New security research claims a flaw in Apple’s Express Transit Apple Pay mode can be used to make unauthorized Visa card payments and bypass the contactless limit.
Researchers from the computer science departments at Birmingham and Surrey Universities in the UK have published their findings on how an active Man-in-the-Middle replay and relay attack could be used to bypass the screen of Apple Pay lock for any iPhone with a Visa card set up in transit mode. The paper specifies:
Apple Pay lock screen can be bypassed for any iPhone with Visa card set up in transit mode. The contactless limit can also be bypassed, allowing unlimited EMV contactless transactions from a locked iPhone. An attacker only needs a stolen and turned on iPhone. Transactions could also be relayed from an iPhone in someone’s bag without their knowledge. The attacker doesn’t need any help from the merchant, and the background fraud detection checks haven’t stopped any of our test payments.
The researchers even have their own video of a £ 1,000 payment taken from a locked iPhone using a standard EMV player you can find at any store on Main Street. Researchers say the attack “is made possible by a combination of loopholes in the Apple Pay and Visa system”, so it wouldn’t work with another card like Mastercard, or with Visa on another platform like Samsung or Google Play.
VPN offers: lifetime license for $ 16, monthly plans for $ 1 and more
Researchers say Apple or Visa “could mitigate this attack on their own,” but after presenting the information “months ago,” they say neither fixed the system and the vulnerability remains active. In fact, the research recommends “that all iPhone users verify that they don’t have a Visa card set up in transit mode, and if they do, they should deactivate it.”
According to the BBC, Apple says the problem lies with Visa and that it is “a problem with the Visa system”. He further stated:
“We take any threat to user safety very seriously. This is a problem with a Visa system, but Visa does not believe this type of fraud is likely to occur in the real world given the multiple layers of security in place ”.
“In the unlikely event that an unauthorized payment occurs, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
Visa reportedly said the type of attack detailed by the research was “impractical” and that “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence.” He further stated that “variants of contactless fraud schemes have been studied in the laboratory for over a decade and have proven impractical to perform on a large scale in the real world.”
One of the researchers, Dr Andreea Radu, told the outlet that although the attack has a high degree of technical complexity, “the rewards of the attack are quite high” and could become a real problem in a few years if they are not resolved.