University researchers have found a way to make fraudulent payments with Apple Pay from a locked iPhone that holds a Visa card in its digital wallet with Express Mode enabled.
The method is akin to a digital version of pickpocketing. It works wirelessly even if the iPhone is in a bag or in someone's pocket, and there is no transaction limit.
Transit payment trick
While examining relay attacks on contactless payments, researchers at the University of Birmingham and the University of Surrey in the UK found that iPhones confirm transactions without user authentication under certain conditions.
For a payment to be made, iPhone users normally must authorize it by unlocking the phone with Face ID, Touch ID, or a passcode.
In some scenarios, however, such as paying for public transport, unlocking the device makes the payment process cumbersome for the user.
Apple Pay addressed this with Express Transit, a feature that allows a transaction to be completed without unlocking the device.
Express Transit works with specific services, such as transit ticket gates, whose card readers send a non-standard sequence of bytes that bypasses the Apple Pay lock screen.
In combination with a Visa card, "this feature can be used to bypass the Apple Pay lock screen and pay illegally from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without the user's permission."
The researchers emulated a transit gate transaction using a Proxmark device acting as a card reader that communicates with the target iPhone, and an Android phone with an NFC chip that communicates with a payment terminal.
As seen in the image above, the method is an active man-in-the-middle replay and relay attack: the Proxmark replays the "magic bytes" to the iPhone to make it believe this is a transit transaction, so user authentication is not required to authorize the payment.
The attack is more involved than that, however. The researchers explain that certain flags must be set by changing specific bits so that Offline Data Authentication (ODA) is allowed for online transactions, a mode used by readers that may have intermittent connectivity (e.g., transit system entry gates).
"The attack works by first replaying the magic bytes to the iPhone, so it thinks the transaction is happening with an EMV transit reader. Second, when relaying EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, must be changed so that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set."
Looking further into the problem, the researchers found that they could also change the Card Transaction Qualifiers (CTQ), which are responsible for setting limits on contactless transactions.
This modification tricks the card reader into believing that the authentication step on the mobile device has completed successfully. During the experiment, the researchers completed a transaction of 1,000 GBP from a locked iPhone. They tested the attack successfully on an iPhone 7 and an iPhone 12.
The tests were conclusive only with iPhones and Visa cards. With Mastercard, a check ensures that a locked iPhone accepts transactions only from card readers with a transit merchant code.
When trying the method with Samsung Pay, the researchers found that transactions are still possible with locked Samsung devices. However, the transaction value is zero, and transit operators charge for tickets based on the data associated with those transactions.
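The difference between the Visa and Mastercard behaviour described above comes down to what the wallet accepts as evidence that it is talking to a transit gate. The following Python model is an added example, not code from the paper or from Apple, Visa or Mastercard: it contrasts a weak express-payment policy that trusts the reader's non-standard byte sequence alone with a hardened policy that also requires a transit merchant category code (MCC) and an amount cap. The transit MCC set, the cap, the sample requests and the TTQ bit positions are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed set of transit merchant category codes for this example
# (commuter transport, passenger railways, bus lines); not taken from the paper.
TRANSIT_MCCS = {"4111", "4112", "4131"}

# Assumed per-transaction cap for express (no-unlock) payments, in minor units.
EXPRESS_CAP_MINOR_UNITS = 5_000  # 50.00 GBP in pence


@dataclass(frozen=True)
class ReaderRequest:
    """What the wallet learns from the reader during a contactless transaction."""
    merchant_category_code: str  # MCC as four ASCII digits (EMV tag 9F15)
    claims_transit_gate: bool    # reader sent the non-standard "transit" byte sequence
    ttq: bytes                   # Terminal Transaction Qualifiers (EMV tag 9F66), 4 bytes
    amount_minor_units: int      # transaction amount in minor units (pence)


def decode_ttq(ttq: bytes) -> dict:
    """Decode the two TTQ flags named in the article, for audit logging.

    The bit positions are my reading of the EMV contactless specification and
    are assumptions in this example; verify them against your own spec.
    """
    if len(ttq) != 4:
        raise ValueError("TTQ must be exactly 4 bytes")
    byte1 = ttq[0]
    return {
        "emv_mode_supported": bool(byte1 & 0x20),              # byte 1, bit 6
        "oda_for_online_auth_supported": bool(byte1 & 0x01),   # byte 1, bit 1
    }


def weak_express_policy(req: ReaderRequest) -> str:
    """Decision for a LOCKED device that trusts the reader's transit signal alone.

    This is the behaviour the article attributes to the Visa/Apple Pay path:
    a relayed reader that replays the transit bytes is indistinguishable from a gate.
    """
    if req.claims_transit_gate:
        return "ALLOW"
    return "REQUIRE_UNLOCK"


def hardened_express_policy(req: ReaderRequest) -> str:
    """Decision for a LOCKED device that demands independent evidence of a transit payment.

    The MCC check mirrors the transit-merchant-code check the article describes for
    Mastercard; the amount cap is an added assumption that bounds the damage even
    if the other checks are ever bypassed.
    """
    if not req.claims_transit_gate:
        return "REQUIRE_UNLOCK: reader did not signal a transit gate"
    if req.merchant_category_code not in TRANSIT_MCCS:
        return f"REQUIRE_UNLOCK: merchant code {req.merchant_category_code} is not a transit code"
    if req.amount_minor_units > EXPRESS_CAP_MINOR_UNITS:
        return f"REQUIRE_UNLOCK: amount {req.amount_minor_units} exceeds express cap"
    return "ALLOW"


# Constructed sample requests.
# A relayed transaction: transit bytes replayed, but the real terminal is a retailer
# (MCC 5999 is used here simply as a non-transit code) charging 1,000 GBP.
RELAYED_RETAIL_REQUEST = ReaderRequest("5999", True, bytes.fromhex("21000000"), 100_000)
# A genuine gate: transit signal, transit MCC, small fare.
GENUINE_GATE_REQUEST = ReaderRequest("4111", True, bytes.fromhex("20000000"), 250)
# An ordinary reader that never signalled transit.
PLAIN_RETAIL_REQUEST = ReaderRequest("5999", False, bytes.fromhex("20000000"), 250)


if __name__ == "__main__":
    for name, req in [("relayed retail", RELAYED_RETAIL_REQUEST),
                      ("genuine gate", GENUINE_GATE_REQUEST),
                      ("plain retail", PLAIN_RETAIL_REQUEST)]:
        print(f"{name:14s} TTQ={decode_ttq(req.ttq)}")
        print(f"{'':14s} weak     -> {weak_express_policy(req)}")
        print(f"{'':14s} hardened -> {hardened_express_policy(req)}")
```

The point of the model is that the reader's byte sequence is attacker-controlled in a relay, so any policy that keys only on it will pass the relayed retail transaction; binding the express path to a merchant code the reader cannot freely claim, and capping the amount, are the checks that separate the two cases.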
The results of the research were sent to Apple and Visa in October 2020 and May 2021, respectively, but neither resolved the issue.
Instead, the two companies shifted the burden of a fix onto each other, so the vulnerability is still present and can be exploited with off-the-shelf hardware and software.
Details of the research are available in a paper titled "Practical EMV Relay Protection," which will be presented at the 2022 IEEE Symposium on Security and Privacy.
Its authors are Andreea-Ina Radu and Tom Chothia from the University of Birmingham, and Christopher J.P. Newton, Ioana Boureanu and Liqun Chen from the University of Surrey.