Visa and Apple Pay vulnerabilities leaves iPhone users open to payment fraud

Experts from the Surrey Centre for Cyber Security and the University of Birmingham found their approach could also be used to bypass the contactless limit allowing transactions of any amount to be performed. Their results will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy. 

The researchers discovered the vulnerability occurs when Visa cards are set up in ‘Express Transit mode’ in an iPhone’s wallet. Transit mode is a feature on many smartphones that enables commuters to make a swift contactless mobile payment at, for example, an underground station turnstile, without fingerprint authentication.  

The weakness lies in the ApplePay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones or Visa on Samsung Pay. 

Using simple radio equipment, the team identified a unique code broadcast by the transit gates or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’, will unlock Apple Pay. The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader. 

At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone’s user’s knowledge. 

Dr Andreea Radu, in the School of Computer Science at the University of Birmingham, led the research. She said: “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users. 

 

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.” 

 

Co-author Dr Ioana Boureanu from the University of Surrey’s Centre for Cyber Security added: “We show how a usability feature in contactless mobile payments can lower security. But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. ApplePay users should not have to trade-off security for usability, but --at the moment-- some of them do.” 

 

Co-author Dr Tom Chothia, also in the School of Computer Science at the University of Birmingham, said: “iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.” 

 

More details and a video of a £1000 payment being taken from a locked iPhone are available at https://practical_emv.gitlab.io 

This work is part of the TimeTrust project, funded by the UK National Cyber Security Centre (NCSC), lead by the University of Surrey, in collaboration with the University of Birmingham, and running under the RISE Research Institute. Co-authors of this project include Dr Christopher Newton and Professor Liqun Chen from the University of Surrey.

...

Notes to editor 

• Radu et al (2021). ‘Practical EMV Relay Protection’. 2022 IEEE Symposium on Security and Privacy.