Apple Pay payments can be stolen wirelessly from your locked iPhone, and the flaw persists because neither Apple nor Visa will fix it, say British researchers.
In a new website and research paper, researchers from the University of Birmingham and the University of Surrey show that they can mimic Transport for London's contactless card readers with off-the-shelf equipment and, as long as the card tied to the payment is a Visa card, charge £1,000 (approximately US$1,350) to Apple Pay on a locked iPhone.
This would let criminals with the right device in a coat pocket lurk in subway stations, capture Apple Pay transactions from passersby and relay them in real time to retail terminals anywhere in the world.
Phone thieves could also use this method to make payments from a stolen iPhone that is locked but still switched on.
"Perhaps the most worrisome thing is what happens if it gets lost or stolen," Ken Munro, head of Pen Test Partners, who was not involved in the study, told the BBC.
"Fraudsters no longer have to worry about being found by others when carrying out their attacks."

However, Apple and Visa appear to be pointing fingers at each other over whose system is at fault.
"Apple Pay users don't need to be at risk, but they will be until Apple and Visa fix this," University of Birmingham researcher Tom Chothia told the BBC.
"We take any threat to user security very seriously," Apple told Tom's Guide. "While this is a concern with Visa's system, Visa believes it is unlikely that this type of fraud would take place in the real world, given the multiple layers of security in place. In the unlikely event of an unauthorized payment, Visa has made it clear that cardholders are protected by Visa's zero liability policy."
The best way to protect yourself from this type of attack is not to set a Visa card as your Express Transit or Express Travel card in Apple Pay.
If your iPhone is lost or stolen, disable Apple Pay on it remotely through iCloud; if you believe an unauthorized transaction has been made using your Visa card and Apple Pay, contact your card issuer immediately.
The flaw involves two different things. The first is Apple's "Express Transit" or "Express Travel" mode, introduced in iOS 12.3 in May 2019, which lets iPhone owners make Apple Pay transactions without unlocking the phone's screen, for example when moving quickly through subway turnstiles. The second is the way Visa handles such payments.
When a Mastercard rather than a Visa card was tied to the Apple Pay payments, the theft did not work, the researchers said. It also did not work on Samsung phones using Samsung Pay, which has a similar locked-screen transit mode.
According to Apple's support documentation, Express Transit/Travel is supported by transit systems in London, New York, Beijing, Shanghai, Hong Kong, Los Angeles, Chicago, Washington DC, Portland, Oregon, and the San Francisco Bay Area, as well as by Finnish and Japanese transit systems.
The researchers set up shop at several London Underground stations and captured the signals exchanged between the contactless card readers at the ticket gates and their own iPhones. They then programmed a handheld Proxmark RFID (radio-frequency identification) tool to mimic the Transport for London card readers.
The researchers found that the turnstiles broadcast a 15-byte sequence that tells the iPhone it is interacting with a transit system. On receiving these "magic bytes," the iPhone activated Apple Pay even though it was still locked.
Apple Pay transactions could then be made and processed. The researchers used an Android phone, communicating with the Proxmark, to present the relayed transactions to a card payment terminal. The attacker's Android phone need not be anywhere near the target iPhone.
"As long as you have an Internet connection, you can be on another continent from the iPhone," University of Surrey researcher Ioana Boureanu told the BBC.
Express Transit/Travel normally places fairly low limits on the amount that can be charged. However, the researchers found that by changing just two bits in the messages relayed between the Proxmark and the card payment terminal, they could bypass that limit.
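The relay described in the preceding paragraphs, reduced to a toy model in Python. This is an added example, not the researchers' tooling: the preamble value `TRANSIT_MAGIC`, the amounts and the `Phone`, `ProxmarkReader` and `RelayCard` classes are all constructed for illustration, and the two-bit limit bypass is not modelled. What it shows is the trust decision at the heart of the attack: the locked phone decides to pay solely on whether the reader presented the unauthenticated transit preamble, so a reader that replays those bytes while forwarding a shop terminal's amount over the network obtains a payment that the shop terminal on its own is refused.

```python
# Toy model of the Express Transit relay. Added illustration, not the
# researchers' code: the preamble bytes, the amounts and the message shape
# are constructed, and the two-bit limit bypass is not modelled.
from dataclasses import dataclass, field

# Stands in for the 15-byte sequence the TfL gates send; values are made up.
TRANSIT_MAGIC = bytes(range(0x10, 0x1F))   # 15 bytes, hypothetical content


@dataclass
class Phone:
    """A locked iPhone whose Express Transit card is a Visa card."""
    locked: bool = True
    transactions: list = field(default_factory=list)

    def tap(self, preamble: bytes, amount_pence: int) -> dict:
        # The locked phone's only check is whether the reader presented the
        # transit preamble. The preamble is not authenticated, so any reader
        # that replays the same bytes is treated as a transit gate.
        if self.locked and preamble != TRANSIT_MAGIC:
            return {"approved": False, "reason": "locked: unlock to pay"}
        self.transactions.append(amount_pence)
        return {"approved": True, "amount": amount_pence,
                "mode": "express_transit" if self.locked else "unlocked"}


class DirectCard:
    """The victim's phone held up to a terminal with no relay in between."""
    def __init__(self, phone: Phone):
        self.phone = phone

    def select(self, preamble: bytes, amount_pence: int) -> dict:
        return self.phone.tap(preamble, amount_pence)


class ProxmarkReader:
    """Attacker's reader next to the victim, impersonating a transit gate."""
    def __init__(self, victim: Phone):
        self.victim = victim

    def relay(self, amount_pence: int) -> dict:
        # Replays the captured preamble, then passes on the shop's amount.
        return self.victim.tap(TRANSIT_MAGIC, amount_pence)


class RelayCard:
    """Attacker's Android phone, posing as a contactless card at the shop.
    The shop terminal's own (non-transit) preamble is discarded; only the
    amount is forwarded over the network to the Proxmark."""
    def __init__(self, proxmark: ProxmarkReader):
        self.proxmark = proxmark

    def select(self, preamble: bytes, amount_pence: int) -> dict:
        return self.proxmark.relay(amount_pence)


def shop_terminal(card, amount_pence: int) -> dict:
    """A retail terminal: sends an ordinary, empty preamble and the amount."""
    return card.select(b"", amount_pence)


def demo() -> tuple:
    """Same locked phone, same £1,000 charge: declined directly, approved
    via the relay. Returns (direct_result, relayed_result, phone_log)."""
    victim = Phone(locked=True)
    direct = shop_terminal(DirectCard(victim), 1000_00)
    relayed = shop_terminal(RelayCard(ProxmarkReader(victim)), 1000_00)
    return direct, relayed, list(victim.transactions)


if __name__ == "__main__":
    for label, result in zip(("direct", "relayed"), demo()[:2]):
        print(f"{label}: {result}")
```

Running the module prints the two outcomes side by side; the only difference between them is the 15 bytes the attacker's reader replays, which is exactly why the researchers argue that either the phone or the card network has to stop trusting that signal on its own.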
According to the research paper, Visa told the researchers that "if this attack were to raise fraud alerts, it could eventually be stopped." The researchers countered: "We've made multiple attacks from the same card with large amounts of money, and they were never blocked or flagged as fraudulent."
Visa has proposed a countermeasure to stop this attack, but the researchers say it could easily be bypassed. Instead, they suggest that Visa or Apple implement a variant of the mechanism by which Mastercard has successfully blocked such attacks.
The researchers said they informed Apple of the vulnerability in October 2020 and Visa in May 2021. According to the researchers, each company continues to blame the other, but they note on their website that "either Apple or Visa can mitigate this attack on their own."
"Apple suggested that the best solution would be for Visa to implement additional fraud detection checks," the researchers said. "Visa, on the other hand, suggested that a fix should be made to Apple Pay because the problem only applies to Apple (i.e., not Samsung Pay)."
Additionally, the research paper noted that Apple advertises a $100,000 bug bounty for bypassing the lock screen but did not pay a bounty in this case, even though, as the researchers put it, "our attack bypasses the Apple Pay lock screen."
"Contactless fraud schemes have been studied in the lab for more than a decade, but have proven impractical to execute on a large scale in the real world," Visa told the BBC and ZDNet.
Needless to say, the researchers, who discovered the flaw nearly a year ago, are frustrated.
University of Birmingham researcher Andreea-Ina Radu told ZDNet, "Our study provides a clear example of how a feature intended to make life easier can backfire, adversely affect security, and have serious financial consequences for users."

"Our discussions with Apple and Visa revealed that when two industry players are each partially responsible, neither is willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely."
Boureanu, Chothia and Radu, together with Liqun Chen and Christopher J.P. Newton of the University of Surrey, will formally present their findings at the IEEE Symposium on Security and Privacy in May 2022 in Oakland, California.
Similar findings by Timur Yunusov and Leigh-Anne Galloway will be presented at Black Hat Europe in November 2021.