A story made a lot of news this week because it involved a physical Apple Card being skimmed. It underlines the fact that people do not understand that when they fall back to using the physical card or entering the virtual number into a website manually, they are back to using the obsolete and dangerously insecure credit card infrastructure of old. That’s why Apple went to so much trouble to make Apple Pay the default way to use the card, and why they describe the physical card and the virtual number as fallback mechanisms for when Apple Pay can’t be used.
\n
\nWe’ve seen two distinct types of fraud against Apple Card \u2014 cloning attacks against the magnetic strip (not the chip for “Chip & PIN”), and leaking of the virtual number after entering it online.<\/p>\n
It’s impossible to protect the magnetic strip \u2014 that’s why most of the planet abandoned it years ago! This isn’t a problem with the Apple Card, but with the payment industry!<\/p>\n
With the virtual number Apple Pay users have a little more control than users of more traditional cards because they have the power to change the virtual number themselves without having to get a new card issued by their bank.<\/p>\n
It’s also vital to remember that from a legal point of view, customers are not liable for fraudulent transaction on any credit card \u2014 so it’s American banks that literally pay the price for their own failure to move with the times!<\/p>\n
Confusion reigned for a while when Apple updated the wording of their Safari privacy statement in a way that could be interpreted as saying they send all browsing data to Chinese firm Tencent as part of their phishing protections. To cut a long story short, no, that’s not what’s happening. Chinese iPhones use Tencent for phishing protection, and other iPhones use Google.<\/p>\n
This story revolves around an important security protection that’s enabled by default on all versions of Safari. The feature, named Fraudulent Website Warning<\/em>, protects users from known phishing URLs but putting up a warning when they browse to one.<\/p>\n The feature relies on blacklists maintained by search providers. Google’s Safe Browsing<\/a> API is probably the most comprehensive such blacklist, hence its use by just about every major browser (except Edge). Google’s API is not available in China, hence Chinese iPhones having to use an alternative service. The most comprehensive Chinese blacklist is the one maintained by Tencent, so it makes sense Apple would use it in China.<\/p>\n Apple have made clear that they only use Tencent in China, but we don’t have to take their word for it \u2014 security researchers have peeped under Safari’s bonnet and confirmed that the code does what Apple says it does.<\/p>\n The APIs for these services are also surprisingly privacy-aware. No cookies are sent, and the browser never actually sends the URLs to the blacklist providers for testing.<\/p>\n The way it works is that the browser periodically asks the blacklist provider to send a list of hashes of URL prefixes on which phishing URLs exist. These are hashes of parts of URLs. The browser keeps this list internally, and checks every website the user visits against it. Most of the time the prefix won’t match so the browser doesn’t need to do anything more to verify that the site is not blacklisted. If the prefix hash does match the browser asks the blacklist provider for hashes of all the full known-bad URLs with the matching prefix. The browser then checks a hash of the full URL against that more detailed list of hashes.<\/p>\n So, what does the provider know? Just two things: your IP address, and the prefix of a URL you visited, but not the full URL. No cookies are included in the API calls either.<\/p>\n IP addresses make very poor tracking identifiers \u2014 many humans share individual IPs, and individual humans move around between many different IPs. There simply isn’t a good mapping from single humans to single IP addresses, so they’re just not suited to reliable tracking!<\/p>\n I can’t see any scandal here, or indeed any cause for concern. The benefits of phishing protection far outweigh the very small privacy concerns over the purely hypothetical very inaccurate tracking the blacklist providers could deploy.<\/p>\n Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Security Medium 1 \u2014 Apple Card is not Magic A story made a lot of news this week because it involved a physical Apple Card being skimmed. It underlines the fact that people do not understand that when they fall back to using the physical card or entering the virtual number into a website manually, […]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[46,3612,50,569,3613],"class_list":["post-19504","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple","tag-apple-card","tag-security","tag-security-bits","tag-tencent"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=19504"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19504\/revisions"}],"predecessor-version":[{"id":19505,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/19504\/revisions\/19505"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=19504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=19504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=19504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Links<\/h4>\n
\n
Notable Security Updates<\/h3>\n
\n
\n
Notable News<\/h3>\n
\n
\n
Suggested Reading<\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
Palate Cleansers<\/h3>\n
\n
p\/q2-q4!<\/code> (it’s so-called descriptive notation<\/em> for an opening chess move). Thanks to the same set of ancient hashes we’ve known for some time that BASH author Stephen Bourne had a much more lax attitude to security since his password was bourne<\/code>, as did Eric Schmidt who used his wife’s name and some exclamation marks (wendy!!!<\/code>). Finally, we know that famous C-guru and Unix co-creator Brian Kernighan used the secure-looking but utterly insecure \/.,\/.,<\/code> (try type it and you’ll see it’s no better than qwerty<\/code>) \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n