A flaw in Apple Inc.’s (NASDAQ: AAPL) Apple Pay contactless payment system allows a hacker with physical possession of an iPhone to steal money using the phone, even if it is locked. The hack works when an iPhone owner has set a Visa card as Apple Pay’s default for transactions in its Express Transit feature.
London’s Telegraph newspaper reported the hack. Express Transit (called Express Travel in the United Kingdom) allows an iPhone user to pay for a ride on public transit without Face ID or Touch ID authentication (i.e., when the iPhone is locked). According to 9to5Mac, “The lack of authentication is deemed okay as the maximum transaction amount for transit is low, and there is a daily cap.”
Security researchers discovered that a hacker can create a dummy payment terminal that mimics a public transport terminal and lets an Express Transit card make a transaction with no cap on the amount. To prove the point, the researchers made a £1,000 transaction on a locked iPhone, bypassing the phone’s authentication system.
BBC News reported that the researchers got in touch with Apple and Visa nearly a year ago but that the problem hasn’t been fixed. Visa told the BBC that the type of attack was “impractical” and that “Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence.”
Apple said it is Visa’s problem:
“This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
The researchers also tested Samsung Pay and Mastercard, and neither could be exploited by this kind of attack.
While the United States and China may have some serious issues with one another, Chinese consumers have no problem with Apple and no problem especially with the iPhone 13. Earlier this week we noted that one analyst said that Chinese customers had ordered 5 million iPhone 13 models already.
In a Bloomberg Opinion article Wednesday, Adam Minter noted that minutes after preorders for the new phones opened, some colors were sold out and Apple’s Chinese website crashed. Sales at a JD.com e-commerce site were 470% higher than for the iPhone 12 just one year ago.
Minter’s article focuses on the Chinese market’s appetite for foreign-made goods. And the iPhone is a particularly good example.
Finally, Apple appears to have changed its mind about letting customers review the company’s own apps after they have been downloaded from the App Store. Some iPhone owners delete an Apple app that ships with the iPhone but later change their minds. Until now, Apple would not allow those customers to leave a review of the app. According to some of the reviews, posted at 9to5Mac, Apple may have been better off before the change.