Friday, October 1, 2021
The mode is meant to speed small-dollar contactless transactions in mass transit situations, such as subways, while an iPhone remains locked. But researchers said iPhones also can be tricked into allowing larger Visa card payments while locked.
"We investigate transport payment modes and find that we can build on relaying to bypass the Apple Pay lock screen and illicitly pay from a locked iPhone to any EMV reader, for any amount, without user authorization," the researchers wrote.
The team, from the University of Birmingham and the University of Surrey, uncovered the flaw as part of a project dubbed TimeTrust, funded by the UK National Cyber Security Center. Their findings are to be presented at an upcoming security conference, but a paper explaining how the flaw was uncovered, along with a video demonstration, was posted online by the University of Surrey.
The vulnerability is tied to a combination of flaws in the Apple Pay and Visa systems, the researchers reported, and does not affect Mastercard on Apple Pay or Visa on Samsung Pay.
In the demonstration video, the team was able to make a small payment without unlocking the iPhone or taking authorization steps. They did so by using a commercially available piece of radio equipment, and an Android phone running an application developed by the team to trick an iPhone into thinking it was communicating with a contactless terminal. Because the iPhone thought it was dealing with a transit terminal, it didn't need to be unlocked.
The BBC reported that it saw a demonstration in which communications with the bogus payment terminal were modified to indicate that the iPhone had been unlocked, and a high-value payment was authorized without a PIN, fingerprint or facial recognition.
The researchers said that successfully launching such an attack requires close proximity to an iPhone, which can be achieved by standing next to an iPhone user or by coming into possession of a lost or stolen iPhone.
The researchers said they reported the security flaw to both Apple and Visa, but each company pointed the finger of blame at the other, and neither has taken steps to rectify the problem.
"We disclosed this attack to both Apple and Visa, and discussed it with their security teams," the team wrote. "Apple suggested that the best solution was for Visa to implement additional fraud detection checks, explicitly checking the Issuer Application Data (IAD) and the Merchant Category Code (MCC). Meanwhile, Visa observed that the issue only applied to Apple (that is, not Samsung Pay) and suggested that a fix should be made to Apple Pay."
The researchers said they have verified a fix that either company could put in place. "At the time of writing neither has implemented a fix, so the Apple Pay Visa vulnerability remains live," they added.
So far, these attacks have only occurred in a lab, and there is no evidence criminals are yet exploiting the vulnerability, the BBC reported.
Visa told the BBC that the attack described was "impractical." It elaborated, stating, "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."
But Dr. Andreea-Ina Radu of the University of Birmingham, who led the project team, wasn't convinced. "It has some technical complexity, but I feel the rewards from doing the attack are quite high," she told the BBC. She added that, left unaddressed, "in a few years these might become a real issue."
Radu and her team recommended that all iPhone users verify that they do not have a Visa card set up on transit mode; if they do, they should disable it.