ApplePay + TouchId: more scary exploits

When this first cropped up I mentioned how experts have already managed to fool TouchId using fingerprints left on the screen, or even by building a fingerprint from photos. I admitted those exploits were a bit too hard to be worth using on average targets, but the new information gets scarier. Much scarier.

The first one should scare people, really anyone, even if you don't own an iPhone 6: Apple appears to have convinced banking institutions to be more lax on identity verification with ApplePay and TouchId. That means that FAR easier than scamming your fingerprints is to just use age-old CC duping techniques and combine them with ApplePay. The scam works like this, with some steps removed/simplified: you take your CC and use it to buy lunch. Unbeknownst to you, the cashier steals your CC info and adds your CC as a payment option on THEIR iPhone with TouchId, and voila! They don't need to worry about making a legit-looking physical card or restricting themselves to web sites that use additional verification methods. They can use your CC anywhere that accepts ApplePay.

It shouldn't be exactly as simple as all of that, but the scary point is that ApplePay can be abused to make it easier to compromise the credit cards of people who don't even use Apple products.

The next exploit is one I thought of, and it puts the lie to the claim that a fingerprint is more secure than a password in the case of TouchId. At present your biometric data for TouchId lives ONLY on your device. So, if you have an Apple username and password and a credit card linked to that account, your credit card is only as safe as your password is. If I know your username and password, then it is as simple as grabbing any TouchId-enabled device, configuring it under your user and then configuring TouchId on my device. YAY! I'm now the proud owner of any payment options linked to your Apple account.

Apple is apparently planning to start storing that biometric data in the cloud, perhaps in response to exploits like these. But until that happens, ApplePay has actually created more ways for people to steal your payment information rather than making it any safer.

Once in the cloud, things could get better. The latter exploit would theoretically disappear: with a permanent TouchId out there in the cloud to validate against, linking a new fingerprint to your account without your knowledge would no longer be possible. Also, if stronger user validation is done, and that validation is also tied to TouchId, then the former situation would be closed down as well.

That would only leave potential MITM attacks, of which I haven't heard of any successful ones, and stealing your fingerprint along with your phone, both of which mean that the average person would be much safer.
