Apple Pay is Vulnerable to Malware
The Apple Pay mobile payment system is vulnerable. Cyber security experts have identified two different weaknesses in the system that have broken the strong belief that Apple Pay is secure.
What is Apple Pay?
Apple Pay is a mobile payment service that enables users to make payments in multiple ways – in person, through iOS apps, and on the web. Apple Pay uses the EMV Payment Tokenisation Specification for security. The system is quite similar to other forms of contactless payment that use near field communication (NFC) technology – a wireless method that allows communication between a device containing an NFC antenna and a point-of-sale (POS) system. Apple Pay digitizes credit card chip data and PIN or magnetic stripe data and can be used instead of the physical card at a point-of-sale terminal to perform contactless transactions.
Apple Security and Privacy
On security and privacy, Apple states that: “Apple Pay protects your personal information, transaction data, and credit, debit, and prepaid card information with industry-leading security. Using Apple Pay is easy, secure, and private. It’s simple for you, and it’s built with integrated security in both hardware and software, making it a safer way to pay than with your credit, debit, and prepaid cards.
Apple Pay is also designed to protect your personal information. Apple Pay doesn’t collect any transaction information that can be tied back to you. Payment transactions are between you, the merchant (or developer for payments made within apps and websites), and your bank.”
The security of Apple Pay is further boosted with two-factor authentication (TFA) – passcode, Touch ID, or PIN. Apple Pay is hence considered to be easier, more secure, and more private for performing transactions. Further, Apple adds that it doesn’t collect any transaction information.
The Vulnerabilities – Attack Type I
In the first type of attack, the attackers exploit vulnerabilities in jailbroken devices. Experts believe that around 20% of users jailbreak their devices, although neither Apple nor any other manufacturer recommends jailbreaking. The attackers must first manage to infect the device with malware; if they succeed, then because the device is jailbroken, the malware can gain root privileges. This would allow it to intercept payment data sent to an Apple server.
The Vulnerabilities – Attack Type II
This method can be used to attack even non-jailbroken devices. Even without sophisticated equipment or skills, attackers would be able to intercept the SSL transaction traffic and also manipulate the data. This is dangerous, as the amounts and details of the recipient can be changed.
Apple Pay uses EMV Payment Tokenisation Specification, which is believed to offer more secure payment transactions. Apple also uses Secure Enclave – a separate microprocessor for payments, which ensures that no card data is stored on the device and all data is transferred only in encrypted form.
Attackers need to steal the payment token, and for that the transmission has to take place over public Wi-Fi, or the attacker may tempt the user with a “free” (but fake) hotspot. The attackers are then able to trick the user into sharing some details to create a profile, from where they are able to steal what Apple uses to encrypt data – the Apple Pay cryptogram.
Despite Apple’s warning that the cryptogram must be used only once, in practice cryptograms are used multiple times. Hackers use this vulnerability and change the delivery details to make fraudulent payments.
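One way a merchant server could enforce the single-use rule described above, as an added example that is not from the original article or from Apple: it records each cryptogram on first use, rejects any reuse, and separately flags reuse that arrives with changed order details. The class name, order fields and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import threading


class CryptogramGuard:
    """Hypothetical merchant-side check: accept each payment cryptogram once."""

    def __init__(self):
        # cryptogram digest -> digest of the order it was first used with.
        # A real deployment would use a shared store with atomic set-if-absent.
        self._seen = {}
        self._lock = threading.Lock()

    @staticmethod
    def _digest(data: bytes) -> bytes:
        return hashlib.sha256(data).digest()

    def _order_digest(self, order: dict) -> bytes:
        # Canonical JSON so that key order cannot change the digest.
        canonical = json.dumps(order, sort_keys=True, separators=(",", ":"))
        return self._digest(canonical.encode())

    def check(self, cryptogram: bytes, order: dict) -> str:
        """Return 'accepted', 'replay' or 'replay_modified'."""
        key = self._digest(cryptogram)  # never keep the raw cryptogram
        order_d = self._order_digest(order)
        with self._lock:  # check-and-record is atomic, so parallel replays cannot both pass
            first = self._seen.get(key)
            if first is None:
                self._seen[key] = order_d
                return "accepted"
        # Same cryptogram seen before: decline, and say whether the order changed.
        return "replay" if hmac.compare_digest(first, order_d) else "replay_modified"


# Constructed sample values, not real payment data.
SAMPLE_CRYPTOGRAM = bytes.fromhex("00112233445566778899aabbccddeeff")
ORDER = {"amount": "49.99", "currency": "USD", "ship_to": "1 Example St"}
TAMPERED = dict(ORDER, ship_to="99 Other Rd")  # delivery details changed


def demo():
    guard = CryptogramGuard()
    return [guard.check(SAMPLE_CRYPTOGRAM, order) for order in (ORDER, ORDER, TAMPERED)]


if __name__ == "__main__":
    print(demo())
```

A `replay_modified` result matches the pattern the article describes, a reused cryptogram with altered delivery details, and is worth alerting on rather than only declining.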
- Be wary about “https://” on websites. Fraudulent websites may also obtain “https://”.
- Avoid public Wi-Fi.
- If you must connect to public Wi-Fi for some unavoidable reason, do not share any credentials (user ID, password, etc.).
- Never perform any financial transactions on Wi-Fi.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.