A team of academics figured out a way to trick the combination of Apple Pay and Visa cards into silently authorizing massive payments. Even though the iPhones the researchers tested were locked during the transactions, they were able to pilfer £1,000 (about $1,340).
How did they do it? By tricking the iPhones into thinking they were passing through a ticketed gate, like at a subway or train station.
Being able to make payments with a locked iPhone is not a bug, it’s a feature. Apple calls it Express Transit and you have to enable it on any card that you want to be able to utilize in these walk-by payment scenarios. Ultimately, it’s no different than paying with a loadable, contactless transit card.
The researchers used a Proxmark, a ubiquitous RFID tool that enables everything from payments to door access. In the research setup, the Proxmark was connected to an Android phone that acted as a payment card emulator. That Android phone then relayed transaction information to a payment terminal.
Tricking a locked iPhone into authorizing transactions of just a few dollars might not seem like a big deal, but the research team managed to push things much further.
But the Android phone doesn’t just receive and transmit payment information from the victim iPhone. It can also modify that information. That allowed the researchers to push far beyond the normal dollar amount limit imposed by Express Transit.
You can see the attack demonstrated in the researchers’ GitLab post. It might not look sensational, but in less than 30 seconds the researchers are able to steal over $1,300 from a locked iPhone.
The researchers tested other phone and card combinations, but only the Apple Pay and Visa pairing was vulnerable. Mastercard performs additional time-of-purchase checks that thwarted their attack. The same Visa cards used with Samsung Pay also fended off the attempted theft.
Both Apple and Visa have been notified about this attack — Apple in October 2020 and Visa in May of 2021. Unfortunately, the attack still works. The researchers believe that the two sides can’t come to an agreement on who should fix the vulnerability.
In a statement to BleepingComputer, Visa stated that “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
Still, there are plenty of very real situations in which an attacker could pull this off. They range from finding a lost iPhone or stealing one to simply standing in close proximity to one that’s in someone’s pocket or purse, for example while riding on a train or bus.
So how can you protect yourself? The research team advises iPhone owners to avoid using a Visa card with Express Transit until the situation is resolved.