New malware attack techniques expose security flaws in Apple Pay

Security researcher Timur Yunusov will demonstrate two malware attack techniques that can exploit potential security flaws in Apple Pay.

Hackers can intercept SSL transaction traffic, tamper with transaction data and change the amount or currency being paid using Apple Pay.

Yunusov will demonstrate two separate malware attack techniques at Black Hat USA 2017 that can render Apple Pay security worthless in the face of malware injections. The exploits take advantage of jailbroken devices to inject malware and then intercept and manipulate transactions that users perform using Apple Pay.

One such technique involves hackers feeding malware to a jailbroken device and intercepting transaction traffic as it is transferred to the Apple server. Any payment data added to a device’s account can be intercepted using this method.

Hackers can also intercept and manipulate SSL transaction traffic, tamper with transaction data, change the amount or currency being paid and change the delivery details for the goods being ordered using Apple Pay. This can be done without using sophisticated equipment or skills.

Apple Pay is among the most secure methods that individuals can use to perform contactless transactions. Apple employs an independent Secure Enclave for payments, encrypts card data during payments and does not store payment information in devices. However, these two hacking techniques can render such security settings worthless.

‘During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20%* and is a practice that the security community opposes, another is against a device that is “intact”,’ said Yunusov, who is also the Head of Banking Security for Positive Technologies.

‘Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim’s phone,’ he added.

To ensure their devices are not affected by such malware, Yunusov suggests users should avoid jailbreaking their devices and stay away from unofficial app stores, which do not offer the same security standards as the Apple App Store.

At the same time, users should avoid using unsecured public Wi-Fi networks and shouldn’t purchase goods from fraudulent websites or websites not featuring the latest ‘https’ security protocol.

Copyright Lyonsdown Limited 2021
