Researchers discover security flaw with Apple Pay and Visa

30 Sep 2021

The team of security experts found a way to steal £1,000 from an iPhone without needing to unlock it, exposing ‘serious’ contactless payment risks.

A team of researchers in the UK have found a way to extract money from a locked iPhone’s Visa account on Apple Pay by exploiting loopholes in the contactless payment technology.

In a video, researchers demonstrated how criminals could steal £1,000 from an iPhone using a small, commercially available radio device and an app running on an Android phone.

The joint study by the University of Birmingham and University of Surrey said that the vulnerability occurs when Visa cards are in Express Transit Mode – used by commuters to pay on public transport without unlocking their phones – in an iPhone’s wallet.

Researchers said that the vulnerability only affects Apple Pay accounts running Visa cards and does not apply to Visa on Samsung phones or Mastercard on any phone.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” lead researcher Dr Andreea Radu of the University of Birmingham said.

BBC News reports Apple said the matter was “a concern with a Visa system” while Visa dismissed the attack demonstration as impractical outside labs.

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” added Radu.

How does it work?

It may be hard to replicate lab conditions in a busy commuter transport environment, but the research highlights serious security concerns for stolen iPhones because the hack does not require owners to unlock the phone using passwords, fingerprints or Face ID.

Relay attackers, criminals who can transfer funds from cards to readers without the owner’s knowledge, use a unique code nicknamed ‘magic bytes’ on a radio device to trick the iPhone into thinking the device is a Europay, Mastercard and Visa (EMV) reader, and so unlock the phone.

The attacker can then use the same codes to exploit vulnerabilities in the Visa-Apple Pay combination and pretend to be a transit gate. At the same time, the attacker tricks a shop reader into thinking the iPhone has been authorised by the user to proceed with the transaction.

This makes it possible for the criminal to take any given amount of funds from the locked iPhone without the user’s knowledge. Researchers said that the shop reader does not need to be near the iPhone and can be operated remotely – from anywhere in the world.

Co-author Dr Ioana Boureanu, from the University of Surrey’s Centre for Cyber Security, said that the team found other payment services such as Samsung Pay to be safe to use even when this hack is employed.

“Apple Pay users should not have to trade-off security for usability, but – at the moment – some of them do.”

Apple Pay arrived in Ireland in 2017 and was recently made available to Bank of Ireland customers. Earlier this month, Apple issued an urgent security patch update for all devices to protect them from an exploit by Pegasus spyware.

Vish Gain is a journalist with Silicon Republic