Apple Watch Flaw Lets Thieves Use Apple Pay

UPDATED 7:30 EDT Thursday with a statement from Apple.

Quick-fingered thieves may be able to steal an Apple Watch right off your wrist and use your Apple Pay account to buy things, a YouTube video posted yesterday (May 13) shows.

If a passcode (required to use Apple Pay) is set on an Apple Watch, the screen locks if the watch leaves the user's wrist for more than a second. But Nelson Aguilar and Neil Gonzalez of WonderHowTo demonstrated that if you press two fingers to the underside of an Apple Watch while using the other hand to undo the clasp, it may be possible to slip the watch onto another person's wrist without triggering the screen lock.

Apple Pay doesn't require the user to re-enter the passcode when making a purchase, so this technique would give a thief access to the legitimate user's account. Aguilar used Gonzalez's Apple Watch to go shopping at Walgreens, and the video shows that Apple Way would work even out of range of Gonzalez's iPhone -- all without Gonzalez's passcode.

MORE: Best Smartwatches to Buy Right Now

Tom's Guide was able to remove an Apple Watch from the wearer's wrist without triggering the screen lock, and maintain access to the wearer's Apple Pay account, although it would take a lot of practice to remove the watch without the wearer noticing.

Apple did not immediately reply to a request for comment. We'll update this story if it does.

This is the second Apple Watch security vulnerability to be disclosed in 24 hours. A separate YouTube video posted today (May 14) showed that an Apple Watch passcode can be entirely bypassed, and the watch reset, by putting an Apple Watch on its charging dock at just the right moment during its forced-reset procedure. (Tom's Guide was able to replicate that bypass as well.)

Of course, resetting the Apple Watch would delete all user information, including credit cards linked to Apple Pay. But combining these two techniques could let a dexterous thief on a crowded bus or subway car steal an Apple Watch, max out the user's Apple Pay credit cards and then reset the watch before selling it to a third person.

Apple Pay recently became a favorite tool of credit-card thieves, who found it easy to add stolen cards to their own iPhones. But that was due to lax procedures at the banks that had to verify the cardholders' identities, and not anything to with Apple Pay's own security procedures.

If your Apple Watch is stolen, you can log into your iCloud account to unlink your credit cards from Apple Pay. Apple says that your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with a payment, but you may want to alert the banks that issued your credit or debit cards anyway to ensure that you don't end up responsible for fraudulent charges​.

UPDATE: An Apple spokesman referred us to this passage on the Apple Pay page on the Apple website: "You can stop the ability to make payments from credit and debit cards on your Apple Watch with iCloud. Just log into iCloud.com and click on Settings."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.