Naked Security

Apple Watch lets nimble-fingered crooks use your Apple Pay

Nimble-fingered crooks can exploit the one-second lag before Watch senses it's off a wrist and asks for a passcode.

As the sleeve-tattooed among us already know, Apple Watch needs nice, clear access to skin.

As long as it’s got that contact, it won’t pester users to re-enter their passcode every time they want to use an app like, say, Apple Pay.

That’s thanks to Apple having secured Watch against fraudulent use by outfitting it with sensors that are supposed to be able to tell if someone is wearing the device.

If the gadget’s heart rate sensor can’t detect a user’s pulse, and if the watch can’t detect direct contact with a user’s skin, it could cause apps, including Apple Pay, to stop and repeatedly ask for a passcode.

That’s both a good thing and a potential security flaw, as it turns out.

Presumably, Apple didn’t want the wearer to be asked for a passcode whenever the Watch shifted on his or her wrist.

That means there’s actually a brief window of time – just one second – in which Watch will put up with losing skin contact without prompting for passcode entry.

As recently reported by WonderHowTo, a nimble-fingered thief could use that one-second delay to slip two fingers over the rings on the back of the Watch – which house the four components of the heart rate sensor: two green/infrared LEDs and two photodiode sensors – and lift the Watch off a victim’s wrist.

In other words, Watch can’t tell the difference between two fingers of a thief and the wrist of the Watch’s rightful wearer.
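To make the grace-window behaviour concrete, here is an added toy model of a wrist-detection lock policy. It is not Apple's code and does not describe how Apple Watch actually implements wrist detection; the one-second window comes from the article, while the sensor sampling rate, the `lookback` period and the stricter payment rule are assumptions made for illustration. The sample streams are constructed inline.

```python
"""Toy model of a wearable's wrist-detection lock policy with a grace window.

Added illustration, not Apple's implementation. Assumed policy: the device
stays unlocked as long as any loss of skin contact lasts less than
GRACE_SECONDS (about one second, per the article); a longer gap locks it and
a passcode is required again.
"""
from dataclasses import dataclass

GRACE_SECONDS = 1.0   # grace window from the article; everything else is assumed
SAMPLE_STEP = 0.25    # assumed sensor sampling interval in seconds


@dataclass(frozen=True)
class ContactSample:
    t: float            # seconds since the stream started
    skin_contact: bool  # what the skin/heart-rate sensors report at time t


def make_samples(total_seconds, no_contact_windows, step=SAMPLE_STEP):
    """Constructed sample stream: contact everywhere except inside the
    half-open (start, end) windows listed in no_contact_windows."""
    n = int(round(total_seconds / step))
    return [
        ContactSample(i * step, not any(a <= i * step < b for a, b in no_contact_windows))
        for i in range(n + 1)
    ]


def contact_gaps(samples):
    """Return [(first_no_contact_t, last_no_contact_t), ...] for each run of
    samples without skin contact, in time order."""
    gaps = []
    start = last = None
    for s in sorted(samples, key=lambda x: x.t):
        if s.skin_contact:
            if start is not None:
                gaps.append((start, last))
                start = last = None
        else:
            if start is None:
                start = s.t
            last = s.t
    if start is not None:          # contact never came back
        gaps.append((start, last))
    return gaps


def lock_decision(samples, grace=GRACE_SECONDS):
    """(locked, lock_time): the device locks the moment a no-contact run has
    outlived the grace window; shorter dropouts (a strap shifting) are ignored."""
    for start, last in contact_gaps(samples):
        if last - start >= grace:
            return True, start + grace
    return False, None


def payment_needs_passcode(samples, now, grace=GRACE_SECONDS, lookback=30.0):
    """Hypothetical stricter rule for a high-value action such as a payment:
    require the passcode if the device is locked, or if *any* contact dropout,
    even one shorter than the grace window, ended within the last `lookback`
    seconds. This trades a little convenience for not extending the
    comfort-oriented grace window to payments."""
    locked, _ = lock_decision(samples, grace)
    if locked:
        return True
    return any(now - last <= lookback for _, last in contact_gaps(samples))


if __name__ == "__main__":
    scenarios = {
        "steady wear":            make_samples(10, []),
        "strap shifts for 0.5s":  make_samples(10, [(2.0, 2.5)]),
        "watch removed at t=3":   make_samples(10, [(3.0, 10.25)]),
        "one-sample dropout":     make_samples(10, [(5.0, 5.25)]),
    }
    for name, stream in scenarios.items():
        print(f"{name:24s} lock={lock_decision(stream)}  "
              f"payment@t=10 needs passcode={payment_needs_passcode(stream, now=10.0)}")
```

The point the model makes is the one the article makes: a policy that only looks for a contact gap longer than the grace window never fires if the sensors are kept covered the whole time, so the lock is no protection against that case. The stricter `payment_needs_passcode` rule is one way a designer could keep the comfort-oriented grace window for ordinary use while still asking for a passcode before a payment whenever contact was interrupted recently; it is an assumed design option, not a feature the article attributes to Apple.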

Then, after strapping the stolen Watch onto his or her own wrist, the thief can go buy goodies using their victim’s Apple Pay account.

Maybe they might want to pick up some potato chips, as the GadgetHacks guys demonstrated in this YouTube video.

With Apple Pay accepted at “hundreds of thousands” of retail locations, the possibilities for fraudulent purchases go way beyond snacks.

The scam doesn’t work all the time, the device hackers admit. And you’d have to be a pretty dexterous pickpocket to pull it off without the device’s owner noticing (but then again, pickpockets have been doing exactly that since wrist watches were invented).

If you do lose your Watch, immediately unlink your credit cards from Apple Pay, which you can do directly from the Apple Watch application on your iPhone.

Make sure you’re using a strong passcode too so that a thief who lifts your Watch can’t wipe it and use it as their own by syncing it to another iPhone.

Make the crooks use their own money to buy their junk food, not your Apple Pay account!


Image of girl wearing Apple Watch courtesy of Giuseppe Costantino / Shutterstock.com.