Beware of an ingenious Touch ID fraud that has made its way into the App Store
One of the advantages of the Touch ID system is how well it works. It rarely takes more than a moment to unlock an iPhone or approve a purchase. Recently, however, several fraudulent applications turned this ease of use into a weapon against everyone unlucky enough to download them.
Several unrelated sources report applications, supposedly related to health monitoring, that offer to track calories consumed, measure heart rate or perform other legitimate actions. After you scan a fingerprint, such an application quickly displays an in-app purchase pop-up and deducts from $90 to $12?, at the same time dimming the screen so that the window is hard to see. In some cases, even if you refuse to use Touch ID, the application asks you to press a button to continue and tries to make an in-app payment.
Charging exorbitant, unscrupulous amounts from users inside applications is not allowed under the rules of the Apple App Store; the applications described, named “Heart Rate Monitor”, “Fitness Balance app” and “Calories Tracker app”, have already been removed from it. It is not known whether they were made by one developer under different accounts or by different developers. In any case, their work was based not on malware but on simple deception, and on a good understanding of how we use Touch ID.
“As soon as you put a finger on the button, it starts scanning, so it’s ready in advance and works very quickly,” says Stephen Cobb, chief security researcher at the information security company ESET, who wrote about two of the fake applications on Monday. “Someone cunning invented and embodied a way in which people could be made to do something they didn’t want.”
The Touch ID system has long been used for more than unlocking the phone. It is used for Apple Pay and for authorization in various applications. Working with it is quick and easy, so users no longer think twice when an application asks for it. And when you put your finger on the "Home" button, there is no additional prompt confirming that you did this on purpose.
Cobb compares this scenario with the early era of QR codes, when scanners had no defense mechanism that checked where a box of black squiggles would send you. “It's absolutely the same thing,” he says. “A great idea, a new input type, the fingerprint reader, allowed us to create a huge variety of programs. The absence of a confirmation step allows you to bypass the user's confirmation.”
It is not known how many people lost money because of these fraudulent activities, although in a recent discussion thread on reddit at least a few people responded. Worse, this approach is easy to reproduce. Perhaps the initial review of programs for the App Store is carried out carefully, but fraudsters are able to bypass it, especially after receiving initial approval.
“Fraudulent apps are a problem for both iOS and Android, although they are fewer on the first OS due to a more closed ecosystem,” said Jerome Segura, head of threat research at Malwarebytes. “However, fraudsters often come up with tricky ideas to circumvent the initial checks. Over time, they update the applications and alter the procedures for in-app purchases, where most of the problems are concentrated.”
The good news is that people with the iPhone X and newer models will not have such problems, primarily because these models do not have a Home button. And to use Apple Pay through Face ID, you must double-click the side button.
But this does not help owners of older iPhones, and there are still a lot of these models in use. The best that owners of iPhones up to the iPhone 8 can do is to stay alert and use Touch ID only in applications they have reason to trust. Apple, for its part, could also reduce the likelihood of such a scam succeeding by evaluating applications more rigorously or by introducing an additional confirmation step for using Touch ID, although such measures would cause additional irritation. And it may not make sense for Cupertino unless the scale of such problems grows to unacceptable proportions, especially since Touch ID has been phased out over the past year.
“I repeat that the convenience and ease of use of new technologies can show us their other side,” says Segura. “Confirming purchases with the touch of a finger is a seamless procedure, but unfortunately, fraudsters can just as easily use it to our detriment.”