Hackers Claim They Can Pwn Apple Pay Via WiFi
The Black Hat conference is taking place this week in Las Vegas. This is, of course, the conference where hackers of all descriptions show up to show off security-related research and show how to pwn everything. Case in point: The Register is reporting on research by Positive Technologies that describes two attack vectors for Apple Pay. The first requires malware to be injected into a jailbroken device, which illustrates why you should never jailbreak a device. The second attack vector does not require a jailbroken device and utilizes WiFi:
The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].
Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.
As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.
The take-home message: don’t use WiFi when you use Apple Pay. But even if you don’t use WiFi, you have to wonder how long it will be before hackers figure out how to pull off an attack like this over a cellular network. If that is in the works, they had better hurry, because the researchers informed Apple about these attack vectors, which means that Apple is likely working on a fix. Though there might be a problem with that:
Fixing the issue will require action from all points in the chain, including the banking merchants, payment gateways, and card issuers, the security firm claimed.
We’ll see if Apple gets that co-operation to close this attack vector.
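What a merchant- or gateway-side check for the two weaknesses in the quotes above (reusable cryptograms, unverified delivery details) could look like, as an added example that is not code from Apple, Positive Technologies or The Register. The class name, field names and key handling are assumptions made for illustration:

```python
import hashlib
import hmac


class CryptogramGuard:
    """Accept each payment cryptogram once, and only with untampered order details."""

    def __init__(self, server_key: bytes):
        self._key = server_key   # secret held by the merchant server (assumption)
        self._seen = set()       # digests of cryptograms already charged

    def sign_order(self, amount_cents: int, delivery: str) -> str:
        """MAC the server issues at checkout over the fields sent with the payment."""
        msg = f"{amount_cents}|{delivery}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def accept(self, cryptogram: bytes, amount_cents: int, delivery: str, order_mac: str) -> str:
        # Integrity: the amount and delivery details must match what was signed.
        expected = self.sign_order(amount_cents, delivery)
        if not hmac.compare_digest(expected, order_mac):
            return "rejected: order details modified"
        # Single use: a cryptogram that was already charged is never charged again.
        digest = hashlib.sha256(cryptogram).hexdigest()
        if digest in self._seen:
            return "rejected: cryptogram replayed"
        self._seen.add(digest)
        return "accepted"


def demo():
    # Constructed sample values, not real payment data.
    guard = CryptogramGuard(server_key=b"constructed-demo-key")
    mac = guard.sign_order(1999, "1 Example Street")
    return [
        guard.accept(b"cryptogram-A", 1999, "1 Example Street", mac),  # first use
        guard.accept(b"cryptogram-A", 1999, "1 Example Street", mac),  # replay
        guard.accept(b"cryptogram-B", 1999, "9 Other Road", mac),      # altered address
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In production the set of seen cryptograms would live in a store shared by all payment servers and keep entries for at least as long as a cryptogram stays valid.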
This entry was posted on July 28, 2017 at 2:41 pm and is filed under Commentary with tags Apple. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.