Are you using payment system over public Wi‑Fi?
Black Hat USA Security researchers say they have come up with two separate "attacks" against ApplePay, highlighting what they claim are weaknesses in the mobile payment method.
One of the attacks developed by the white hats, and presented at Black Hat USA yesterday, requires a jailbroken device to work, but the other assault does not.
In the first attack, say the researchers from Positive Technologies, hackers will initially need to infect a jailbroken device with malware. Having achieved this, they might then be able to intercept traffic en route to an Apple server, in this case payment data being added to the device's account. Once hackers have succeeded in pushing malware with root privileges, then it's game over (in most scenarios), claim the white hats.
The second attack can be performed against any device as hackers intercept and/or manipulate SSL transaction traffic without employing any sophisticated equipment or skills, they say. The attack involves replaying or tampering with transaction data: changing the amount or currency being paid, or changing the delivery details for the goods being ordered.
Timur Yunusov, head of banking security for Positive Technologies explained: "With wireless payments - PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay's security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments."
Although Apple's approach might seem sound, Positive Technologies claimed it had nevertheless uncovered two potential avenues of attack. While one relies on the device being jailbroken – a practice frowned upon by security experts that is carried out by an
estimated one in five users – another attack can target an unmodified iPhone or iPad, as Positive Technologies explained to
El Reg.
