Apple Pay and Visa flaw leaves iPhones vulnerable to hackers

Vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and make unauthorised contactless payments, according to new research.

Experts at the University of Birmingham and the University of Surrey found that hackers could also change the contactless limit, meaning transactions of any amount could be carried out.

The researchers discovered that the vulnerability occurs when Visa cards are set up in Express Transit mode, which is used by many commuters at train and underground stations.

The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.

Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’, will unlock Apple Pay.

The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.

At the same time, the researchers’ method persuades the shop reader that the iPhone has successfully completed its user authorisation, so payments of any amount can be taken without the iPhone user’s knowledge.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea Radu, who led the research at the School of Computer Science, University of Birmingham. “Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

A spokesperson from Apple said: "We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy."

A spokesperson from Visa said: "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."
