Large unauthorised contactless payments can be made on locked iPhones by exploiting how an Apple Pay feature designed to help commuters pay quickly at ticket barriers works with Visa.
Researchers demonstrated making a £1,000 contactless Visa payment from a locked iPhone in a video.
Apple stated that the issue was “a concern with a Visa system.”
Visa stated that payments were secure and that such attacks were impractical outside of a lab.
The problem, researchers say, applies to Visa cards set up in “Express Transit” mode in an iPhone’s wallet.
“Express Transit” is an Apple Pay feature that allows commuters to make quick contactless payments without having to unlock their phone, such as touching-in and touching-out at a London Underground ticket barrier.
Researchers from the Computer Science departments of Birmingham and Surrey Universities discovered how to exploit a flaw in how Visa systems work with this feature.
In demonstrating the attack, the scientists only took money from their own accounts.
In very simple terms – and with many key details deliberately omitted – the attack works like this:
- a small commercially available piece of radio equipment is placed near the iPhone, which tricks it into believing it is dealing with a ticket barrier
- at the same time an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal – this could be in a shop or one the criminals control
- because the iPhone thinks it is paying a ticket barrier, it doesn’t need to be unlocked
- meanwhile the iPhone’s communications with the payment terminal are modified to fool it into thinking the iPhone has been unlocked and the payment authorised – allowing high-value transactions to be made without a PIN, fingerprint or Face ID
Researchers were able to make a £1,000 Visa payment in a demonstration video seen by the BBC without unlocking the phone or authorising the payment.
According to the researchers, the Android phone and payment terminal used do not need to be close to the victim’s iPhone.
“As long as there’s an internet connection, it can be on another continent from the iPhone,” said Dr Ioana Boureanu of the University of Surrey.
So far, the researchers have only demonstrated the attack in the “lab,” and there is no evidence that criminals are currently using the hack.
Ken Munro, a security researcher with Pen Test Partners who was not involved in the study, told the BBC that it was a “really innovative piece of research” that needed to be fixed right away.
He described the attack as being similar to having a contactless credit card terminal tapped against your wallet or purse.
But this attack was more insidious, he said, because it no longer required the card terminal, only a small box of electronics that could relay the fraudulent transaction elsewhere.
“Perhaps the most significant concern is a lost or stolen phone. The crook no longer has to be concerned about being seen by others while carrying out the attack.”
The attack may also be easiest to deploy against a stolen iPhone, according to the university researchers.
According to the researchers, they approached Apple and Visa with their concerns almost a year ago, and while there have been “useful” conversations, the problem has not been resolved.
According to Visa, this type of attack was “impractical.”
It told the BBC that while it takes all security threats seriously, “Visa cards linked to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence.”
“For more than a decade, variations of contactless fraud schemes have been studied in laboratory settings and have proven to be impractical to execute at scale in the real world.”
It is possible that Visa’s fraud detection systems would detect and block unusual spending patterns, though the researchers did not encounter this issue in their lab tests.
There’s also the issue of getting close to a victim’s phone.
Anyone who believes they have misplaced their phone can use Apple’s iCloud to disable Apple Pay or wipe the device, as well as alert Visa and block payments.
“We take any threat to users’ security very seriously,” Apple told the BBC. “This is a concern with a Visa system, but Visa believes that given the multiple layers of security in place, this type of fraud is unlikely to occur in the real world.”
“In the unlikely event that an unauthorised payment occurs, Visa has stated unequivocally that their cardholders are protected by Visa’s zero liability policy.”
However, Dr Andreea Radu of the University of Birmingham, who led the research, told the BBC that complex attacks developed in the lab can be used by criminals.
“It has some technical complexity – but I feel the rewards from carrying out the attack are quite high,” she said, adding that if left unaddressed, “in a few years these could become a real issue.”
Dr Tom Chothia, also of the University of Birmingham, suggested that iPhone owners check to see if they have a Visa card set up for transit payments and, if so, disable it.
“There is no reason for Apple Pay users to be in danger, but they are until Apple or Visa fix this,” he said.
The researchers also tested Samsung Pay, but discovered that it could not be used in this manner.
They also tried Mastercard, but the way its security works prevented the attack.
Dr Ioana Boureanu of the University of Surrey, a co-author, stated that this demonstrated that systems could be “both usable and secure.”
The findings will be presented at the IEEE Symposium on Security and Privacy in 2022.