‘Delete account,’ security researchers advise Apple Pay users

Commuters who use Apple Pay to tap in and out of public transport could be at risk of having “unlimited” sums of money stolen from their Visa payment cards.

Researchers from two British universities identified a vulnerability that occurs when an Apple Pay user sets a Visa credit or debit card as their “Express Transit” payment option in their iPhone’s wallet.

In a video demonstrating the vulnerability, the researchers were able to take a £1,000 (€1,158) contactless payment from a locked iPhone.

The researchers said that the security flaw only occurred when using a combination of Apple Pay and Visa. Other combinations – for example, Apple Pay and Mastercard or Samsung Pay and Visa – were not affected.

“iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are,” said study co-author Tom Chothia from the University of Birmingham.

Both companies told Euronews Next that the flaw was unlikely to be exploited in real-life situations.

How does the flaw work?

The vulnerability takes advantage of the iPhone’s Express Transit mode, which is most often used to allow a user to tap in and out of public transport without having to unlock their phone or approve the payment.

The researchers found that they could use simple radio equipment to trick an iPhone into thinking it was communicating with a ticket gate, thereby activating Express Transit mode.

However, in reality the signal was being passed wirelessly via an Android phone to a contactless payment terminal.

By modifying the code passed from the iPhone, the researchers were able to cause the contactless terminal to believe that the iPhone’s user had authorised a payment, for example by PIN, Face ID or Touch ID, removing any cash limits on the transaction.

A video of the process in action showed it took the researchers around 20 seconds to take over €1,000 from a locked iPhone.

Taking responsibility

According to the researchers, they informed Apple of the security flaw in October last year, while Visa was told in May 2021. They say, however, that the vulnerability remains unpatched.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said University of Birmingham research leader Andreea Radu.

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” she added.

Contactless fraud ‘impractical’

Euronews Next contacted both Apple and Visa to ask why the flaw had not been addressed.

“This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place,” an Apple spokesperson said in a statement.

“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy,” the spokesperson continued.

Euronews Next pointed out that the researchers described the issue as “a combination of flaws in both Apple Pay and Visa’s system” and claimed that “either Apple or Visa could mitigate this attack on their own,” but Apple refused to comment further.

Visa told Euronews Next that the potential threat to its customers was low, as schemes targeting individuals were hard to scale up.

“Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence,” a Visa spokesperson said.

“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” they added.