Apple Pay – Great New Feature or Future Nightmare?

Apple Plays

Apple introduced the iPhone 6 this week and spent time talking about the size, display and CPU speed, but it also spent an exorbitant amount of time, marketing dollars and effort pushing a new feature most people could not care less about: Apple Pay.

What is Apple Pay?

Apple Pay is a payment service on the iPhone that stores and transmits your credit card information. Let that sink in before moving on.


Apple has not yet released many details to the public on exactly how Apple Pay works, and the media has several different guesses about how it thinks the system will work. Gartner claims no credit card information will be stored on the phone and that your iTunes credit card information will be used; others, including Apple, say your card details will be stored on the phone. The Washington Post writer assures his readers that, by using the iPhone fingerprint reader, no one else will be able to make purchases with your phone. He doesn’t bother to mention that the fingerprint reader was itself hacked less than two days after it was released, or that virtual card numbers, rather than your actual card number, are what will be sent from your phone to the merchant.

Using the docs from, a third party offering an API that lets merchants use Apple Pay without doing all the integration on their own, it would seem that credit card information is stored on your iPhone and that, depending on the merchant you are using, you will be sending them your card number, CVC code, name, expiration date and billing address, all information they can choose to store for later use if they want to. ’s documentation includes frightening phrases such as “Make sure any communication with your server is SSL secured to prevent eavesdropping.” Shouldn’t Apple Pay force SSL communication?

This is all speculation at this point, but I think likely has better information than the Washington Post and Gartner right now.

However, I couldn’t leave out this little gem from as they stay in lock step with the party line, claiming that anyone who doesn’t fully embrace Apple’s latest feature as the greatest change to the monetary system since the advent of coins is a lunatic alien abductee.

“Those of you reaching for your tinfoil hats will be relieved to hear the usual security and privacy spiel from such an announcement involving sensitive financial data. Merchants cannot see card numbers, Apple cannot tell what you are buying, and if you lose your phone, you can simply suspend the service using Find My iPhone.”

All but the last part, about using Find My iPhone, is incorrect, but it doesn’t matter, because they don’t address the real security concerns.

Update: According to NerdWallet, Apple will get 0.15% of each transaction, paid to it by the bank issuing the credit card. This new fee, on top of the regular per-transaction fees paid for the convenience of using a card instead of cash, will unwittingly be paid by the consumer. When you think about the concept of paying a company to lend you your own money, with interest and fees added on top, you may begin to understand that using cash and living within a realistic budget is better than using Apple or any credit card company.

The Real Point Please?

Here is the main problem with Gartner, WaPo and all of the internet sites claiming there is nothing to worry about. They all talk about how the transaction is secure, how the merchant doesn’t actually get your card details, how a random number or one-time token is going to keep your purchase secure. Great. But what about the phone? How secure is the device where you are storing the cards, along with all the information needed to use each one of them? I don’t recall Apple talking about how secure its phone and new OS are, and none of the websites fighting for your precious monetized clicks talk about how secure the platform storing all your data is. Instead they make claims to assure you that Apple has it all figured out; after all, it’s Apple! They never have security problems, just ask Kate Upton, Kirsten Dunst, Jennifer Lawrence or Jonathan Zdziarski.

Jonathan is the researcher who recently presented a paper on how every iOS device is running hidden and undocumented services that allow access to phone data, even the ability to bypass the iTunes backup encryption, all without needing physical access to your phone. It doesn’t take much thought to figure out exactly how someone could get at all the photos of celebrities, your spouse or yourself stored in iCloud.

When Target and the other retailers had their POS systems hacked, the attackers did not go after individual payments; they wanted the card data so they could sell the cards on the market, and those who bought the cards would then use them to make fraudulent purchases, clean out accounts or worse. Talking about how a single transaction is secure is only interesting if you are a merchant, bank, card processing company or Apple. The consumer loses nothing if a retailer or bank doesn’t secure its transaction, because they are covered. But if the consumer has their savings account drained to $0, well, they are just out all of their savings. The banks, card processor and retailer will happily take that stolen money.

One Last Thing

Apple Pay uses NFC to transmit your purchase details. In 2012, 2013 and 2014 there have been demonstrations of how to hack NFC to take advantage of payment systems to steal data, send payments and transfer funds. It’s unfortunate that Apple and the media won’t spend the 30 seconds it takes to Google “NFC credit card hack” and watch the videos and read the conference notes and articles on how insecure NFC really is.

  • Apps use NFC technology to hack Credit Card credentials (Oct 16, 2013): After months Google still hasn’t fixed the issue letting apps from the Play Store use NFC technology to steal credit card credentials.
  • [PDF] NFC Hacking: The Easy Way – Def Con, by E Lee (…/DEFCON-20-Lee-NFC-Hacking.pdf): NFC Hacking: The Easy Way. DEFCON 20 … between chipped credit cards and POS terminals … Contactless credit card reader (e.g. VivoPay, Verifone).
  • [PDF] Hacking the NFC credit cards for fun and debit – Hackito … (Apr 3, 2012): Hackito Ergo Sum 2012 – April 12, 13, 14 – Paris, France. How to recognize an NFC-enabled credit card? Small wave logo printed on the …
  • How NFC phones can steal your credit card info. – YouTube (Jan 27, 2012, uploaded by Id Stronghold): How NFC phones can steal your credit card info. … Building a RFID Zapper – Hacking a Disposable Camera by Tobias Othmar Hermann …
  • Hacking the NFC credit cards for fun and debit by … – YouTube (Jul 24, 2012, uploaded by Shakacon LLC): Hacking the NFC credit cards for fun and debit by Renaud Lifchitz … The way of do business very much easy using NFC business card.
  • [NFC HACK] : Use Pass Snow card or transport card with … – YouTube (Mar 8, 2013, uploaded by iHeathOfficial): [NFC HACK] : Use Pass Snow card or transport card with your … Cloning Credit Cards: Pre-play and downgrade attack (full length) by Michael …
  • Android NFC hack lets subway riders evade fares | Naked … (Sep 24, 2012, …/android-nfc-hack-lets-subway-rider…): Benninger said during his talk that he could replenish his card endlessly, according to Computerworld: “I can do …” Carwash POS systems hacked, credit card data drained.
  • Credit Card stealing Apps from NFC cards – Latest News … (Apr 29, 2013, …/credit-card-stealing-apps-from-nfc-cards/): This report in Mashable and CBS reports that there are apps now available to read and hack the NFC data on credit cards with the purpose of …
  • The Perfect Hack for Enabling NFC Credit Card Payments … – Business Insider (Aug 3, 2011): Remember the good ol’ days when you actually had to swipe your credit or debit card to make a pay…
  • Hacking the NFC Credit Cards for Fun and Debit by Renaud … (Jul 2, 2012, …/hacking-the-nfc-credit-cards-for-fun-and-debit-by…): Small wave logo printed on the card: “Hacking the NFC credit cards for fun and debit ;)” Renaud Lifchitz – BT 4 Shakacon 2012 – June 18-21 …

Recovering Your Files from CryptoLocker Free Tool from FireEye

Your Locker of Information for CryptoLocker Decryption | FireEye Blog.

Kudos to FireEye not only for building and hosting this tool so consumers can get their files back, but also for their effort to acquire a large number of the private keys that made this possible. FireEye does very good work and always acts honorably.

“To help solve the problem of victims’ files still being encrypted, we leveraged our close partnership with Fox-IT. We developed a decryption assistance website and corresponding tool designed to help those afflicted with the original CryptoLocker malware.”

Researcher Reveals: All iOS Devices Allow Access to All Data Through Hidden Services

Apple Think Different

Jonathan Zdziarski presented how all iOS devices are running Apple-created, undocumented, hidden services that allow access to all data on your device, even encrypted data. His slides are available here. Below I have summarized some of the more interesting parts and tried to put them in less technical terms.


  • Apple has worked hard to make iOS devices reasonably secure against typical attackers
  • Apple has worked hard to ensure that Apple can access data on end-user devices on behalf of law enforcement
  • Almost all native application / OS data is encrypted with a key
  • As of iOS 7, third party documents are encrypted, but Library and Caches folders are usually not
  • Once the device is first unlocked after reboot, most of the encrypted data can be accessed until the device is shut down
  • The undocumented services running on every iOS device help make this possible
  • Your device is almost always at risk of spilling all data, since it’s almost always authenticated, even while locked

Undocumented Services Overview

  • Accessed through lockdownd, requiring pairing authentication
  • iOS 7 trust dialog helps, but third-party accessories are making people stupid again
  • Bypasses the “Backup Encryption” mechanism provided to users
  • Can be accessed both via USB and wirelessly (WiFi, maybe cellular); networks can be scanned for a specific target
  • If the device has not been rebooted since the user last entered the PIN, can access all data encrypted with data protection (third-party app data, etc.)
  • Other (more legitimate) services enable software installation and APN installation (adding proxy servers) for continued monitoring
  • A number of commercial law enforcement forensic manufacturers have started tapping these services, for example AccessData (Mobile Phone Examiner)
  • A number of private tools and source are out there as well to take advantage of these services

Ransomware on your iPhone?  Oh my!  Using your own iOS pictures for blackmail? OH MY!!

The undocumented and hidden services your i-device is running that Apple never told you about

First service:

  • Completely bypasses Apple’s backup encryption for end-user security
  • Very intentionally placed by Apple and intended to send data from the device by request
  • Can collect data from the phone that user has deleted but still remains on the device because the memory has not been reused yet
  • This undocumented, hidden service can collect and send any and all data on your device, including data you probably didn’t know your device even kept; the list is too long to include here

Second Service:

  • Allows access to the Library, Caches, Cookies, Preferences folders as well
  • These folders provide highly sensitive account storage, social/Facebook caches, photos and other data stored in “vaults”, and much more

Additional services:

  • Provides detailed network usage per application on a per-day basis
  • Given an enterprise certificate, can be used to load custom software onto the device (which can run invisibly and in the background)
  • Syslog provides a lot of detail about what the device is doing, and often leaks user credentials from third-party apps via NSLog()
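Two of the points above are ones an app developer controls rather than Apple: third-party app data is only as protected as the data-protection class the app asked for (bullets above note that Library and Caches are usually not encrypted, and that data-protected files are readable once the device has been unlocked), and syslog only leaks credentials that an app chose to NSLog(). The snippet below is an added illustration, not code from the talk, the slides or Apple; it assumes an iOS app target, and the type name `SensitiveStore`, the keychain service string and the helper names are hypothetical.

```swift
import Foundation
import Security

/// Developer-side mitigations for the points in the talk (hypothetical type;
/// assumes an iOS app target where these Foundation/Security APIs exist).
enum SensitiveStore {

    /// Write a file with NSFileProtectionComplete. Its per-file key is discarded
    /// whenever the device locks, so the contents are unreadable while locked,
    /// even to a paired host. Keep such files out of Library/Caches, which the
    /// talk notes is usually not encrypted at all.
    static func writeProtected(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtection])

        // Verify the class actually applied instead of assuming it did.
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        guard let cls = attrs[.protectionKey] as? FileProtectionType, cls == .complete else {
            throw NSError(domain: "SensitiveStore", code: 1,
                          userInfo: [NSLocalizedDescriptionKey: "file protection not applied"])
        }
    }

    /// Store a credential in the keychain so it is readable only while the
    /// device is unlocked and is never migrated to another device through a
    /// backup (the ThisDeviceOnly variant).
    static func storeCredential(_ secret: String, account: String) -> OSStatus {
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.session", // hypothetical service name
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(lookup as CFDictionary) // replace any previous value

        var add = lookup
        add[kSecValueData as String] = Data(secret.utf8)
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(add as CFDictionary, nil)
    }

    /// Syslog is one of the channels the talk lists, so log a fingerprint of a
    /// credential for debugging, never the credential itself.
    static func redacted(_ secret: String) -> String {
        secret.count > 4 ? "****" + secret.suffix(4) : "****"
    }
}

// Usage inside an iOS app (constructed sample values):
// let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
// try SensitiveStore.writeProtected(Data("constructed-sample".utf8),
//                                   to: docs.appendingPathComponent("token.bin"))
// _ = SensitiveStore.storeCredential("constructed-sample", account: "alice")
// NSLog("stored session token %@", SensitiveStore.redacted("constructed-sample"))
```

The file check after the write matters because protection is an attribute of the file, not of the API call: a file written to a location that already exists with a weaker class keeps that class, which is exactly the case the slides describe for Library and Caches.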

Already documented and fairly public method of using these undocumented services

DROPOUTJEEP – a software implant for iPhones that allows remotely copying or placing files on a device, retrieving text messages, contacts, voicemail and location information, turning on the mic and camera, and reading cell tower location. It requires “close access” for the implant, which means they don’t need to physically touch the device; Bluetooth or WiFi might be ‘close enough’. Data extraction is done over GPRS (essentially cellular) or through text messaging. Ironically, all communication with the implant is “covert and encrypted”.

If you want to close off some of these attack surfaces, there is a simple and free solution from Apple called Apple Configurator that lets you prevent the device from pairing with other devices.

Breach at Goodwill Industries


Credit card and ATM card info stolen

Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports. According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards. In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter. “Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.


June 2014 Cyber Attacks Statistics |


Paolo Passeri does an excellent job of breaking down the month of June’s attacks, showing:

  • Daily Trend of Attacks
  • Motivations Behind Attacks
  • Distribution Of Attack Techniques
  • Distribution of Targets
  • Distribution of Targets Belonging to Industry

All in great-looking charts, which I won’t repost here; I believe you should visit his site to view his work.

Daily Trends of Attack June 2014