Visa card holders using Apple Pay warned of payment exploit that bypasses user authentication

Commuters are being urged to disable Apple Pay express transit mode for Visa cards

Apple Pay users who have a Visa card tied to their account are vulnerable to a flaw that could let hackers secretly steal cash without their knowledge.

Research funded by the National Cyber Security Centre (NCSC) found that a combination of flaws in the Apple Pay and Visa systems make it possible for a Visa payment card to be charged without the owner’s consent if it’s set to Apple’s express transit mode.

The feature, which was introduced to iPhones in May 2019, allows users to pay for travel at ticketing barriers without having to unlock the phone, in order to make the payment as fast as possible and avoid creating queues.

However, an experiment conducted by the Universities of Birmingham and Surrey found threat actors are able to exploit a flaw to bypass the Apple Pay lock screen and charge the connected card, in some cases up to £1,000 per transaction, without user authorisation. The owner doesn’t have to leave the device unattended or have it stolen – thieves can also exploit the flaw through a bag or coat, thanks to contactless payment technology.

In a demonstration of the exploit, researchers used an iPhone, an NFC-enabled Android phone, a standard EMV reader payment terminal, and a laptop connected to a Proxmark radio-frequency identification (RFID) scanner.

The Android phone is used as a card emulator to communicate with a payment terminal. Meanwhile, the Proxmark device, connected to a laptop, acts as a reader emulator to communicate with the potential victim’s iPhone, which is led to act as if the transaction is happening with a legitimate transport EMV reader.

Researchers first set up a payment for £1,000 on the payment terminal and ran a script on the laptop to alert the Proxmark RFID scanner to receive the transaction, which then passes it to the payment terminal. Meanwhile, the flaw also manipulates the payment terminal to believe that the victim had authorised the transaction by biometric or PIN verification, enabling the transaction to take place.

The lead researcher behind the experiment, Dr Andreea Radu from the School of Computer Science at the University of Birmingham, said that the flaw can have “serious financial consequences for users”.

Although Visa and Apple had been notified of the issue, neither have taken responsibility for the flaw, meaning that it remains exploitable. The researchers state that both Apple and Visa have the capability to mitigate this attack on their own.

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” said Radu.

Co-author Dr Ioana Boureanu, from the University of Surrey’s Centre for Cyber Security, said that Apple Pay users “should not have to trade-off security for usability, but – at the moment – some of them do”.

“We show how a usability feature in contactless mobile payments can lower security. But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure,” she added.

Related Resource

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Whitepaper front coverFree Download

The attack is only possible due to the unique combination of flaws across both Apple Pay and Visa’s systems, which means that those using Mastercard on Apple Pay, or Visa on Samsung Pay, are not at risk.

Dr Tom Chothia, from the School of Computer Science at the University of Birmingham and co-author of the report, advised iPhone owners to “check if they have a Visa card set up for transit payments, and if so they should disable it”.

“There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are,” he warned.

Videos showing the exploit in action can be found here.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Bridging the DevSecOps divide: Spotlight on key relationships
Whitepaper

Bridging the DevSecOps divide: Spotlight on key relationships

3 Dec 2021
Planned Parenthood cyber attack exposes data of 400,000 patients
cyber attacks

Planned Parenthood cyber attack exposes data of 400,000 patients

3 Dec 2021
Bridging the DevSecOps divide: Spotlight on zero trust
Whitepaper

Bridging the DevSecOps divide: Spotlight on zero trust

3 Dec 2021
Bridging the developer and security divide
Whitepaper

Bridging the developer and security divide

3 Dec 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021