Apple has been altered by mobile security researchers that a potential security flaw in iOS could lead to hackers stealing the personal credit card information of millions through Apple Pay. Due to iOS devices default setting to auto connect to Wi-Fi networks, a vulnerability in Apple pay could allow a hacker to display a fake image on the device appearing to be Apple Pay asking for your credit card information.
Today, wherever you go there are open wifi hotpots, it makes traveling easier, even when we’re are stuck without a data connection. But with the alarming amount of open hotspots, hackers are beginning to take advantage and abuse public hotspots.
Mobile security firm, Wandera, has altered Apple users of a potential security flaw in the iOS operating system that could allow hackers to setup a rogue access point, fooling users iPhone’s to connect to the fake access point and steal Apple pay information, including credit card information.
The flaw allows attackers to create a malicious wireless hotspot and inject a fake “captive portal” page which mimics the real Apple Pay page asking iPhone, iPad and iPod users to enter their credit card information, which hackers can then steal. This Apple Pay page normally appears when setting up your credit cards for the first time through the service, but this scam brings the page back up, requesting card information.
If a nearby hackers setup a malicious wifi hotspot, customers at nearby Apple Pay friendly locations may be forced to connect to the hackers rogue hotspot and display the fake image. The image appears as Apple Pay itself, requesting you to re-enter your credit card details and follow the instructions on screen.
According to researchers, hackers can walk around point-of-sale machines with an Apple Pay terminal, forcing users iPhone to continuously launch the image in an effort to steal users credit card data.
However, there is one flaw to this flaw, researchers believe many may not fall for the attack as the fake portal page mimicking the Apple Pay interface is displayed under a fairly large “Log In” button.
“In high footfall locations, even a very small ratio of success will yield a large number of valuable credit card numbers,” Wandera CEO, Eldar Tuvey said in a blog post. “It’s all so easy for them. Using readily available technology, which they may be discretely carrying about their person, hackers can for the first time focus their efforts where their victims are at their most susceptible—at the checkout.”
Currently, the only workaround for the attack is to turn off your device’s WiFi off, as long as you wish not to be connected to a wireless network. This will stop your iOS device from connecting to open WiFi hotspots, protecting you from connecting to a hackers hotspot who wishes to steal your credit card information.
Mobile researchers have warned Apple of the glaring loophole, meanwhile, they recommend if any Apple Pay screens appear, exit the application and re-open the page to ensure its not a hackers captive portal. Ars reported Apple did not respond for comment regarding the Apple Pay flaw.
[Photo via Kelvinsong/Wikimedia [CC BY 3.0]]