Security researchers at a company called Positive Technologies demonstrated why big retailers like Walmart are saying no to Apple Pay.
The researchers described two separate Apple Pay hacks using Wi-Fi technology at the Black Hat USA cybersecurity conference, The Register reported. Here is what they found:
- In the first hack experts were able to intercept Apple Pay transactions; before they reached an Apple server, by using a jailbroken device. A jailbroken phone is one with security features that have been cracked by the bad guys. This was achieved by infecting a device; presumably an iPhone, with malware.
- The second hack involved the interception and manipulation of transaction data. The hackers were apparently able to change the amount of payment and delivery details. Frighteningly they found that it might be possible to use any device to carry out this attack.
- It is possible for hackers to steal the Apple Pay “payment token” using public Wi-Fi or a fake Wi-Fi hotspot that asks users to create a profile. Basically they can crack Apple Pay by using a time tested hacking tactic called Wardriving. That is roaming around and looking for Wi-Fi accounts to enter.
- “From this point they can steal the ApplePay cryptogram [the key to encrypting the data],” a Positive spokesperson told El Reg.
“Apple states that the cryptogram should only be used once. Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.”
- “As the delivery information is sent in cleartext; without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions,” Positive claimed.
- “Attackers can either register stolen card details to their own iPhone account; or they can intercept the SSL traffic, between the device and the Apple Server to make fraudulent payments directly from the victim’s phone,” Timur Yunusov; Positive Technologies’ head of banking security, told The Register.
It sounds as if there are some big holes in Apple Pay’s security. To make matters worse, Yunusov thinks the same holes might exist in Android Pay, Samsung Pay and PayPass.
This is why Walmart is not Accepting Apple Pay or Android Pay
This might be the real reason why Walmart (NYSE: WMT) is refusing to accept Apple Pay and other solutions such as Android Pay, that use near field communications (NFC). It might also be the reason why Walmart has spent big money developing its own payment solution, Walmart Pay that uses another technology called Quick Read (QR) code.
A QR code payment solution; such as Walmart Pay, Alipay or Chase Pay, uses a phone’s camera to scan a barcode on a cash register. The barcode then gives it permission to make payment in a payment provider’s system. Unlike NFC devices, QR code solutions do not make direct contact with a retailer’s payment system.
There is a potential nightmare for Apple Pay or Android Pay users here. Cybercrooks can use their accounts to buy stuff and banks or merchants can easily block suspicious transactions. That means your Apple Pay can be cut off at any time if a retailer or bank thinks crooks are using it.
It goes without saying that this might be a huge opportunity for Ant Financial (owner of Alipay), Walmart or JPMorgan Chase (NYSE: JPM); all of which offer QR code payment solutions. Another potential beneficiary is the Singapore startup TenX; which is offering a cryptocurrency-based digital wallet that works with a Visa card for added security.
One has to wonder what Apple is going to do about this and how long before crooks start using Apple Pay to steal money or merchandise. Positive Technology has informed Apple of its findings. Apple (NASDAQ: AAPL) is going to have to upgrade Apple Pay’s security if it wants the service to remain marketable.
A possible solution; and one the Geeks would not like, would be to offer an Apple Pay branded Visa or MasterCard. Another would be to add a QR Code function to Apple Pay or Android. Either way it looks like both Apple and Alphabet (NASDAQ: GOOGL) have a lot of work to do on their payment systems’ security.