Security researcher Timur Yunusov will demonstrate two malware attack techniques that can exploit potential security flaws in Apple Pay.
Hackers can intercept SSL transaction traffic, tamper with transaction data and change the amount or currency being paid using Apple Pay.
Yunusov will demonstrate two separate malware attack techniques at Blackhat USA 2017 that can render ApplePay security worthless in the face of malware injections. The exploits take advantage of jailbroken devices to inject malware and then intercept and manipulate transactions that users perform using Apple Pay.
One such technique involves hackers feeding malware to a jailbroken device and intercepting transaction traffic as it is transferred to the Apple server. Any payment data added to a device's account can be intercepted using this method.
Hackers can also intercept and manipulate SSL transaction traffic, tamper with transaction data, change the amount or currency being paid and change the delivery details for the goods being ordered using Apple Pay. This can be done without using sophisticated equipment or skills.
Apple Pay is among the most secure methods that individuals can use to perform contactless transactions. Apple employs an independent Secure Enclave for payments, encrypts card data during payments and does not store payment information in devices. However, these two hacking techniques can render such security settings worthless.
'During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20%* and is a practice that the security community opposes, another is against a device that is ‘intact,’ said Yunusov, who is also the Head of Banking Security for Positive Technologies.
'Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim's phone,' he added.
To ensure their devices are not affected by such malware, Yanusov suggests users should avoid jailbreaking their devices and stay away from unofficial app stores which do not offer similar security standards as the Apple App Store.
At the same time, users should avoid using unsecured Public Wi-Fis and shouldn't purchase goods at fraudulent websites or websites not featuring the latest ‘https’ security protocol.