Subj : Re: *Apple Pay Bug: Hackers to Bypass Lock Screen and Spend your Money
To   : August Abolins
From : Jay Harris
Date : Fri Oct 01 2021 09:24:59

On 30 Sep 2021, August Abolins said the following...
 
 AA> Ah.. So, this problem only pertained to "transit" payments and  
 AA> that transit users were able to get free rides?

Yup, the user would have to enable the feature:

"Express Transit is an Apple Pay feature that enables commuters to make quick contactless payments without unlocking their phone."


Here's how an attack would work:

"A small commercially available piece of radio equipment is placed near the
iPhone, which tricks it into believing it is dealing with a ticket barrier.

At the same time, an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal. Because the iPhone thinks it is paying a ticket barrier, it doesn't need to be unlocked."


So it sounds like an attacker would need close proximity to an iPhone for this to work, though if the attack was setup in a busy area (like a transit station) they could walk away with a pretty penny:

"In a demonstration video seen by BBC News, security researchers have shown how they were able to make a Visa payment of 1,000 British Pounds using Apple Pay without unlocking the iPhone or authorizing the payment."


Jay

.... It was completely quiet in the stadium - but noisy.

--- Mystic BBS v1.12 A47 2021/09/29 (Raspberry Pi/32)
 * Origin: Northern Realms (1:229/664)

.