Recently the ANZ Bank introduced Apple Pay, the “Safer way to pay”, which uses the NFC chips in the iPhone and Apple Watch to make contactless payments.
I was recently able to set this up on my phone, but I noticed that there is very little authentication involved in adding a new card to your phone.
The current procedure is: scan the front of the card with your phone’s camera, and ANZ or Apple then sends a unique code to the phone number registered on the account.
However, there is a significant flaw here: quite a lot of women store their wallet in their handbag, along with their phone. Most phones also display the contents of an incoming message whether or not the phone has been unlocked.
I think it would be trivially easy to gain access to someone’s phone and wallet at the same time (e.g. while minding someone’s handbag), and during that time one could set up Apple Pay using their credit card details.
This is different from stealing the credit card, because the victim might not realise their card has been compromised: it is still in their wallet. I even tested it with a photocopy of a credit card and it worked without an issue.
Furthermore, using Apple Pay circumvents the PIN on the credit card, because under Apple Pay authentication is left to the iPhone, which typically uses the owner’s fingerprint (NOT the victim’s). This is actually more useful to a thief than the physical card, which is limited to $100 transactions without a PIN.
There are typically three factors of authentication: something you are (fingerprints, retina pattern), something you know (PIN codes, passwords) and something you have (credit card, phone). Security is strongest when multiple factors are combined. ANZ is clearly trying to use the mobile phone as ‘something you have’, but it neglects the fact that the credit card is also something ‘you have’, and these two ‘things you have’ often reside together.
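To make the point about co-located factors concrete, here is a small model (an added example for this post, not ANZ’s or Apple’s code) that counts how many independent factors an enrolment flow really checks. The checks assigned to each scenario are assumptions taken from the flow described above: a card scan that a photocopy satisfies, and a code texted to the registered number that can be read from the lock screen when message previews are on. Possession items held in the same place are counted as one factor; the “banking-app PIN” scenario is a hypothetical hardening used only to show what an extra knowledge factor changes.

```python
"""Toy model of how many independent authentication factors a card-enrolment
flow actually checks once items kept together are counted as one.

Added example for this post, not ANZ's or Apple's code. The checks listed
per scenario are assumptions drawn from the post's description of the flow."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    HAVE = "something you have"
    KNOW = "something you know"
    ARE = "something you are"


@dataclass(frozen=True)
class Check:
    name: str
    factor: Factor
    custody: str  # where the evidence for this check is physically held


def independent_factors(checks):
    """Count checks that cannot all be satisfied by a single grab.

    Possession checks are grouped by custody: two 'have' items in the same
    handbag are one factor, not two. Knowledge and inherence checks are
    counted individually, since picking up a bag does not supply them."""
    groups = set()
    for c in checks:
        if c.factor is Factor.HAVE:
            groups.add((Factor.HAVE, c.custody))
        else:
            groups.add((c.factor, c.name))
    return len(groups)


def sms_code_checks(sms_custody, preview_on_lock_screen):
    """Checks implied by 'we text a code to the registered number'.

    If the lock screen previews message bodies, reading the code needs only
    the device; otherwise the phone passcode (something you know) is also
    required to read it."""
    checks = [Check("sms_code", Factor.HAVE, sms_custody)]
    if not preview_on_lock_screen:
        checks.append(Check("phone_passcode", Factor.KNOW, "owner"))
    return checks


def card_scan_check(card_custody):
    # A photocopy passed the scan in the post's test, so the scan proves only
    # that the enroller can see the card face: possession of the card or a copy.
    return Check("card_face", Factor.HAVE, card_custody)


def scenario(card_custody="handbag", sms_custody="handbag",
             preview_on_lock_screen=True, require_app_pin=False):
    """Return the number of independent factors for one enrolment scenario."""
    checks = [card_scan_check(card_custody)]
    checks += sms_code_checks(sms_custody, preview_on_lock_screen)
    if require_app_pin:
        # Hypothetical hardening (not something the post says ANZ does):
        # confirm enrolment inside the banking app with its PIN.
        checks.append(Check("banking_app_pin", Factor.KNOW, "owner"))
    return independent_factors(checks)


def report():
    return {
        "as described: card and phone in one bag, previews on": scenario(),
        "message previews off": scenario(preview_on_lock_screen=False),
        "plus a banking-app PIN": scenario(require_app_pin=True),
        "previews off and banking-app PIN": scenario(
            preview_on_lock_screen=False, require_app_pin=True),
    }


if __name__ == "__main__":
    for name, n in report().items():
        print(f"{n} independent factor(s): {name}")
```

The flow as described collapses to a single factor, because the card face and the previewed SMS code sit in the same handbag. Turning off lock-screen previews, or requiring a knowledge factor that lives with the owner rather than in the bag, is what raises the count; adding a second “something you have” that travels with the first does not.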
I would also caution against assuming that your phone is ‘something you have’ just because you can receive a code sent to your mobile number. These days there are dozens of SMS syncing services, such as iMessage, which sync ALL text messages received on a phone to every connected iPad, Mac and iPod. The Android Facebook app now allows you to send SMS messages from within the app, so Facebook already has read access to an Android user’s text messages; it is not a huge stretch to imagine text-message syncing in the future that would mean attackers no longer need physical possession of the victim’s phone. Several third-party services (https://mightytext.net/) already offer this functionality. Combine this with the fact that a printed photograph is entirely adequate to set up Apple Pay, and we have suddenly increased the attack surface of the humble credit card.