If You Use Your iPhone to Do This, Check Your Bank Account, Experts Warn
Researchers found an exploit that makes it possible for thieves to steal your cash.
Even if you don't consider yourself good with technology, there's a good chance your phone is the primary way you get things done. After all, the convenience of having a device in your pocket that can do everything from booking a flight to having your favorite meal brought to your door has revolutionized the way we go about our daily lives. But our newfound reliance on gadgets can sometimes make us vulnerable to serious security breaches. Now, experts warn that hackers can take advantage of anyone who uses their iPhone to do this one everyday action. Read on to see what you can do to protect yourself.
Researchers showed the Express Transit feature on the iPhone can be exploited to steal money.
Using your iPhone to board a bus or subway train with its contactless Express Transit feature has undoubtedly made life easier for commuters. But according to new research from teams at Birmingham and Surrey Universities, it has also made it much easier for hackers to target the devices and steal cash from them.
In a video released to the BBC, the team demonstrated a locked iPhone tricked into approving a contactless payment of £1,000. The transaction was completed by using an Android phone running a program that mimics a ticketing terminal seen in public transportation systems. But while Express Transit typically relies on the device being swiped over a reader to be activated, the researchers explained that hackers running the program don't even necessarily have to be physically close to victims to poach such payments, and all without the use of a passcode, Face ID, or fingerprint.
"It can be on another continent from the iPhone as long as there's an internet connection," Ioana Boureanu, PhD, one of the researchers from the University of Surrey, told the BBC.
The exploit specifically affects accounts with Visa bank cards attached to Express Transit.
The researchers said the security exploits they discovered put any iPhone with a Visa bank card attached to its Express Transit feature in danger. Similar tests against phones using Samsung Pay or a Mastercard were unsuccessful in stealing the funds.
Even though the conditions were created in a lab and there's no evidence that thieves have used the vulnerability to steal cash, some experts feel the potential open door for thieves could soon have serious consequences. "Perhaps the greatest worry is for a lost or stolen phone," Ken Munro, a researcher with cyber security consultancy Pen Test Partners who was not involved in the research, told the BBC. "The crook doesn't have to be concerned about being spotted by others as they carry out the attack anymore."
Both Apple and Visa have refused to accept responsibility for the security flaw.
Despite the researchers having shown footage of their findings to both Apple and Visa nearly a year ago, neither company has fixed the security issue. In a statement, a Visa spokesperson called any such fraudulent payments "impractical" and compared them with other similar "contactless fraud schemes" that haven't been able to be executed in the real world over the past decade.
Apple took a similar stance when faced with the results, with a spokesperson for the company telling the BBC: "We take any threat to users' security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place."
Unfortunately, the research team fears that such responses mean the exploit could be left unsolved long enough for criminals to take advantage of the vulnerability. "Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users," Andreea Radu, PhD, the study's lead researcher from the University of Birmingham, told the BBC. "Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely."
The researchers recommend removing any Visa card attached to the feature for now.
In light of the findings, a company spokesperson said that "cardholders are protected by Visa's zero liability policy" from any fraudulent payments or theft. But the research team says that it's still best for people to take security concerns into their own hands for the time being.
"iPhone owners should check if they have a Visa card set up for transit payments, and if so, they should disable it," Tom Chothia, PhD, one of the study's co-authors from the School of Computer Science at the University of Birmingham, told the BBC. "There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this, they are."