Deccan Chronicle

$99 pinch for Touch ID users

Scammy iOS apps trick Apple’s Touch ID into approving payments


Washington, Dec. 4: A few scammy iOS apps have been taking advantage of Apple’s Touch ID by trying to trick users into making payments with false promises of using the fingerprint scans for fitness data, according to ESET’s WeLiveSecurity blog.

In separately reported incidents, apps posing as health assistants invite users to use Touch ID before they show a calorie tracker, or take a heart rate measurement, or some other seemingly legitimate function.

Once you scan your fingerprint, though, the apps briefly show an in-app purchase popup instead, charging anywhere from $90 to $120, and simultaneously dim the screen to make it hard to see the prompt.

In some cases, even if you decline to use Touch ID to enable a feature, the app asks you to tap to continue — and try the in-app payment scam instead.

Charging exorbitant, unscrupulous fees within apps violates Apple’s App Store guidelines; the apps in question, innocuously named “Heart Rate Monitor,” “Fitness Balance app,” and “Calories Tracker app,” have all been pulled.

It’s unclear if they came from separate developers, or one person operating multiple developer accounts. Either way, to pull off the scam they all rely not on malware but on duplicity — and an insight into how we use Touch ID.

“As soon as you put your finger on there, it starts scanning, so it’s ready and acting very quickly,” says Stephen Cobb, senior security researcher at cybersecurity firm ESET, which wrote about two of the bogus apps Monday. “Someone cleverly figured out they could use the way that’s implemented to get people to do things that they don’t want to do.”

Touch ID has long been used for more than just unlocking your iPhone, after all. You use it for Apple Pay and for authentication on various apps. It’s fast, it’s easy, and it works, which means you’re less likely to give much thought to using it when an app asks you to. And when you do put your finger on the home button, there’s no extra prompt to confirm that you actually meant to.

Cobb compares the scenario to the early days of QR codes, when scanners had no built-in mechanisms to verify where that square of black squiggles would send you. “This is exactly the same thing,” he says.

“This great idea for a novel form of input, your fingerprint, has been enabled in a wide range of programs. The fact that there’s no confirmation step involved in the way that this input is set up enables you to bypass user confirmation.”

It’s unclear how many people actually lost money to the scams, although a recent Reddit thread indicates that at least a few have. — Agencies
