I was craving a pumpkin spice latte from Starbucks the other day. I didn’t have time to go get one myself, but one of my friends was going later in the day. He offered to pick one up for me. Yay!
Starbucks recently added support for Apple’s Passbook service in iOS 6, and I hadn’t yet been able to try paying for Starbucks with Passbook. I had already added my Starbucks Rewards Gold card to Passbook on my iPhone 5, and I like using my Gold card to pay whenever I can because it earns me points towards free drinks. So I had three choices: pay my friend back in cash, give him my Starbucks card from my wallet, or let him use my Passbook. I went with the third option, and it was as easy as taking a screenshot.
You see, Passbook is nothing but glorified bar codes. You add a card from a merchant and you scan the bar code on your iPhone’s screen at the register. It’s a bare-bones method for storing financial info, and it needs more layers of security before Apple should even consider tying it to your bank account. But for now, it’s not that big of a deal.
In the case of Starbucks, I took a screenshot of my card and iMessaged it to my friend. He then loaded the screenshot up on his iPhone and presented it at the register to pay for my drink. I ended up getting the points towards a free drink without even being there.
The same process could be applied to any number of situations, like using a friend’s movie ticket or MLB game stub in Passbook.
Now this isn’t a security flaw per se, but it’s kind of unsettling that using someone else’s Passbook is as easy as taking a screenshot. Perhaps Apple should disable iOS screenshots in Passbook, but then I suppose you could just take a picture of the bar code you want. There’s no real way around it. A separate passcode for Passbook would be a nice additional layer of security, however. If Apple is really planning to mature Passbook into something bigger, security should be a top priority. Imagine being able to take a screenshot of a bank card.
Passbook has the ability to set up location-based push notifications for favorite locations, like a Starbucks you frequent in your local area. When you get near said Starbucks, Passbook will alert you with a push so you remember to use the card you stored in the app. It’s a nifty feature, but for some reason it bypasses the passcode lock on the iPhone. Others have noticed this behavior as well. I guess Apple did this to streamline the process of using Passbook quickly at checkout. Apple’s Camera app behaves the same way from the lockscreen—it bypasses the passcode to give you quick access.
I’d like to keep Passbook password protected. You can’t access the rest of iOS by swiping on a location-based Passbook notification, but you can fully use Passbook. An option to enable or disable this behavior would be nice.
As of right now, the worst that could happen is a thief steals your expensive iPhone and buys himself $20 in lattes. Not the end of the world. If Passbook does end up becoming my digital wallet one day, I’d like to think that getting my bank info would be harder than opening the app and taking a screenshot.