Apple Pay contactless exploit allows unauthorised payments from Visa cards
Researchers have found an exploit on iPhones where large unauthorised contactless payments can be made via its integration with Visa.
The exploit affects Visa cards set up in the iPhone’s “express transit” mode. The mode is designed to enable commuters to make contactless payments without unlocking their phone.
Researchers from the Universities of Birmingham and Surrey have discovered payments of up to £1,000 can be made via interference from radio equipment.
An Android phone running an application can use the radio equipment to trick an iPhone into thinking a false payment terminal is a ticket barrier.
As the iPhone initiates the payments, a separate modification tricks the device into believing it has been unlocked and the payment is fully authorised, allowing larger transfers.
The researchers say the Android phone and payment terminal used don’t need to be near the victim’s iPhone.
Dr Ioana Boureanu, of the University of Surrey, says the terminals could be “on another continent from the iPhone” as long as an internet connection exists.
According to the researchers, who have only tested the exploit in lab conditions, they approached Visa and Apple about the problem in late 2020.
Apple spokespeople stated the issue lay with Visa’s system. For its part, Visa has emphasised the security of its platform and the lack of real-world testing.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” a spokeswoman said.
Dr Andreea Radu of the University of Birmingham says their work shows “a clear example of a feature […] backfiring and negatively impacting security”.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
Report co-author Dr Tom Chothia adds: “iPhone owners should check if they have a Visa card set up for transit payments, and if so, they should disable it.
“There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”