Want To Share Your iPhone’s Passbook? It’s As Easy As Taking A Screenshot

Sharing lattes has never been so easy.

I was craving a pumpkin spice latte from Starbucks the other day. I didn’t have time to go get one myself, but one of my friends was going later in the day. He offered to pick one up for me. Yay!

Starbucks recently added support for Apple’s Passbook service in iOS 6, and I hadn’t yet been able to try paying for Starbucks with Passbook. I had already added my Starbucks Rewards Gold card to Passbook on my iPhone 5, and I like using my Gold card to pay whenever I can because it earns me points towards free drinks. So I had three choices: pay my friend back in cash, give him my Starbucks card from my wallet, or let him use my Passbook. I went with the third option, and it was as easy as taking a screenshot.

You see, Passbook is nothing but glorified bar codes. You add a card from a merchant and you scan the bar code on your iPhone’s screen at the register. It’s a bare bones method for storing financial info, and it needs more layers of security before Apple should even consider tying it to your bank account. But for now, it’s not that big of a deal.

In the case of Starbucks, I took a screenshot of my card and iMessaged it to my friend. He then loaded the screenshot up on his iPhone and presented it at the register to pay for my drink. I ended up getting the points towards a free drink without even being there.

Passbook notifications bypass the passcode lock on your iPhone.

The same process could be applied to any number of situations, like using a friend’s movie ticket in Passbook or MLB game stub.

Now this isn’t a security flaw per se, but it’s kind of unsettling that using someone else’s Passbook is as easy as taking a screenshot. Perhaps Apple should disable iOS screenshots in Passbook, but then I suppose you could just take a picture of the bar code you want. There’s no real way around it. A separate passcode for Passbook would be a nice additional layer of security, however. If Apple is really planning to mature Passbook into something bigger, security should be a top priority. Imagine being able to take a screenshot of a bank card.

Passbook has the ability to set up location-based push notifications for favorite locations, like a Starbucks you frequent in your local area. When you get near said Starbucks, Passbook will alert you with a push so you remember to use the card you stored in the app. It’s a nifty feature, but for some reason it bypasses the passcode lock on the iPhone. Others have noticed this behavior as well. I guess Apple did this to streamline the process of using Passbook quickly at checkout. Apple’s Camera app behaves the same way from the lockscreen—it bypasses the passcode to give you quick access.

I’d like to keep Passbook password protected. You can’t access the rest of iOS by swiping on a location-based Passbook notification, but you can fully use Passbook. An option to enable or disable this behavior would be nice.

As of right now, the worst that could happen is a thief steals your expensive iPhone and buys himself $20 in lattes. Not the end of the world. If Passbook does end up becoming my digital wallet one day, I’d like to think that getting my bank info would be harder than opening the app and taking a screenshot.
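A static bar code works from a screenshot because the register sees the same value every time. The sketch below is an added example, not part of the original article and not Apple's or any merchant's implementation: it shows a code that changes every 30 seconds and can be redeemed only once, so a forwarded image stops working. The card ID, secret, window length and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 30  # seconds one displayed code stays valid (assumed value)

def display_code(secret: bytes, card_id: str, now: float) -> str:
    """Value the phone would render as a bar code at time `now`."""
    counter = int(now // WINDOW)
    msg = card_id.encode() + struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
    return f"{card_id}.{counter}.{mac}"

class Register:
    """Server-side check run when the cashier scans a bar code."""
    def __init__(self, secrets):
        self.secrets = secrets  # card_id -> per-card secret
        self.spent = set()      # (card_id, counter) pairs already redeemed

    def redeem(self, scanned: str, now: float) -> str:
        try:
            card_id, counter_s, mac = scanned.split(".")
            counter = int(counter_s)
        except ValueError:
            return "malformed"
        secret = self.secrets.get(card_id)
        if secret is None:
            return "unknown card"
        current = int(now // WINDOW)
        if counter not in (current, current - 1):  # allow one window of clock skew
            return "expired"
        expected = display_code(secret, card_id, counter * WINDOW).split(".")[2]
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad mac"
        if (card_id, counter) in self.spent:       # one purchase per code
            return "already used"
        self.spent.add((card_id, counter))
        return "ok"

def demo():
    secret = b"constructed-demo-secret"            # constructed sample data
    reg = Register({"CARD1234": secret})
    t0 = 1_000_000.0
    shot = display_code(secret, "CARD1234", t0)    # what a screenshot would capture
    return [reg.redeem(shot, t0 + 5),              # scanned right away
            reg.redeem(shot, t0 + 10),             # same image scanned again
            reg.redeem(shot, t0 + 3600)]           # image reused an hour later
```

The trade-off is that the phone and the server must share a per-card secret and roughly agree on the time, and the card holder can make only one purchase per window.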

  • dcborn61

    How much do you have to trust a friend to give him a screenshot of your Starbucks card? I don’t have any friends I’m that close with.

  • Will Abbey

    You can use your passcode to protect your passbook as well. Just go to your passcode settings and under “Allow Access When Locked” change the setting for passbook. Easy.

  • kavok

    How much do you have to trust a friend to give him a screenshot of your Starbucks card? I don’t have any friends I’m that close with.

    Yes, who is to say they don’t continue to use the screen shot later on? Of course you will pretty much know what is going on when you see your balance dwindle into nothing, and you know who would be doing it. Definitely would have to be someone you trust. Even on the Starbucks card it says treat it like a bank card and secure it appropriately.

  • noksucow

    Why doesn’t the app just create a new code for each transaction? I believe that’s how the Dunkin’ Donuts app does it.

  • mr_bee

    This is why they bought the fingerprint reader technology for iPhone 5s or iPhone 6.

  • mr_bee
    How much do you have to trust a friend to give him a screenshot of your Starbucks card? I don’t have any friends I’m that close with.

    Mostly all they can do with it is earn money for you though. It’s just a coupon. It’s no different than buying someone a coffee or lending them your paper Starbucks card. What’s the danger?

  • andrewflon

    You shouldn’t need to worry about such Pass copying.

    When a business sets up a Passbook system they need a central server. The server software manages all its Passes – it handles Pass creation, distribution, authentication and updates.

    When you receive a new Pass (via weblink or as an email attachment – created especially for you by the server) you have to ‘Add’ it to your Passbook. This causes your phone to contact the server and they exchange several packets of info (serial number, Passtype ID, authentication token and Device ID). The server now has a specific Device ID matched to the Pass.

    If someone was to take a screen shot of your Pass and then take it to a store to redeem it, the Server will receive the Pass serial number by decoding the barcode. It then sends a message to the phone requesting the authentication token it previously exchanged during registration. If it doesn’t match with the right Device ID then the Server should reject it as an invalid Pass.

    Apple has carefully designed how Passbook works – you can’t break security by simply taking a screenshot.

    What if someone steals your phone and uses your Passbook coupons, or Storecards? If they are simple Passes that you received for free then bad luck. If they are more important (eg they include a cash balance, or are an airline boarding pass) then the Business should attach a photo ID to the Pass during registration for backup security.

    If the Server is designed properly, Passbook is very secure.

    Andrew Phillips
    Flon Solutions

    P.s. check out these Cool Passes
    http://www.flonsolutions.com/passes.html

  • Shane Bryson

    “Mostly all they can do with it is earn money for you though. It’s just a coupon. It’s no different than buying someone a coffee or lending them your paper Starbucks card. What’s the danger?”

    Those cards carry a balance. They could be spending money you have on your Starbucks card. For all intents and purposes, it’s a Starbucks debit card. Very easy to steal money with.

About the author

Alex Heath is a senior writer at Cult of Mac and co-host of the CultCast. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.
