As I always say, security or convenience, pick one. But only one.
In this case the attack does take some work and, interestingly, it only works with Visa and not Mastercard, but it does work.
Normally, Apple users have to confirm a contactless payment with a face scan, fingerprint or password, but Apple decided that there are some cases where that might be inconvenient (go back to the first sentence of this post).
So, they created a mode called Express Transit. In theory it is only supposed to work for transit fares like the bus or the subway, but apparently they didn’t think it all through.
For Visa cards, the researchers were able to override the dollar limit on the transaction and push through a 1,000 British Pound “subway fare.”
Apparently, the way Mastercard implemented this Express Transit mode, the fare is not sent by the terminal, but rather calculated upstream, hence those cards are not vulnerable.
What is more annoying (especially in light of Apple’s botched handling of iOS 15 and other bugs) is that the researchers reported the bug to Apple a year ago and to Visa last May, and rather than fixing the problem, the two companies are pointing fingers at each other as to who should fix it.
At the corporate level, the likelihood of getting hacked is probably low, but more importantly, in light of all of Apple’s recent missteps with bugs, it should make companies that make software think about their bug handling procedures.
You can use Apple’s failures over the last few months to think about how you would respond.
This is NOT limited to just commercial software that is sold to the public; it applies to corporate-developed and corporate-used software as well. For those of you who have software that is not COTS (Commercial Off The Shelf, from a company like Microsoft) – whether you have employees who develop it or whether you outsourced the development – you, too, need to have a process for dealing with bugs.
BY THE WAY, THE BUG IS NOT FIXED AND THERE IS NO FIX PLANNED AS APPLE AND VISA FIGHT ABOUT IT.
Credit: Bleeping Computer