing on Visa because the hole still exists. MasterCard and others have already fixed the flaw.)
Security researchers at Positive Technologies tested the phones and found the problem.
“The flaws allow attackers to make unlimited purchases using stolen smartphones with enabled express transit schemes that do not require the device to be unlocked to make a payment,” Positive said in a statement. “Until June 2021, purchases could be made at any PoS terminal, not just in public transport. On iPhone, payments can be made even if the phone’s battery is low. Prior to 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, Face ID or PIN code. But today it has become possible using public transport systems or Apple’s Express Transit mode.”
Timur Yunosov, a Positive Technologies researcher, said in an interview that the risk still exists, but varies based on the combination of payment card brand (Visa, MasterCard, American Express, etc.) and device type.
“If you use a Visa card on Apple Pay, anyone could take your phone, even without a charge, go to a luxury store and buy something with your phone. Before June 2021, the same could have happened with the Samsung Pay / MasterCard pair,” said Yunosov, who spoke last week at Black Hat Europe. “But at some point, they quietly solved the problem. Google Pay is more at risk. If NFC is enabled, someone could even clone your MasterCard card in a short period of time and use it later to purchase goods. Even after all the changes made by MasterCard, there is still a possibility of fraud against lost mobile wallets (Apple, Samsung, Visa, MasterCard, AMEX), although it requires special equipment, such as a modified POS or direct access to the transaction flow.”
Since these are stolen devices, this raises a difficult IT question. For many companies, the standard IT protocol when a device is labeled “probably stolen” is to remotely wipe it, theoretically removing any additional risk. But that may not work if the phone is not connected to the internet, is turned off, or has a low battery.
“If the phone is dead, you can still use it for identification. Then the information would not be deleted from the device. It also depends on whether the deletion mechanisms include deleting records from security systems (such as a database of devices belonging to employees); if so, it would be safe,” Yunosov said. “Otherwise, it could put the entire system at risk. Until we see these systems being implemented in large corporations, this is all just speculation.”
There is some good news, at least temporarily and in theory. Other sensitive data on the phone shouldn’t be at risk. And if it is, a remote wipe should resolve the problem, assuming a suitable remote wipe connection can be established.
But, as Yunosov pointed out, this flaw could get much worse. Apple is preparing a number of new “value-added services,” such as ways to access secure buildings. For speed and convenience, Apple could use the same process already in place for transit payments. That would increase the universe of potential victims.
Another key question: What if a thief actually makes fraudulent purchases using the phone? Proving that the allegations are fraudulent could be tricky. “It would be extremely difficult to prove to your issuing bank that you didn’t pay for these things and that the phone wasn’t unlocked with your fingerprint or PIN,” Yunosov said.
Some victims could get lucky if there is a security camera showing the person making the purchase, or if the victim can prove they were somewhere else at the time of the theft.
It looks like Apple could take advantage of the Apple Watch here. What if your Apple Watch constantly tracked how far it is from the iPhone? What if, at a predetermined distance, the watch let the user disable the phone, temporarily or permanently? It is important to give the user the ability to disable it temporarily; this is where the difference between a lost phone and a stolen phone comes into play.
The watch could also tell the user exactly where the phone appears to be, or at least where it was when it was last detected. Such information would help the user determine if the phone is simply lost or if it has probably been stolen.
At the very least, Apple, Google and financial institutions need to remember that convenience shouldn’t come at the expense of security. Slowing down the subway line might be inconvenient, but dealing with fraud and theft is worse.
Copyright © 2021 IDG Communications, Inc.