Researchers from the University of Birmingham and University of Surrey have warned that they were also able to bypass the limit on contactless payment, allowing transactions of any amount.
Large unauthorised contactless payments can be made on locked iPhones by exploiting how an Apple Pay feature designed to help commuters pay quickly at ticket barriers works with Visa.
In a video, researchers demonstrated making a contactless Visa payment of £1,000 from a locked iPhone. Apple, predictably, said the matter was “a concern with a Visa system”.
In the example video using simple radio equipment, the team was able to take a £1,000 payment from a locked iPhone using the Express Travel feature – something that they warn hackers could manage to do with stolen iPhones, or even devices in a bag.
The potential heist is only possible due to a combination of flaws in both Apple Pay and Visa’s systems, and only affects phones that have a Visa card set to make payments in the Express Travel feature.
How the attack is performed
In demonstrating the attack, the scientists only took money from their own accounts.
In very simple terms – and with many key details deliberately omitted- the attack works like this:
- A small commercially available piece of radio equipment is placed near the the iPhone, which tricks it into believing it is dealing with a ticket barrier
- At the same time an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal – this could be in a shop or one the criminals control
- Because the iPhone thinks it is paying a ticket barrier, it doesn’t need to be unlocked
- Meanwhile the iPhone’s communications with the payment terminal are modified to fool it into thinking the iPhone has been unlocked and a payment authorised – allowing high value transactions to be made without entering a PIN, fingerprint or using Face ID
Visa’s view was that this type of attack was “impractical”.
It told the BBC that it took all security threats seriously, but “Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world”.
The post UK researchers find hacking flaw in Apple Pay with Visa cards appeared first on Payments Cards & Mobile.