Current example: Apple Pay “Express Transit” function

In IT, convenience and security are often in the same tension as freedom and security: one comes at the expense of the other. A current example is the Apple Pay “Express Transit” feature: small amounts can be paid conveniently despite the lock code. According to recent reports, however, this can be exploited with serious consequences. Paul Ducklin, security expert at Sophos, explains the problem.

A yet-to-be-published paper by researchers in the United Kingdom made headlines in late September for its dramatic claims about Apple Pay: that an apparent vulnerability allows money to be stolen from a locked iPhone when a Visa card is set up with Apple Pay Express Transit.

Never heard of Express Transit? It's one of those clever ideas that sacrifices cybersecurity for convenience.

Simply put, this feature allows you to perform some types of tap-to-pay transactions even when your phone is locked, as long as Express Transit is enabled.

The principle of digital payment without special approval

With Express Transit, Apple Pay and the iPhone work a bit like a regular credit card that doesn't need to be unlocked with a PIN code for low-value transactions. In most European countries this limit is between 25 and 50 euros.

Paying with Express Transit on a smartphone is similarly easy. When a transaction is requested, a single tap on the locked smartphone is all it takes, and the money is sent to the recipient. That one last tap can easily happen unintentionally if the user quickly “taps away” something because their attention is elsewhere, or if a stranger triggers it unnoticed, for example in a cafe or on a crowded train. Unlike a credit card, which you usually keep in your wallet and only take out when a payment is actually due at the terminal, the phone is much more often out and visibly present, for example lying on a table.

To prevent the smartphone from being misused, we usually lock it with a PIN code or an alternative authentication mechanism such as fingerprint or facial recognition. Unfortunately, users keep enabling functions on the lock screen, which erodes the very security the lock screen is meant to provide in the first place, whether that means showing notifications and personal messages while the phone is locked or turning on the Apple Pay Express Transit feature.

The researchers behind the yet-to-be-published work now claim that, under carefully prepared conditions, they were able to trick iPhones into making fraudulent payments. They set up their own payment terminal and disguised it as one belonging to a public transport operator participating in the Express Transit payment system.

Apparently the theft only worked with Visa card accounts (presumably other payment providers were stricter when deciding whether payment terminal X really belonged to company Y), and, worse still, the payments were not capped at the usual limit of around 50 euros. The researchers claim that with their fraudulent payment terminal they were able to make transactions of more than 1000 euros.

What should I do?

Despite this dramatic result, iPhone owners don't need to panic, but the report is a reason to reconsider how they use their own smartphones. Users should think carefully about which exceptions they allow on a locked phone. Is it really a burden to have to enter the lock code for every action? If your answer is yes, you have to live with the risks. For everyone else, who feels safer with an unlock step, here are a few tips:

  • Turn off Express Transit and any other features that are active on the lock screen. These options inevitably sacrifice security for convenience.
  • Express Transit in combination with a Visa card should be avoided for the time being. To be fair to Visa, we assume that with enough effort similar bypasses could be found for other payment providers. If you are really worried but can't live without Express Transit, set it up with a prepaid debit card holding a moderate balance. At least then a thief can only take that balance, not the full credit limit of a credit card.
  • Never leave the phone unattended, and only take it out when you are actually using it. Otherwise keep it in your hand or in your pocket.
  • Use the strongest lock code you can and the shortest auto-lock interval. A locked phone is a minor inconvenience for you but a major hurdle for thieves, even tech-savvy ones. An unlocked phone, on the other hand, is an open target for anyone, even simple opportunistic criminals.
  • Check bank and payment card statements regularly. If you use Express Transit for regular, predictable payments, for example on public transport, unusual charges stand out quickly.
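The last tip can be automated: the check below, an added example that is not from the article or from Sophos, screens a constructed card statement for charges at a transit merchant that exceed the no-PIN contactless limit or are far above the rider's usual fare. The 50 EUR limit, the statement format and the merchant names are assumptions for the example.

```python
# Added example: flag Express Transit charges that do not fit the "small, predictable fare" pattern.
from dataclasses import dataclass
from statistics import median

# Assumed no-PIN contactless limit (the article cites 25-50 EUR in most European countries).
CONTACTLESS_LIMIT_EUR = 50.0

@dataclass
class Txn:
    date: str
    merchant: str
    amount_eur: float

def parse_statement(text: str) -> list:
    """Parse constructed 'date;merchant;amount' lines into transactions."""
    txns = []
    for line in text.strip().splitlines():
        date, merchant, amount = (f.strip() for f in line.split(";"))
        txns.append(Txn(date, merchant, float(amount)))
    return txns

def flag_transit_anomalies(txns, transit_merchants, limit=CONTACTLESS_LIMIT_EUR, factor=3.0):
    """Return (txn, reason) for transit charges above the no-PIN limit or above median fare * factor."""
    transit = [t for t in txns if t.merchant in transit_merchants]
    if not transit:
        return []
    usual = median(t.amount_eur for t in transit)  # rider's typical fare
    flagged = []
    for t in transit:
        reasons = []
        if t.amount_eur > limit:
            reasons.append(f"above no-PIN limit {limit:.2f} EUR")
        if t.amount_eur > usual * factor:
            reasons.append(f"{t.amount_eur / usual:.1f}x the usual fare")
        if reasons:
            flagged.append((t, "; ".join(reasons)))
    return flagged

# Constructed statement: ordinary fares plus one oversized charge like those in the report.
SAMPLE_STATEMENT = """
2021-09-20; CITY TRANSIT; 2.90
2021-09-21; CITY TRANSIT; 2.90
2021-09-21; COFFEE BAR; 4.50
2021-09-22; CITY TRANSIT; 5.80
2021-09-23; CITY TRANSIT; 1010.00
"""

if __name__ == "__main__":
    for t, why in flag_transit_anomalies(parse_statement(SAMPLE_STATEMENT), {"CITY TRANSIT"}):
        print(f"{t.date} {t.merchant} {t.amount_eur:.2f} EUR: {why}")
```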

Notes:
1) This content reflects the state of affairs at the time of publication. Individual images, screenshots, embeds or video sequences are reproduced for the purpose of discussing the topic.
2) Individual contributions were created with machine assistance and were carefully checked by the Mimikama editorial team before publication.