Store your corporate card on an iPhone? Uh oh

Apple and Google (and in particular Visa) last week gave us another example of how security and convenience often conflict with each other. And it seems that they have sided with convenience.

The latest issues affect only a subset of iPhone and Android users, specifically those who use their phones to pay for transit. If you think about how subways work in a big city (I'll take New York as an example), they require extreme speed. Using facial recognition or entering a PIN code just before paying to get on the subway would significantly slow down the queue.

Rather than allowing authentication beforehand, say within five minutes of a transaction, or speeding the process up to a fraction of a second, Apple, Google, and Visa have apparently chosen to forgo any meaningful authentication. (Note: I'm focusing on Visa because the hole still exists for that brand. MasterCard and others have already fixed the flaw.)

Security researchers at Positive Technologies tested the phones and found the problem.

“Loopholes allow attackers to make unlimited purchases using stolen smartphones with express delivery systems activated that do not require unlocking the device to make a payment,” Positive said in a statement. “Until June 2021, purchases could be made at any PoS terminal, not just on public transport. On iPhones, payments can be made even if the phone's battery is empty. Prior to 2019, Apple Pay and Samsung Pay only allowed payments if the phone was unlocked with a fingerprint, face ID, or PIN. But today, it is possible to use public transportation or Apple's Express Transit mode.”

Positive researcher Timur Yunosov said in an interview that the risk still exists, but it varies depending on the combination of the payment card brand (Visa, MasterCard, American Express, etc.) and the type of device.

“If you use a Visa card in Apple Pay, anyone can take your phone, even for free, go to a fancy store and buy something with your phone. Before June 2021, the same could have happened with the Samsung Pay/MasterCard pair,” said Yunosov, who spoke at Black Hat Europe last week. “But at one point, they quietly solved the problem. Google Pay is the most at risk. If NFC is enabled, someone could even clone your MasterCard in a short period of time and use it later to buy goods. Even after all the changes made by MasterCard, there is still the possibility of fraud against lost mobile wallets (Apple, Samsung, Visa, MasterCard, AMEX), although this requires special equipment, such as a modified point of sale or direct access to the transaction flow.”

Since these are stolen devices, this raises a difficult IT question. For many companies, the standard IT protocol when a device is labeled "probably stolen" is to remotely wipe it, which theoretically eliminates any additional risk. But it may not work if the phone is not connected to the Internet, is turned off, or has a dead battery.

“If the phone is not charged, it is still possible to use it to identify yourself. Therefore, the information will not be erased from the device. It also depends on whether the wipe mechanisms include wiping records from security systems (for example, a database of employee-owned devices); that would be safe,” Yunosov said. “Otherwise, you could put the entire system at risk. Until we see these systems being implemented in large companies, this is all just speculation.”

There is good news, albeit temporary and theoretical. Other confidential data on the phone should not be at risk. And if it is, a remote wipe should solve the problem, assuming a connection for the remote wipe can be made.

But, as Yunosov noted, this defect can get worse. Apple is preparing a series of new "value-added services", such as the means to access secure buildings. For speed and convenience, these could use the same process as transit payments. This increases the universe of potential victims.

Another key issue: What if a thief makes fraudulent purchases using the phone? Proving that the charges are fraudulent can be tricky. "It would be extremely difficult to prove to your issuing bank that you have not paid for these things and that the phone has not been unlocked with your fingerprint or PIN," Yunosov said.

Some victims may be lucky if a security camera captures the person making the purchase or if the victim can prove they were elsewhere at the time of the theft.

It seems that Apple could take advantage of the Apple Watch here. What if your Apple Watch constantly monitored how far it is from the iPhone? What if, at a predetermined distance, the watch allowed the user to deactivate the phone, temporarily or permanently? It is important to give the user the option to disable temporarily; this is where the difference between a lost phone and a stolen phone comes in.

The watch could also tell the user exactly where the phone appears to be, or at least where it was when it was last detected. This information would help the user determine if the phone was simply lost or if it was likely stolen.

At the very least, Apple, Google, and financial institutions must remember that convenience should not come at the expense of security. Because slowing down the subway line can be annoying, but dealing with fraud and theft is worse.

Copyright © 2021 IDG Communications, Inc.