Researchers in England have flagged a flaw that could allow hackers to remotely drain iPhones of cash if they have a Visa bank card connected to pay in “Express Transit mode” — even if the devices are locked at the time.
Express Transit is an Apple Pay feature that allows commuters to make a quick, contactless payment without unlocking their phone at turnstiles and other mass transit gates.
The researchers from the University of Birmingham in England and the University of Surrey published a two-minute video demonstrating how to steal £1,000 with the hack.
The researchers used basic radio equipment to interfere with the signals going between the iPhone and the card reader, and tricked it into thinking it was paying for travel – when in fact it was paying into a separate card reader.
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr. Andreea Radu, from the University of Birmingham, who led the research.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
Express Transit is an Apple Pay feature that allows commuters to make a quick, contactless payment without unlocking their phone.Andreea-Ina Radu et al.
Co-author Dr. Tom Chothia, also from the University of Birmingham, urged iPhone users to check if they have a Visa card set up for transit payments and to disable it if so.
While the researchers were able to exploit the vulnerability in the lab, there’s no indication it’s currently being used to steal money by criminals.
“We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place,” an Apple spokesperson said in a statement.
The researchers used basic radio equipment to interfere with the signals going between the iPhone and the card reader, and tricked Apple Pay into thinking it was paying for travel.Andreea-Ina Radu et al.
“In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
Visa said replicating the hack in the real world be “impractical,” according to a statement given to the BBC.
“Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence,” a representative for the financial services firm said.
Visa responded to the study and claimed replicating the hack in the real world be “impractical.”Alamy Stock Photo
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”