Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
55,026
17,408


Researchers in the U.K. have demonstrated how large unauthorized contactless payments can be made on locked iPhones by exploiting Apple Pay's Express Transit feature when set up with Visa.

apple-pay-express-transit-london.jpg

Express Transit is an Apple Pay feature that allows for tap-and-go payment at ticket barriers, eliminating the need to authenticate with Face ID, Touch ID, or a passcode. The device does not need to be wakened or unlocked to use Express Transit.

Computer Science researchers from Birmingham and Surrey Universities demonstrated to the BBC how the attack works by exploiting a weakness in the Visa contactless system through the use of a small piece of commercially available radio equipment, which is placed near the phone and masquerades as a ticket barrier.

An Android phone running an app developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal and modifies the communications to fool the terminal into acting as if the iPhone has been unlocked and a payment authorized.

In demonstrating the attack, researchers made a contactless Visa payment of £1,000 from a locked iPhone. The scientists only took money from their own accounts. The researchers said the Android phone and payment terminal used don't need to be near the victim's iPhone as long as there's an internet connection.

Apple told the BBC the matter was an issue with the Visa system.
"We take any threat to users' security very seriously," said Apple. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."
The researchers said the attack might be easiest to deploy against a stolen iPhone, although there's no evidence that the hack has been used in the wild. Visa said payments were secure and attacks of this type were impractical outside of a lab.
"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," said a Visa spokesperson. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."
The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed. The researchers also tested Express Transit with Mastercard but found that the way its security works prevented the attack.

"It has some technical complexity," said Dr Andreea Radu, of the University of Birmingham, who led the research. "But I feel the rewards from doing the attack are quite high. In a few years these might become a real issue."

Dr Tom Chothia, also at the University of Birmingham, advised iPhone users to check if they have a Visa card set up to use Express Transit and if so, disable it. "There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are," he said.

Article Link: Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones
 
Last edited:

Pezimak

macrumors 6502
May 1, 2021
477
324
I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, bedsides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in anyway.
I suggest they forget the convenience and activate some security. People will just have to unlock there phones, better safe then sorry as they say.
 
Last edited:

haruhiko

macrumors 603
Sep 29, 2009
6,117
4,916
Credit card itself is a risky payment method… a tap on the card can take away your money… or even just copy your number and enter somewhere online. A balance has to be struck between convenience and risk. If you eliminate all risk, there is no convenience left. Apple Pay is already a very good middle ground.
 
Last edited:

Richu

macrumors newbie
Apr 23, 2021
4
19
Tbh the consumers aren’t at risk since VISA covers eventual losses. There’s nothing to be upset about.

There’s a countless number of scams that can be run against VISA. that they do risk/reward calculations on different prevention systems.
- A lot of the time the scams aren’t profitable (or even doable) for the scammer to run at scale
- Other times it’s not profitable to prevent at scale, thus better to just absorb the cost and compensate the consumer
- Lastly, sometimes it makes sense to prevent the scam... A lot of we’ve never heard of because they’re already prevented
 

Rooster 🐓

macrumors newbie
Jun 7, 2021
18
37
Wish I’d had these security experts with me at the dentist this week when Apple Pay wouldn’t process payment for my treatment!

I’m personally unconcerned by this - lab based with experts and not representative of the real world - and banks would refund any fraud. As has been said, it’s a risk with anything contactless, such as keyless car entry.

For me, the convenience and benefits far outweigh the risks.
 

szw-mapple fan

macrumors 68020
Jul 28, 2012
2,493
2,584
I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, bedsides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in anyway.
I suggest they forget the convenience and activate some security. People will just have to unlock there phones, better safe then sorry as they say.
You can always turn off express transit if you’re afraid of this kind of attack. But since visa is covering the risk anyways, I don’t see much risk for the consumer, especially compared to one tap credit cards.
 

Davelfc

macrumors 6502
Mar 2, 2014
290
462
Liverpool
Tbh the consumers aren’t at risk since VISA covers eventual losses. There’s nothing to be upset about.

There’s a countless number of scams that can be run against VISA. that they do risk/reward calculations on different prevention systems.
- A lot of the time the scams aren’t profitable (or even doable) for the scammer to run at scale
- Other times it’s not profitable to prevent at scale, thus better to just absorb the cost and compensate the consumer
- Lastly, sometimes it makes sense to prevent the scam... A lot of we’ve never heard of because they’re already prevented
Yeah they never pass these losses on to other customers.
 

tmiw

macrumors 68020
Jun 26, 2007
2,275
520
San Diego, CA
So, how exactly could this be fixed by Apple and/or Visa? Other than simply disabling Express Transit for anything other than closed-loop transit agency cards, of course.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.