A combination of design flaws in Apple Pay and Visa could allow hackers to perform contactless payments without the iPhone user needing to unlock their device, researchers have warned.
The experts from the University of Birmingham and University of Surrey found that they were also able to bypass the limit on contactless payment, allowing transactions of any amount.
In an example video using simple radio equipment, the team was able to take a £1,000 payment from a locked iPhone using the Express Travel feature – something that they warn hackers could manage to do with stolen iPhones, or even devices in a bag.
The researchers were able to transfer £1,000 from a locked iPhone. Pic: University of Birmingham
The potential heist is only possible due to a combination of flaws in both Apple Pay and Visa’s systems, and only affects phones that have a Visa card set to make payments in the Express Travel feature.
“It does not for instance… affect Mastercard on Apple Pay or Visa on Samsung Pay,” the researchers said.
“Backend fraud detection checks have not stopped any of our test payments,” they added, although Visa argues that as the test payments took place in laboratory settings, they may not have produced some signals normally used to detect fraud.
The researchers told Sky News they had spent “a year or so” chasing the issues up with Apple and Visa, either of whom could prevent the attack on their own, but that neither have fixed their systems yet.
Their research is set to be published at the 2022 IEEE Symposium on Security and Privacy.
Dr Andreea-Ina Radu, the first author of the study and a lecturer at the University of Birmingham’s school of computer science, explained to Sky News that the issue was caused by a “really nice feature” Apple included for iPhone users travelling on the London Underground or similar networks.
The Express Travel feature means users don’t have to authenticate when using contactless readers to tap in at stations or on buses, for instance by using their fingerprint or Face ID – something that can help prevent long queues.
Researchers have a combination of flaws in Apple Pay and Visa that could enable fraudsters. File pic.
“We’ve found that we can actually abuse this feature,” explained Dr Radu, “so we can actually take a payment from a locked phone to payment terminals that are not TfL (Transport for London) gates.”
“We’ve been in discussion with both Apple and Visa for a year or so… and they seem to be in disagreement on who should actually fix this issue. The bottom line is that the vulnerabilities remain unfixed for the users,” she added.
“I’m genuinely concerned for consumers’ well-being. My advice to them is to make sure they don’t have a Visa card set up with Express Travel.”
Dr Ioana Boureanu, a senior lecturer in secure systems at the University of Surrey and a researcher on this project, added: “The most exploitable version of this is if you steal someone’s iPhone, and they have a Visa card set in Express Travel.
“Before they declare the card or iPhone stolen and turn them off remotely, you could make as many payments as you like using their phone without them having to unlock it.
“If I stole your iPhone and had it on me, I could do this at my ease, but I could do it in maybe a more awkward way in a shop by walking past or standing by you.”
The researchers said: “We recommend users do not use Visa as a transport card in Apple Pay. If your iPhone is lost or stolen, activate the Lost Mode on your iPhone, and call your bank to block your card.”
Visa says it takes all security threats ‘very seriously’
A spokesperson for Visa said: “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.
“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
Apple said: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”