iPhone’s Wi-Fi auto-connect behavior could trick users into sharing credit card data on a spoofed Apple Pay screen

Apple has been alerted by researchers at Wandera, a mobile security company, to a potential security weakness in iOS that could be used by attackers to trick users into sharing their personal and credit card data. Relying on the default behavior of iOS devices with Wi-Fi turned on, the weakness could be used to present a fake “captive portal” page that mimics the Apple Pay interface.

Ars has previously reported on the behavior the attack leverages, which is a well-known issue: iOS devices with Wi-Fi turned on will by default try to connect to any access point advertising a known SSID. Whenever the device is not connected to a network, it broadcasts those SSIDs in “probe” messages. A rogue access point can capture the probe request, pose as one of the known networks, and then present a pop-up screen styled as any web page or app.
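The behavior described above, a device joining any access point that merely advertises a saved SSID, is something a defender can check for on the client side. The following is an added illustration, not code from Wandera, Apple or Ars: it compares an observed association against a saved-network profile and flags the signs of an impersonating access point (a BSSID never seen before for that SSID, an encrypted profile answered by an open network, or a captive portal from a network that never showed one). The profile and event record layouts are assumptions made for the example, not a real iOS log format, and all sample data is constructed.

```python
"""Flag Wi-Fi associations that look like a rogue AP impersonating a saved network.

Added example for illustration only. The KnownNetwork / Association record
layouts are constructed assumptions, not an actual iOS or Wandera data format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownNetwork:
    ssid: str
    bssids: frozenset        # lowercase BSSIDs this SSID was previously seen with
    security: str            # "wpa2", "wpa3" or "open"
    captive_portal: bool     # whether this network has ever shown a portal page


@dataclass(frozen=True)
class Association:
    ssid: str
    bssid: str
    security: str
    captive_portal: bool     # a portal page was shown right after joining


def assess(profiles, event):
    """Return the reasons an association is suspicious (empty list if none).

    profiles: dict mapping SSID -> KnownNetwork for every saved network.
    event:    the Association the device just completed.
    """
    findings = []
    profile = profiles.get(event.ssid)
    if profile is None:
        # iOS does not auto-join unsaved SSIDs, so an unknown SSID is out of scope here.
        return findings
    if event.bssid.lower() not in profile.bssids:
        findings.append("unknown BSSID for saved SSID")
    if profile.security != "open" and event.security == "open":
        findings.append("security downgrade: saved network is encrypted, this one is open")
    if event.captive_portal and not profile.captive_portal:
        findings.append("captive portal shown by a network that never had one")
    return findings


# Constructed saved-network profiles (sample data, not from any real device).
PROFILES = {
    "CoffeeShop-Guest": KnownNetwork(
        "CoffeeShop-Guest", frozenset({"aa:bb:cc:00:00:01"}), "open", True),
    "HomeNet": KnownNetwork(
        "HomeNet", frozenset({"de:ad:be:ef:00:01"}), "wpa2", False),
}

# Constructed association events, in the order a device might see them.
EVENTS = [
    Association("CoffeeShop-Guest", "AA:BB:CC:00:00:01", "open", True),   # legitimate
    Association("CoffeeShop-Guest", "02:11:22:33:44:55", "open", True),   # new BSSID
    Association("HomeNet", "02:11:22:33:44:66", "open", True),            # impersonation
]


def run_demo():
    """Assess every constructed event and return {SSID@BSSID: findings}."""
    return {f"{e.ssid}@{e.bssid}": assess(PROFILES, e) for e in EVENTS}


if __name__ == "__main__":
    for key, findings in run_demo().items():
        print(key, "->", findings or ["ok"])
```

Saved open networks carry most of the risk this check targets, because the device will join any access point that advertises the SSID without exchanging a credential; the BSSID and portal checks are what distinguish the café’s own access point from a look-alike. Treating any finding as a reason to close the portal page and turn Wi-Fi off is consistent with the mitigations the researchers suggest.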

The Wandera attack uses this behavior to get a mobile device to connect and then pushes a pop-up portal page—similar to the ones used by public Wi-Fi services to show a web-based login screen—that is designed to look like an Apple Pay screen for entering credit card data. The attack could be carried out by someone near a customer who is conducting an Apple Pay transaction, or has just completed one, so that the user is tricked into believing Apple Pay itself is asking for the credit card data to be entered again. An attacker could loiter near a point-of-sale system with an Apple Pay terminal and run the attack continuously.

However, this attack may not trick many people, since the fake captive portal page is shown underneath a “Log In” title bar.

In a statement e-mailed to Ars, Eldar Tuvey, CEO of Wandera, said: “In high footfall locations, even a very small ratio of success will yield a large number of valuable credit card numbers. It’s all so easy for them. Using readily available technology, which they may be discreetly carrying about their person, hackers can for the first time focus their efforts where their victims are at their most susceptible—at the checkout.”

The real weakness exploited here is iOS’ automatic Wi-Fi connection and the way in which iOS displays captive portal pages. One easy way to stop this kind of attack is to switch Wi-Fi off when not deliberately connecting to a network. The Wandera researchers suggested that Google and Apple should “consider adopting a secure warning when displaying captive portal pages to users, so that users exercise caution.” They also suggested that users close and re-open payment applications before entering credit card data, and use the apps’ camera capture capability to enter card data whenever possible.

Ars has contacted Apple and is still awaiting an official reply. As the screenshots suggest, the spoofed page looks notably different from Apple Pay’s actual interface. Further, a card registration screen appearing after a transaction is not expected behavior for the service, as Apple Pay never requests credit card data during a transaction.