According to new research, vulnerabilities in Apple Pay and Visa could allow hackers to bypass an iPhone’s Apple Pay lock screen and perform contactless payments.
The vulnerability, discovered by researchers from the Universities of Birmingham and Surrey, affects Visa cards set up in ‘Express Transit mode’ in an iPhone’s wallet.
Transit mode is a feature on many smartphones that allows commuters to make a quick contactless mobile payment at a turnstile, such as at an underground station, without the need for fingerprint authentication.
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said researcher Andreea Radu from the University of Birmingham.
The flaw lies in the interaction between the Apple Pay and Visa systems and does not affect other combinations, such as Mastercard on iPhones or Visa on Samsung Pay, according to the study, which will be presented at the 2022 IEEE Symposium on Security and Privacy.
Using simple radio equipment, the team identified a unique code broadcast by transit gates, or turnstiles. This code, dubbed “magic bytes” by the researchers, is what enables Apple Pay’s transit mode.
The team discovered that they could use this code to interfere with the signals between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate when, in fact, it was talking to a shop reader.
At the same time, the researchers’ method convinces the shop reader that the iPhone has successfully completed user authorization, allowing payments of any amount to be taken without the iPhone owner’s knowledge.
The researchers discovered that their method could also be used to circumvent the contactless limit, allowing transactions of any amount to be performed.