Researchers Stole $10k from MKBHD's Locked iPhone (macrumors.com)
20 points by zacharyozer a day ago | 4 comments

anon7000 21 hours ago

The source is this very interesting video: https://youtu.be/PPJ6NJkmDAo

TLDR, it only impacts Visa cards if you have express transit mode enabled, and relies on a MITM attack. There are two root issues:

1. iOS does not verify the actual transaction value, it just verifies that a flag is set indicating it's a low-value transaction. (E.g. for express transit where no Face ID is required.) Apple says the root cause is credit card companies, but they could clearly fix this.

2. In Visa transactions with an offline terminal, the credit card doesn't cryptographically sign the data it's sending, which is why the MITM attack is able to adjust the transaction metadata getting sent to the phone. (The MITM attack basically changes the transaction flow to make it look like an offline transit reader asking for a low-value amount of money, and iOS approves the transaction with no verification, despite it being for $10k.)

Mastercard doesn't have that vulnerability because the transaction metadata is cryptographically protected/verified. Visa claims that the attack is too hard to pull off for it to be worth changing.
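
A simplified model of the two root issues described in the comment above, as an added example that is not part of the thread and is not Apple, Visa or EMV code. The message fields, the HMAC key and the 10.00 express limit are assumptions made for illustration; it contrasts a flag-only decision with one that checks integrity and the amount itself.

```python
import hmac, hashlib, json

# All names and values below are constructed for illustration; this is a toy
# model of the policy decision, not the EMV or Apple Pay message format.
EXPRESS_LIMIT_MINOR = 1000          # assumed express-mode cap: 10.00
KEY = b"constructed-demo-key"       # assumed key the verifier trusts

def canonical(fields):
    """Stable byte encoding of the fields covered by the tag."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def tag(fields, key=KEY):
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()

def flag_only_policy(msg):
    """Weak: trust the low-value flag, never look at the amount."""
    return "approve-no-auth" if msg["fields"]["low_value"] else "require-user-auth"

def hardened_policy(msg, key=KEY):
    """Check integrity first, then the amount itself, then the flag."""
    fields = msg["fields"]
    if not hmac.compare_digest(tag(fields, key), msg.get("tag", "")):
        return "reject-integrity"
    if fields["amount_minor"] > EXPRESS_LIMIT_MINOR:
        return "require-user-auth"
    return "approve-no-auth" if fields["low_value"] else "require-user-auth"

def sample_messages():
    """Constructed inputs: an honest transit tap and an altered high-value request."""
    honest = {"amount_minor": 275, "low_value": True, "transit": True}
    genuine = {"fields": honest, "tag": tag(honest)}
    # Metadata changed in transit: flag set, amount large, tag left stale.
    changed = {"amount_minor": 1_000_000, "low_value": True, "transit": True}
    altered = {"fields": changed, "tag": genuine["tag"]}
    # Same fields with a valid tag, to show the amount check holds on its own.
    relabelled = {"fields": changed, "tag": tag(changed)}
    return genuine, altered, relabelled

if __name__ == "__main__":
    for m in sample_messages():
        print(m["fields"]["amount_minor"], flag_only_policy(m), hardened_policy(m))
```
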

jqpabc123 14 hours ago

Illustrates the classic tradeoff between convenience and security and the difficulty of having both at the same time.

general1465 13 hours ago

We have ATM skimmers in Eastern Europe, now we can add NFC skimmers to it as well. Can't wait to cross-check the whole terminal, seeing nothing unusual, only to be robbed anyway.