Friday, July 17, 2015

TfL cautions users over pitfalls of Apple Pay

Apple Pay on the tube could leave you charged twice, stuck at the gates or with a penalty fare, warns Transport for London.
Transport for London has warned tube, train and bus passengers paying with Apple Pay on iPhones and Apple Watches not to let their batteries run flat or they could get stuck at gates and face penalty fares.

TfL advises users that, as with other smartphone payment systems including EE’s Cash on Tap, Apple Pay only works if a device has power. It warns that, if the battery runs out in the middle of a journey, a user will not be able to tap out, which means they could be charged a maximum fare.

“If an inspector asks you to touch your iPhone or Apple Watch on their reader, it will not be able to be read and you could be liable for a penalty fare,” TfL says.

TfL also lists owning both an iPhone and an Apple Watch as a potential issue – with a risk of being charged twice if the two devices are registered as separate cards. It warns that receiving a call while attempting to touch into or out of the gates will cause problems, and that users with multiple cards in their Apple Pay wallet must remember to touch in and out with the same one or potentially be charged twice.

For overseas travellers using Apple Pay, TfL warns it may not work and that users could be charged currency conversion fees.

Another problem with smartphone payment systems on public transport is the speed with which they operate. One of the biggest obstacles holding back contactless credit cards and smartphones with near-field communication chips from being used on the London Underground was the time it took for the system to authenticate the user and open the gates.

Oyster cards operate at sub-second times, which are faster than paper tickets and contactless cards. Apple Pay and other smartphone systems operate at a rate that is slightly slower than contactless cards, if they are pre-authorised.

For the iPhone that means selecting the correct card and authenticating it with a fingerprint before touching the phone on the card reader; users who only do this at the gate have led to irate commuters and queues.

Friday, July 3, 2015

Samsung 'investigating' claims of fingerprint hack on Galaxy S5


Samsung is “investigating” claims from security researchers that hackers can steal copies of fingerprints from the company’s 2014 flagship Galaxy S5 smartphone, as well as other Android devices, by exploiting a weakness in the operating system’s handling of biometric data.

According to security firm FireEye, Android fails in its attempts to render fingerprint information inaccessible to most apps by sequestering it in a “secure zone” on the phone. The flaw is simple: rather than trying to break into the secure zone itself, the attackers simply focus on reading the data coming directly from the fingerprint sensor before it reaches the secure zone.

With this information, it’s possible to reconstruct the fingerprint, and potentially use it elsewhere, the researchers told Forbes’ Thomas Fox-Brewster.

“If the attacker can break the kernel, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” one of the researchers, Yulong Zhang, told Forbes. “You can get the data, and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

The vulnerability is fixed on the newest version of Android, Lollipop – which runs on newer devices, including the Galaxy S6 – and users who can upgrade should. As well as Samsung, some – but not all – other Android devices running versions earlier than Lollipop are affected, though the Galaxy S5 was the only one named. Samsung says it “takes consumer privacy and data security very seriously” and is investigating FireEye’s claims, which are due to be revealed in more detail at the upcoming RSA security conference.

Apple’s TouchID system, present on the iPhone 5s and iPhone 6, uses a similar trusted zone architecture, but no attacker has yet demonstrated the ability to lift fingerprints off the device using a software hack. The fingerprint sensor has, however, been shown to be vulnerable to spoofed fingerprints: a fake fingerprint, printed onto a laminated sheet and stuck to a real finger, can fool the sensor.

Of course, stealing a fingerprint through a software hack may not be the easiest way to bypass biometric security: in December, a hacker demonstrated the ability to spoof a German minister’s fingerprints from just a photograph of her hand.