Apple Pay, Visa Exploit Allows Unauthorized Payments From a Locked iPhone

Contactless payments may be convenient, but they are also open to serious abuse, according to UK security researchers.

As the BBC reports, researchers from the computer science departments of Birmingham and Surrey Universities managed to take advantage of the way Apple Pay’s Express Transit feature works, but the flaw actually lies in how Visa’s payment system functions.

Express Transit allows contactless payments to be made quickly when passing through ticket barriers found at locations such as the London Underground or New York’s subway stations. It doesn’t require Face ID, Touch ID, or a passcode to be entered into an iPhone before the transaction is allowed to happen, which also means the iPhone can remain locked.

The researchers used a “small commercially available piece of radio equipment,” which, when placed next to an iPhone, acts just like a ticket barrier. An Android phone then runs an app that relays signals from the iPhone to a contactless payment terminal. At the same time, the communications are modified, tricking the iPhone into thinking both that it is unlocked and that the requested payment has been authorized.

(Photo: Contactless payment using an iPhone. Credit: Artur Debat/Getty Images)

The end result is that the researchers successfully completed a payment of $1,350 using a locked iPhone. The security problem is made worse by the fact that the setup can work remotely, requiring only an internet connection for the transactions to be triggered and collected. All a criminal would need to do is hide a “small box of electronics” near where their victims are (similar to how card skimmers are used so effectively).

This has implications for contactless payment system security, but also for stolen and locked iPhones, which can effectively be used to transfer large amounts of money using a “relay attack.”

Visa told the BBC that this type of attack is “impractical,” and that “Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence … Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”

Apple also responded to the BBC, stating: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place … In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”

The researchers don’t agree that this is an impractical threat and believe it could become a real issue within a few years. They also believe it could be fixed if Visa and Apple are willing to carry out the required work. In the meantime, the research team’s advice for iPhone owners is to disable Express Transit payments. The research will be presented at the 2022 IEEE Symposium on Security and Privacy next year.

Source: https://www.pcmag.com/news/apple-pay-visa-exploit-allows-unauthorized-payments-from-a-locked-iphone