Many iPhone users are exposed to payment fraud because of vulnerabilities in Apple Pay and Visa, according to new research from the University of Birmingham and the University of Surrey.
The experts revealed they could bypass an iPhone’s Apple Pay lock screen to perform contactless payments when a Visa card is set up in ‘Express Transit mode’ in the iPhone’s wallet. Transit mode allows users to make a quick contactless mobile payment without fingerprint or facial recognition authentication, for example, at an underground station turnstile.
The team used simple radio equipment to uncover a unique code broadcast by the transit gates, or turnstiles, which unlocks Apple Pay. This code, dubbed ‘magic bytes,’ was used to interfere with the signals going between the iPhone and a shop card reader. The researchers could then trick the iPhone into believing it was interacting with a transit gate rather than a shop card reader by broadcasting the magic bytes and changing other fields in the protocol.
Therefore, this weakness could potentially be exploited by hackers to make transactions from an iPhone inside someone’s bag without their knowledge.
The technique even allowed the experts to bypass the contactless limit, so any amount could be taken without the iPhone user’s knowledge. This is because the shop reader believed the iPhone had successfully completed its user authorization.
The researchers emphasized that the vulnerability only applies to Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones.
Dr Andreea Radu, lecturer at the School of Computer Science, University of Birmingham, commented: “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
Co-author Dr Tom Chothia, also from the School of Computer Science at the University of Birmingham, added: “iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”
Responding to the findings, Brian Higgins, security specialist at Comparitech, said Apple Pay and Visa users should consider switching service providers. “This kind of exploit is reminiscent of war-driving near-field-communication antenna data from contactless payment cards when they first became popular. Back then, it was almost impossible to attribute the raw data to an individual cardholder, so nobody was all that bothered.
“Now it’s possible to extract payments immediately with the right kind of equipment, it’s rather unfortunate that neither Apple nor Visa are particularly bothered by the threat to their paying customers and, as is so often the case, it is left to the individual consumer to protect themselves. The research identifies plenty of service providers who have redundancies already built in to prevent this crime. The best advice would be to switch to one of those as soon as you can.”