New malware attack techniques expose security flaws in Apple Pay


Security researcher Timur Yunusov will demonstrate two malware attack techniques that can exploit potential security flaws in Apple Pay.

Hackers can intercept SSL transaction traffic, tamper with transaction data and change the amount or currency being paid using Apple Pay.

Yunusov will demonstrate two separate malware attack techniques at Black Hat USA 2017 that can render Apple Pay security worthless in the face of malware injections. The exploits take advantage of jailbroken devices to inject malware and then intercept and manipulate transactions that users perform using Apple Pay.


One such technique involves hackers feeding malware to a jailbroken device and intercepting transaction traffic as it is transferred to the Apple server. Any payment data added to a device's account can be intercepted using this method.

Hackers can also intercept and manipulate SSL transaction traffic, tamper with transaction data, change the amount or currency being paid and change the delivery details for the goods being ordered using Apple Pay. This can be done without using sophisticated equipment or skills.

Apple Pay is among the most secure methods that individuals can use to perform contactless transactions. Apple employs an independent Secure Enclave for payments, encrypts card data during payments and does not store payment information on devices. However, these two hacking techniques can render such security settings worthless.


'During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20%* and is a practice that the security community opposes, another is against a device that is ‘intact’,' said Yunusov, who is also the Head of Banking Security for Positive Technologies.

'Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim's phone,' he added.

To ensure their devices are not affected by such malware, Yunusov suggests users should avoid jailbreaking their devices and stay away from unofficial app stores, which do not offer the same security standards as the Apple App Store.

At the same time, users should avoid using unsecured public Wi-Fi networks and shouldn't purchase goods from fraudulent websites or websites not featuring the latest ‘https’ security protocol.

Copyright Lyonsdown Limited 2021
