Apple Pay payments can be stolen from your iPhone over the air, and the problem persists because neither Apple nor Visa wants to be the one to fix it, according to British researchers.
Researchers from the Universities of Birmingham and Surrey have shown, in a new website and research paper, that they can mimic Transport for London contactless card readers with off-the-shelf equipment and take £1,000 (around US$1,350) from iPhones using Apple Pay, as long as the payment was tied to a Visa card.
Because of this, a hacker or con artist with the right equipment in a coat pocket could lurk in metro stations in major cities, capture Apple Pay transactions from passers-by, and then “replay” those transactions in retail stores anywhere in the world.
Phone thieves could also use this method to extract money from locked iPhones, as long as the phone is switched on.
“Perhaps the biggest worry is the loss or theft of a phone,” Ken Munro, director of Pen Test Partners, who was not involved in the research, told the BBC. “The con artist no longer has to worry about being spotted by others as he leads the attack.”
Yet because of a dispute over whose system is at fault, Apple and Visa are apparently pointing the finger at each other.
“Apple Pay users don’t need to be in danger, but until Apple or Visa fixes this problem, they are,” said researcher Tom Chothia of the University of Birmingham.
“We take any threat to user safety very seriously,” Apple told Tom’s Guide. “It’s a problem with a Visa system, but Visa doesn’t think this type of fraud is likely to happen in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorized payment occurs, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
How to protect yourself from this attack
To protect yourself from this kind of attack, do not link a Visa card to Apple Pay’s Express Transit or Express Travel mode, which is explained below.
If your iPhone is stolen or lost, use iCloud to remotely turn off Apple Pay entirely. If you believe fraudulent transactions have been made with a Visa card linked to Apple Pay, notify your card issuer immediately.
Why this attack can happen
The fault is due to two different things. The first is Apple’s “Express Transit” or “Express Travel” mode, introduced with iOS 12.3 in May 2019, which allows Apple Pay transactions without the iPhone owner unlocking the phone, for example when passing quickly through a subway turnstile. The second is how Visa handles these payments.
With a Mastercard instead of a Visa linked to Apple Pay, the attack did not work, the researchers said. Nor did it work on Samsung phones using Samsung Pay, which has a similar lock-screen transit mode.
According to an Apple support document, Express Transit / Travel is supported on transit systems in London, New York, Beijing, Shanghai, Hong Kong, Los Angeles, Chicago, Washington, DC, Portland, Oregon, San Francisco Bay Area and throughout Finland and Japan.
How the hack works
The researchers set up in several London Underground stations and captured the signals sent between the contactless card readers at the turnstiles and their own iPhones. They then programmed portable Proxmark RFID (Radio Frequency Identification) tools to mimic Transport for London card readers.
The researchers found that the turnstiles broadcast a 15-byte sequence to let iPhones know they were interacting with a transit system. The iPhones then activated Apple Pay upon receipt of these “magic bytes”, despite the iPhones being locked.
After that, an Apple Pay transaction could be completed and processed. The researchers used an Android phone, communicating with the Proxmark over the internet, to present the relayed iPhone responses to a real payment terminal and complete the transaction. The attacker’s Android phone does not need to be anywhere near the targeted iPhone.
“It can be on another continent from the iPhone as long as there is an internet connection,” University of Surrey researcher Ioana Boureanu told the BBC.
Payment limit exceeded
Express Transit / Travel imposes a fairly low limit on the amount that can be charged. But the researchers found that they only needed to change two bits in the data relayed between the Proxmark and the payment terminal (the flags that tell the terminal whether the cardholder was verified on the device) to get past this limit.
Visa told the researchers that “if this attack were to trigger fraud alerts … it would ultimately be stopped,” according to the research paper. “We have carried out our attack several times, for large amounts, from the same card, and have never been blocked or flagged for fraud.”
Visa proposed a countermeasure to stop the attack, the researchers said, but added that it could easily be circumvented. Instead, the researchers propose that Visa or Apple implement a variant of the method used by MasterCard to successfully block these attacks.
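To make the relay and the two-bit change concrete, and to show why a relay-resistance check of the kind the researchers attribute to Mastercard stops it, here is a toy model written for this article. It is not the researchers’ code, the Proxmark firmware, or any Apple, Visa or Mastercard implementation. Everything in it is an assumption made for the model: the 15-byte “magic” value, the transit limit, the position of the “verified on device” flag bit in the card’s response, the round-trip times, and the timing bound (Mastercard’s mechanism is assumed here to be its timing-based relay resistance check). The phone, relay and terminal are plain Python objects, and latency is a number rather than a measured clock.

```python
"""Toy model of the Express Transit relay described above, plus a terminal-side
relay-resistance (timing) check.  All constants are constructed for the model
and do not reproduce real EMV, Apple Pay or Visa values."""
from dataclasses import dataclass
from typing import Optional, Tuple

MAGIC_BYTES = bytes([0xA5] * 15)   # stands in for the transit reader's 15-byte identifier (assumed)
TRANSIT_LIMIT = 30                 # assumed contactless limit for transit-mode payments
CDCVM_PERFORMED = 0x80             # assumed flag bit meaning "cardholder verified on device"
NFC_RTT_MS = 5                     # assumed round trip for a phone held directly at a reader
RELAY_RTT_MS = 180                 # assumed extra latency of the Proxmark -> internet -> Android hop
RRP_MAX_RTT_MS = 50                # assumed bound a relay-resistant terminal enforces


@dataclass
class LockedIPhone:
    """A locked iPhone with a Visa card enabled for Express Transit."""

    def respond(self, reader_hello: bytes, amount: int) -> Optional[bytes]:
        # A locked phone only answers a reader that presents the transit identifier.
        if reader_hello != MAGIC_BYTES:
            return None
        # Transit payment: no user verification, so the flag byte stays clear.
        ctq = 0x00
        return bytes([ctq]) + amount.to_bytes(4, "big")


@dataclass
class Relay:
    """Attacker's Proxmark (facing the iPhone) and Android phone (facing the shop terminal)."""
    flip_cdcvm: bool = False

    def forward(self, phone: LockedIPhone, amount: int) -> Tuple[Optional[bytes], int]:
        # The Proxmark always replays the transit identifier, whatever the real terminal sent.
        resp = phone.respond(MAGIC_BYTES, amount)
        if resp is None:
            return None, NFC_RTT_MS
        if self.flip_cdcvm:
            # The paper's two-bit change is modelled as setting one assumed flag bit.
            resp = bytes([resp[0] | CDCVM_PERFORMED]) + resp[1:]
        return resp, NFC_RTT_MS + RELAY_RTT_MS


def terminal_decision(resp: Optional[bytes], rtt_ms: int, amount: int,
                      relay_resistance: bool) -> str:
    """Shop-terminal logic: optional timing check, then the transit-limit check."""
    if resp is None:
        return "declined: no card response"
    if relay_resistance and rtt_ms > RRP_MAX_RTT_MS:
        return "declined: response too slow, possible relay"
    ctq = resp[0]
    if amount > TRANSIT_LIMIT and not (ctq & CDCVM_PERFORMED):
        return "declined: over limit without cardholder verification"
    return "approved"


def direct_tap(amount: int) -> str:
    """Locked phone tapped on an ordinary shop terminal (no transit identifier)."""
    resp = LockedIPhone().respond(b"\x00" * 15, amount)
    return terminal_decision(resp, NFC_RTT_MS, amount, relay_resistance=False)


def relayed_tap(amount: int, flip_cdcvm: bool, relay_resistance: bool) -> str:
    """Locked phone reached through the Proxmark/Android relay."""
    resp, rtt = Relay(flip_cdcvm).forward(LockedIPhone(), amount)
    return terminal_decision(resp, rtt, amount, relay_resistance)


if __name__ == "__main__":
    print("direct tap, locked phone:      ", direct_tap(10))
    print("relay, small amount:           ", relayed_tap(10, flip_cdcvm=False, relay_resistance=False))
    print("relay, large amount:           ", relayed_tap(1000, flip_cdcvm=False, relay_resistance=False))
    print("relay, large amount, bit flip: ", relayed_tap(1000, flip_cdcvm=True, relay_resistance=False))
    print("same, relay-resistant terminal:", relayed_tap(1000, flip_cdcvm=True, relay_resistance=True))
```

The model reproduces the article’s sequence: the locked phone stays silent for an ordinary reader, answers once the relay presents the transit identifier, is held to the transit limit until the relay sets the “verified on device” flag, and is caught only when the terminal refuses responses that arrive too slowly to have come from a phone at the reader. Fraud scoring on the issuer side, which Visa points to, is outside the model.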
The researchers say they informed Apple of the vulnerability in October 2020 and Visa in May 2021. Each company, according to the researchers, continues to blame the other, although the researchers point out on their website that “either Apple or Visa could mitigate this attack on their own.”
“Apple suggested that the best solution was for Visa to implement additional fraud detection checks,” the research paper states. “Meanwhile, Visa observed that the issue only applied to Apple (i.e. not Samsung Pay), so suggested that a fix be made to Apple Pay.”
Further, the research paper adds, “Apple did not pay a bug bounty, even though they advertise $100,000 for bypassing a lock screen, and our attack bypasses Apple Pay’s lock screen.”
“Contactless fraud schemes have been studied in the lab for over a decade and have proven impractical to perform on a large scale in the real world,” Visa told the BBC and ZDNet.
Needless to say, researchers who discovered this flaw almost a year ago are frustrated.
“Our work shows a clear example of a feature, intended to gradually make life easier, turning around and having a negative impact on security, with potentially serious financial consequences for users,” researcher Andreea-Ina Radu from the University of Birmingham told ZDNet.
“Our discussions with Apple and Visa revealed that when two parts of the industry each have partial responsibility, neither is willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
The researchers, who besides Boureanu, Chothia and Radu, include Liqun Chen and Christopher JP Newton from the University of Surrey, plan to officially present their findings at the IEEE Security and Privacy Symposium in May 2022 in Oakland, California.
Similar findings by Timur Yunusov and Leigh Galloway will be presented at Black Hat Europe in November 2021.