Apple and Google (and especially Visa) last week gave us yet another example of how security and convenience are often at odds with each other. And it looks like they opted for convenience.

The latest issue speaks to only a subset of iPhone and Android users — specifically, those who use their phones for mass transit payments. If you think of how subways work in a major city (I’ll use New York City as an example), they require extreme speed. Using facial recognition or entering a PIN right before paying to get on the subway would dramatically slow down the line.

Instead of allowing authentication to happen earlier — say, perhaps within five minutes of a transaction — or by accelerating the process to a split second, Apple, Google, and Visa apparently chose to forego any meaningful authentication. (Note: I am focusing on Visa because the hole still exists for it. MasterCard and others have already patched the flaw.)

Security researchers at Positive Technologies tested the phones and found the problem.

“The flaws allow attackers to make unlimited purchases using stolen smartphones with enabled express transport schemes that do not require unlocking the device to make a payment,” Positive said in a statement. “Until June 2021, purchases could be made at any PoS terminals, not only in public transport. On iPhones, payments could be made even if the phone’s battery is emptied. Prior to 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, facial ID, or PIN code. But today, it has become possible by using public transport schemes or Apple’s Express Transit mode.”

Timur Yunosov, a Positive researcher, said in an interview that the risk still exists, but varies based on the combination of payment card brand (Visa, MasterCard, American Express, etc.) and device type.

Copyright © 2021 IDG Communications, Inc.