Apple Pay hack discovered, set worry level to low
There’s a contactless hack that could take an iPhone and turn it into a wallet drainer, but the way to pull it off is pretty impractical and you’ll have to do a few things to get hacked.
The issue revolves around Visa cards set up in Express Transit mode in iPhone’s wallet. This mode is aimed at commuters for quick contactless payments at trains. busses, etc. The mode doesn’t require unlocking, but does require the phone to be within so many inches of a contact point. The contact point, in the hack as demonstrated, is another device that claims it’s a ticket barrier and therefor the wallet passes the Visa info on believing you’re paying bus or train fare.
Neither the compromised computer/phone/piece of equipment, nor the terminal that are being used need to be near as long as there’s an internet connection, however the radio/nfc will need to be extremely close to the phone to trigger the whole shebang.
It’s not an attack you’re likely to see in the wild this week, and it will still require getting close enough to the phone to trigger. However, it might bring back stealing people’s phones in order to gain access to sensitive data/visa which hasn’t been much of a thing for the past couple of years.
My current bet is this is probably not going to happen in the wild, however.
Currently you can protect yourself completely by disabling Express Transit mode, which would mean you’d have to unlock your phone in order to pay.[bbc]