Apple Pay vulnerable to wireless pickpockets

Apple Pay vulnerable to wireless pickpockets

Excerpt: Contactless Europay, Mastercard, and Visa (EMV) payments are a fast and easy way to make payments, particularly at a time when we’re all much more wary about the hygiene of the surfaces we touch. Normally, payments via smart-phone apps need to be confirmed by the user via a fingerprint, PIN code, or Face ID. Apple Pay elevated the EMV standard for usability, by introducing a feature that allows it to be used at a ticketing barrier (like those used to access the London underground railway network) without unlocking the phone. And Apple is not alone. Samsung has introduced the same “transport mode” feature as well. The researchers found that Transport for London (TfL) ticket barriers broadcast a non-standard sequence of bytes—so-called “magic bytes”—which bypass the Apple Pay lock screen. Apple Pay then checks that its other requirements are met (which are different for Visa and Mastercard) and if they are it allows a payment to be performed with no user interaction. In this way it allows underground passengers to move through the barriers without stopping, in the same as they do with Oyster cards. [This sounds like a genuine OMG. While this is generally of primary interest to European–especially UK–persons, if this works there, it will work in other places, too. What I find most chilling is that the phone need not even be turned on for this to work. You really do want to read this article if you have any contactless electronics (perhaps car keys?) that handle payments. I added emphasis. Alan25main]

2 Likes