Why is this important: Everyone loves the convenience of contactless payments, especially when you’re in a rush. However, this convenience often comes at the cost of reduced security. It turns out that a combination of flaws in the Apple Pay and Visa systems can allow a hacker to make unauthorized payments using only a stolen, powered-on iPhone.
A group of researchers from the Universities of Birmingham and Surrey in the UK have revealed a new iPhone flaw that allows attackers to make unauthorized contactless payments by exploiting a weakness in Apple Pay’s Express Transit feature while using a Visa card.
Express Transit (Express Travel in the UK) allows an iPhone user to touch and go at ticket barriers for much faster payments. In other words, it eliminates the need to authenticate using a password, Touch ID, or Face ID when making payments, but it also introduces a weakness that can easily be exploited with relatively inexpensive, commercially available radio equipment.
The researchers explained that all it takes to make an unauthorized contactless payment of £1,000 (around $1,350) is to program the radio equipment to mimic a ticket barrier system and relay the so-called “Magic bytes” via an Android application to emulate a real contactless transaction. Dr Ioana Boureanu, who is among the researchers who discovered the vulnerability, claims that the dummy payment terminal and Android phone must be near the victim’s iPhone for the exploit to be successful, which becomes painfully easy in the event of a lost or stolen iPhone.
So far, researchers have found no evidence that this security flaw has been exploited in the wild, but lead researcher Dr Andreea Radu believes it is only a matter of time before malicious actors take advantage of it. Apple was made aware of the problem in October 2020, but the company transferred the responsibility to Visa, which was informed in May 2021. The latter says it is aware of countless variations of contactless fraud schemes developed in the lab and maintains that the feat is “impractical to perform on a large scale in the real world.”
At the time of writing, neither company is willing to provide a fix. Visa claims you’ll be protected by its zero liability policy, and researchers say they didn’t find the same problem when testing Express Transit with Mastercard. Additionally, by trying the same attack method with Samsung Pay, the researchers found that even though transactions are possible with locked Samsung devices, the transaction value is zero and the approval process is based on a special agreement between the bank and transport providers on the cost of tickets.
For now, if you want to be more secure, you can turn off Express Transit payments. If you are looking for in-depth reading on the subject, you can find the associated research paper here. You can also check out DinoSec’s full list of lock screen bypass issues affecting every major version of iOS since iOS 5.