Security researchers have found a way to make fraudulent Apple Pay payments from a locked iPhone. Not all contactless payments via Apple Pay are affected by the vulnerability.
According to the BBC report, Apple Pay can be used with Visa cards to enable unlimited transactions from a locked iPhone. The prerequisite is that express mode is activated. The BBC likens the method to a digital version of pickpocketing: it works even when the iPhone is in a person's pocket. According to the researchers, there is also no transaction limit.
Payment Without Unlocking The Device
When investigating relay attacks on contactless payments, researchers from the University of Birmingham and the University of Surrey in the UK found that iPhone devices simply confirm fraudulent transactions under certain conditions. They successfully tested the attack on the iPhone 7 and iPhone 12. In order for a payment to be made, iPhone users usually need to authorize it by unlocking the phone with Face ID, Touch ID, or a passcode. However, there are exceptions, for example, intended for a quick transaction when paying on public transport.
Express Transit is a feature that allows a transaction to be carried out without unlocking the device. Apple intends the Express Transit function to work only with certain services, for example at ticket offices. According to the researchers' findings, however, the function can be used in combination with a Visa card to bypass the Apple Pay lock screen and pay any amount at an EMV reader without the user authorizing or even noticing.
The researchers were able to emulate a ticket-barrier transaction using a Proxmark device that acted as a card reader and communicated with the target iPhone, and an Android phone with an NFC chip, which in turn communicated with a payment terminal. However, the attack is complicated and there is no known active exploitation so far. When the researchers examined the problem more closely, they discovered that the Card Transaction Qualifiers (CTQ), which are responsible for setting the limits for contactless transactions, could be modified. This means that there is no longer any limit for the "secret" payment.
Vulnerability Is Not Fixed Yet
The tests were only successful with the combination of iPhone and Visa cards. Mastercard checks that a locked iPhone only accepts transactions from card readers with a transit merchant code. When testing Samsung Pay, the researchers found that transactions with locked Samsung devices are always possible. However, the value is always zero, and the transport companies calculate the tickets based on the data associated with these transactions.
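The two safeguards described above (restricting unconfirmed payments to transit merchant codes, and not trusting a limit that can be altered in transit) can be expressed as a back-end review rule. The following is an added example, not code from the researchers, Apple, Visa or Mastercard; the record format, the field names, the set of transit merchant category codes and the limit are all assumptions, including the assumption that the back end can see whether the phone was unlocked for the payment.

```python
# Added example: back-end review of payments made without unlocking the phone.
# Field names, MCC set and limit are assumptions, not Apple, Visa or Mastercard values.
TRANSIT_MCCS = {"4111", "4112", "4131", "4784"}  # transit-type merchant codes (assumed set)
UNVERIFIED_LIMIT_MINOR = 1000  # hypothetical cap, in minor units, for unconfirmed payments
REQUIRED = ("id", "mcc", "amount_minor", "user_verified")

def parse(line):
    """Parse one 'key=value key=value' record; None if fields are missing or malformed."""
    rec = dict(p.split("=", 1) for p in line.split() if "=" in p)
    if any(k not in rec for k in REQUIRED):
        return None
    if not rec["amount_minor"].isdigit() or rec["user_verified"] not in ("0", "1"):
        return None
    rec["amount_minor"] = int(rec["amount_minor"])
    rec["user_verified"] = rec["user_verified"] == "1"
    return rec

def review(rec):
    """Return the reasons to decline; an empty list means accept."""
    if rec is None:
        return ["incomplete record"]  # fail closed when the evidence is missing
    if rec["user_verified"]:
        return []  # cardholder unlocked the device; ordinary rules apply elsewhere
    reasons = []
    if rec["mcc"] not in TRANSIT_MCCS:
        reasons.append("unverified payment at non-transit merchant")
    if rec["amount_minor"] > UNVERIFIED_LIMIT_MINOR:
        reasons.append("unverified payment above limit")
    return reasons

# Constructed sample records (not real transaction data).
SAMPLE = [
    "id=t1 mcc=4111 amount_minor=250 user_verified=0",     # ordinary transit tap
    "id=t2 mcc=5411 amount_minor=100000 user_verified=0",  # retail, large, never confirmed
    "id=t3 mcc=5411 amount_minor=100000 user_verified=1",  # same purchase, phone unlocked
    "id=t4 mcc=4111 amount_minor=100000 user_verified=0",  # transit code, large amount
    "id=t5 mcc=4111 amount_minor=250",                     # verification field missing
]

def run(lines):
    """Map each record id (or its line index if unparsable) to its decline reasons."""
    out = {}
    for i, line in enumerate(lines):
        rec = parse(line)
        out[rec["id"] if rec else f"line{i}"] = review(rec)
    return out

if __name__ == "__main__":
    for txn_id, reasons in run(SAMPLE).items():
        print(txn_id, "DECLINE: " + "; ".join(reasons) if reasons else "ACCEPT")
```

The limit is enforced from the back end's own constant rather than from any value carried in the transaction, since the article notes that the qualifiers setting the contactless limit could be modified.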
The results of this investigation were sent to both Apple and Visa in October 2020 and May 2021, but neither fixed the issue. Instead, the two companies blamed each other.