Security researchers discovered that an attacker could make fraudulent payments worth thousands of dollars using a locked iPhone, without any authentication.
The researchers, from the Universities of Birmingham and Surrey and the U.K. National Cyber Security Centre (NCSC), said that the risk originates from an unpatched vulnerability affecting the combination of Apple Pay and a Visa credit or debit card.
According to the researchers, the attack only works against an iPhone that has a Visa card saved with Apple Pay Express Transit mode enabled.
This configuration allows iPhone users to pay at transit gates with a tap-and-go gesture, without unlocking the phone.
The researchers noted that the attacker does not need to authenticate and can target any powered-on iPhone, including one sitting inside someone’s bag.
Apple and Visa trade accusations over payment fraud vulnerability
The researchers noted that the payment fraud vulnerability arose from weaknesses in both Apple Pay and Visa’s systems, and that neither company took responsibility for it.
Apple was informed of the flaw in October 2020, while Visa became aware of the bug in May 2021.
However, Apple shifted the blame to Visa, saying that Visa did not acknowledge the flaw and had assured its users of “multiple layers of security” and protection through “Visa’s zero-liability policy.”
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” the researchers lamented.
Visa downplays the risk of Apple Pay payment fraud
Visa claimed that the payment fraud scenario involving a locked iPhone and one of its debit or credit cards was unlikely. The company reiterated that its debit and credit cards linked to Apple Pay Express Transit mode were safe to use. It also downplayed academic payment fraud scenarios simulated in lab settings.
“Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” Visa told the BBC.
The payment processor added that its systems would detect unusual spending patterns and prevent payment fraud from succeeding. However, this form of payment fraud prevention is unreliable and reactive, acting only after fraud has already occurred.
Additionally, the researchers noted that Visa’s fraud detection systems had failed to block their test fraudulent payment. As a proof of concept, the researchers made a payment of £1,000 using a locked iPhone on Europay, Mastercard, and Visa (EMV) terminals.
The researchers advised Apple Pay users to avoid using Visa cards with Express Transit mode. They also advised users to protect themselves by remotely wiping lost iPhones.
Triggering the Man-in-the-Middle attack
The researchers noted that the Visa Apple Pay Express Transit mode vulnerability was exploited through a man-in-the-middle (MitM) relay attack.
According to the researchers, transit gates transmit a unique code, called “magic bytes,” that unlocks an iPhone for the transaction, and this code could be replicated using simple radio equipment. An attacker could intercept and modify this signal to fool an iPhone into believing it was communicating with a real transit gate.
The attacker could also fool the payment terminal into believing that the iPhone had completed user authorization, allowing a payment of any amount. The researchers achieved this using an application running on an Android phone.
The payment fraud vulnerability only affects Visa cards on Apple Pay in Express Transit mode and does not affect other payment cards, systems or combinations.
However, the researchers pointed out that the risk was unwarranted and that Visa and Apple Pay customers should not have to sacrifice security for usability.
“We show how a usability feature in contactless mobile payments can lower security,” University of Surrey’s Centre for Cyber Security researcher Dr. Ioana Boureanu said. “But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. Apple Pay users should not have to trade off security for usability, but – at the moment – some of them do.”