Apple Pay’s unpatched flaw can make payments through locked iPhones
Researchers have identified a flaw in Apple Pay that attackers can abuse to make unauthorized Visa payments through locked iPhones. The attack works through the Express Travel mode in the device’s wallet.
A group of academics from the University of Birmingham and the University of Surrey stated that the attacker only needs a stolen iPhone that is powered on. Transactions can also be made from an iPhone inside someone’s bag, without the owner knowing. The attacker does not need any help from the merchant. The group also highlighted that backend fraud detection checks did not stop any payments when tested.
Express Travel is a feature on iPhone and Apple Watch that allows users to make immediate contactless payments for public transit without unlocking the device, opening an app, or authenticating with Face ID, Touch ID or a passcode. The attack is possible because of flaws in both Apple Pay and Visa’s system.
The attack imitates a transit gate transaction using a Proxmark device, which acts as an EMV card reader communicating with the target’s iPhone, together with an NFC-enabled Android app that operates as a card emulator and transmits signals to a payment terminal.
Apple and Visa were notified of the vulnerability in October last year and May this year, respectively, according to the researchers. They further stated that both parties recognize the critical nature of the vulnerability, but they have not come to an agreement on who will implement a fix for the flaw.
Visa labelled this type of vulnerability impractical. It added that variants of contactless fraud schemes have been examined in laboratory settings for a long time now, but these have proven impractical to implement at scale in real-world scenarios.
An Apple representative said that this concern relates to a Visa system, but that Visa does not believe such fraud would be carried out in the real world, claiming that multiple layers of security are enough to combat such issues.