Hello, welcome to the Friday, October 1st, 2021 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

BBC is reporting in an interview with security researchers that it's possible to launch a machine- a middle attack against Apple's Express Transit payments.

Quite a few larger cities around the world are supporting Express Transit.

And what it really means is that you're able to pay using your iPhone without having to actually unlock your iPhone.

So it's meant to be a low friction way to check in and check out as you enter and leave

a particular public transit system, similar to what in the past you would have done with

a paper ticket or sometimes with an RFID ticket specific to a particular

transit system. Now, the vulnerability here apparently only affects a visa. So if you have a visa

card registered with express transit and it's your classic machine in the middle vulnerability

where an attacker would place a device close to the victim's iPhone, then really the information across the internet to a second device that's close to a payment terminal.

The attacker would then modify the data and would be able to change the amount as well as the

destination of the money that is being withdrawn from the particular card.

Now, this was reported to Apple and Visa about a year ago.

At this point, it has not been fixed yet.

It appears to be more of a visa problem

versus an Apple problem. And visa states that the attack isn't really practical, given that it

does require the attacker to play essentially this machine in the middle attack. So lots of moving parts here, and they also point out that the attack was only

demonstrate in a lap.

Of course, you could also argue that it was demonstrated in the lab because it would

probably not be sort of safe and ethical to do it at an actual terminal using an actual

...