A new Apple Pay flaw allows hackers to steal money from your locked iPhone

nanoguy

Posts: 1,184   +20
Staff member
Why it matters: Everyone loves the convenience of contactless payments, especially when you are in a hurry. However, this convenience often comes at the cost of reduced security. It turns out that a combination of flaws in both Apple Pay and Visa's system can allow a hacker to make unauthorized payments using only a stolen, powered on iPhone.

A group of researchers at the Birmingham and Surrey Universities in the UK have revealed a new iPhone flaw that allows attackers to perform unauthorized contactless payments by exploiting a weakness in Apple Pay's Express Transit feature while using a Visa card.

Express Transit (Express Travel in the UK) allows an iPhone user to tap-and-go at ticket barriers for much quicker payments. In other words, it eliminates the need to authenticate using either a passcode, Touch ID, or Face ID when making payments, but this also introduces a weakness that can easily be exploited with a relatively inexpensive piece of commercially available radio equipment.

The researchers explained that all it takes to make an unauthorized contactless payment of £1,000 (around $1,350) is to program the radio equipment to mimic a ticket barrier system and relay so-called "Magic Bytes" through an Android app in order to emulate a real contactless transaction. Dr. Ioana Boureanu, who is one of the researchers who discovered the vulnerability, says the dummy payment terminal and Android phone need to be near the victim's iPhone for the exploit to be successful, which becomes painfully easy in the case of a lost or stolen iPhone.

So far, the researchers haven't found any evidence that this security flaw has been exploited in the wild, but lead researcher Dr. Andreea Radu believes it's only a matter of time before malicious actors will take advantage of it. Apple was notified about the issue in October 2020, but the company passed the responsibility to Visa, who was notified in May 2021. The latter says it's familiar with countless variations of contactless fraud schemes developed in the lab and maintains the exploit is "impractical to execute at scale in the real world."

As of writing, neither company is willing to provide a fix. Visa claims you'll be protected under its zero liability policy, and the researchers say they haven't found the same issue when testing Express Transit with Mastercard. Additionally, when trying the same attack method with Samsung Pay, the researchers found that while transactions are possible with locked Samsung devices, the transaction value is zero and the approval process is based on a special arrangement between the bank and the transport providers on the exact cost of the tickets.

For now, if you want to be extra safe, you can disable Express Transit payments. If you're looking for an in-depth read on the matter, you can find the associated research paper here. You can also check DinoSec's extensive list of lock screen bypass issues affecting each major iOS version since iOS 5.

Permalink to story.

 

Squid Surprise

Posts: 5,321   +4,968
One of the main reasons I use a credit card is that any purchase I didn't actually make is easily refunded... When you get your statement, any payments that were fraudulent are simply a phone call away from being refunded - and since you don't pay your credit card bill until after you get your statement, the only ones suffering from this vulnerability would be Visa!

If Visa doesn't want to fix it, then they clearly don't think it's a real problem.
 

DZillaXx

Posts: 487   +621
Only if you are dumb enough to use phones as payment methods ...

I would happy move to using my Smart Phone for Purchases. But having 3+ different methods to do so, all of which is mostly hacked together.

A standardized payment system backend is what is really need. Apple Pay vs Samsung Pay vs Google Pay, these should be nothing more than front ends to a standardized payment processing system. At the same the hardware at the POS system needs to be updated to support such changes. As as we've seen just with the chip, it is a slow process.
 

brucek

Posts: 1,107   +1,643
Before there were phones, there were wallets and cash. This still sounds much safer. Although the bigger liability remains having the phone stolen for the value of the phone itself. Not many bought $1,000 wallets but plenty of people buying $1,000 phones.
 

maxxcool7421

Posts: 115   +190
I would happy move to using my Smart Phone for Purchases. But having 3+ different methods to do so, all of which is mostly hacked together.

A standardized payment system backend is what is really need. Apple Pay vs Samsung Pay vs Google Pay, these should be nothing more than front ends to a standardized payment processing system. At the same the hardware at the POS system needs to be updated to support such changes. As as we've seen just with the chip, it is a slow process.

Yeah agree it is getting there.. but imo using NFC as a pay method just seems fraught with to many exploit surfaces.

Driver flaws on the phone, driver flaws on the PoS, Hardware flaws on the phone and again on the PoS, Protocol flaws, aging encryption standards ... hard pass for now.

Then again scraping memory for CC#s has also proven super profitable with POS systems rarely getting updates, poor network segmentation etc .. So swipes are also still easy to exploit. :p

I'm old and grumpy ignore me :D
 

Irata

Posts: 2,044   +3,474
One of the main reasons I use a credit card is that any purchase I didn't actually make is easily refunded... When you get your statement, any payments that were fraudulent are simply a phone call away from being refunded - and since you don't pay your credit card bill until after you get your statement, the only ones suffering from this vulnerability would be Visa!

If Visa doesn't want to fix it, then they clearly don't think it's a real problem.

This is a definitive advantage of credit card payments vs using PayPal which I unfortunately discovered with PP.

As for the one suffering: No, that wouldn‘t be Visa but rather the card issuer (the bank you received the card from). Visa / MC aren‘t liable for anything - it‘s always either the merchant / acquirer or issuer.