Researchers urged iPhone users to remove Visa as a transit card through Apple Pay after discovering a loophole that fraudsters could use to bypass security and make unlimited contactless payments.
Experts from the University of Birmingham and the University of Surrey have warned that the issue could be exploited to transact from an iPhone in someone’s bag without their knowledge.
They say the weakness occurs only when a Visa card is set up in Apple Pay as an Express Travel Card, also known as Express Transit Mode, a feature that lets owners enter and exit public transport without having to unlock their phone.
Using simple radio equipment, the team tricked the iPhone into believing it was communicating with a transit gate when it was in fact talking to a payment reader of the kind used by shops, in what security researchers call a “man-in-the-middle” attack.
This was done by identifying a unique code broadcast by transit gates or turnstiles, which the team then injected into the exchange between the iPhone and a shop card reader, so that the phone treated the reader as a gate and approved the payment without being unlocked.
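The exchange described above, as a simplified model added here to show why the design fails; this is not code from the researchers, Apple or Visa. The gate code, message names, the amounts and the absence of any phone-side amount cap are constructed placeholders, not the real protocol. The point it isolates is that the phone decides whether to skip user authentication based on a value that any nearby reader can replay, and that the shop reader, not the phone, sets the amount:

```python
"""Constructed model of the Express Transit relay described in the article.

Hypothetical placeholders throughout: GATE_HELLO is a stand-in for the
"unique code" transit gates broadcast, SHOP_HELLO for a shop reader's
opening message. Nothing here is the real Apple Pay or Visa protocol.
"""
from dataclasses import dataclass

# Hypothetical stand-ins; the real bytes are not on this page.
GATE_HELLO = b"HYPOTHETICAL-TRANSIT-GATE-HELLO"
SHOP_HELLO = b"HYPOTHETICAL-SHOP-READER-HELLO"


@dataclass
class Phone:
    """Minimal model of a phone holding a Visa card."""
    express_transit_visa: bool = True   # Visa set up as the Express Transit card
    unlocked: bool = False              # has the owner authenticated?

    def pay(self, reader_hello: bytes, amount: int) -> dict:
        """Answer a reader's request. Returns the outcome of the tap."""
        if self.express_transit_visa and reader_hello == GATE_HELLO:
            # The flaw the article describes: seeing the gate code is enough
            # to approve without unlocking, for whatever amount the reader
            # asked for (assumption: no phone-side cap is modelled).
            return {"approved": True, "amount": amount, "via": "express_transit"}
        if self.unlocked:
            return {"approved": True, "amount": amount, "via": "user_auth"}
        return {"approved": False, "amount": 0, "via": "declined"}


def honest_tap(phone: Phone, reader_hello: bytes, amount: int) -> dict:
    """Phone and reader talk directly: the reader's own hello reaches the phone."""
    return phone.pay(reader_hello, amount)


def relayed_tap(phone: Phone, captured_gate_hello: bytes, shop_amount: int) -> dict:
    """Man-in-the-middle tap.

    The attacker's emulated terminal next to the phone replays the captured
    gate hello instead of the shop reader's own hello; the attacker's
    emulated card next to the shop reader forwards the phone's approval
    unchanged. The shop reader chose the amount.
    """
    phone_answer = phone.pay(captured_gate_hello, shop_amount)
    return phone_answer   # what the shop reader receives


def run_scenarios() -> dict:
    """Five taps, all with the phone locked (in a bag, as the article puts it)."""
    captured = GATE_HELLO   # attacker learned the gate code beforehand
    return {
        # Intended use: locked phone at a real gate.
        "gate_express_on": honest_tap(Phone(express_transit_visa=True), GATE_HELLO, 3),
        # Normal shop tap: a locked phone must be unlocked first.
        "shop_express_on": honest_tap(Phone(express_transit_visa=True), SHOP_HELLO, 1000),
        # The attack: same locked phone, shop amount, replayed gate code.
        "relay_express_on": relayed_tap(Phone(express_transit_visa=True), captured, 1000),
        # The article's advice: Visa removed as the Express Transit card.
        "relay_express_off": relayed_tap(Phone(express_transit_visa=False), captured, 1000),
        # Cost of the advice: the owner now has to unlock at a real gate.
        "gate_express_off": honest_tap(Phone(express_transit_visa=False), GATE_HELLO, 3),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

The relay never touches the payment data itself; it only substitutes the one unauthenticated message the phone uses to decide whether the owner must be present, which is why the researchers' recommendation is to turn the feature off rather than to change how the card is used.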
“iPhone owners should check to see if they have a Visa card set up for in-transit payments and, if so, deactivate it,” said study co-author Dr Tom Chothia of the University of Birmingham.
“Apple Pay users don’t need to be at risk, but until Apple or Visa fixes this, they are.”
Upstream fraud-detection checks also failed to stop the payments during the tests carried out by the group.
Researchers said they shared details of the issue with Apple and Visa, saying the two companies acknowledged the severity of the vulnerability but failed to come to an agreement on who should implement a fix.
Visa responded by saying that its cards are secure with this feature and that cardholders should continue to use them “with confidence.”
“Variants of contactless fraud schemes have been studied in the laboratory for over a decade and have proven impractical to perform on a large scale in the real world,” said a spokesperson.
“Visa takes all security threats very seriously and we work tirelessly to strengthen payment security across the ecosystem.”
An Apple spokesperson said, “We take any threat to user safety very seriously. It’s a problem with a Visa system, but Visa doesn’t think this type of fraud is likely to happen in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorized payment occurs, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
“Our work shows a clear example of a feature, intended to gradually make life easier, turning around and having a negative impact on safety, with potentially serious financial consequences for users,” said Dr Andreea Radu of the University of Birmingham, who led the study.
“Our discussions with Apple and Visa revealed that when two parts of the industry each have partial responsibility, neither is willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
The weakness does not affect other combinations, such as Mastercard on iPhone or Visa on Samsung Pay.
The full results of the study will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.
Co-author Dr Ioana Boureanu, University of Surrey, added: “We show how a usability feature in mobile contactless payments can reduce security.
“But we have also discovered contactless mobile payment models, such as Samsung Pay, which are both usable and secure.
“Apple Pay users shouldn’t have to sacrifice security for usability, but right now some of them are.”