A team of researchers in the UK has uncovered security issues related to Visa cards and Apple Pay that could result in attackers bypassing the lock screen and making fraudulent payments.
According to the research, the flaw occurs when a Visa card is set up in Apple’s Express Transit mode on the iPhone. It could allow attackers to bypass the iPhone’s lock screen and make contactless payments without a password.
Apple’s Express Transit mode allows customers to quickly pay for transportation by credit, debit, or transit card without unlocking the device.
The researchers say the vulnerability only affects Visa cards stored in the Wallet. The cause is a unique code broadcast by transit gates or turnstiles, which signals the iPhone to unlock Apple Pay.
Using conventional radio equipment, the researchers were able to carry out an attack that tricked the iPhone into believing it was at a transit gate. In the proof-of-concept attack, an iPhone with Express Transit enabled made fake payments to a smart payment reader. A similar attack could occur in the wild by broadcasting the unique code and modifying a set of variables.
However, the researchers point out that the attack does not seem practical on a large scale. Even if an attacker managed to carry it out, banks and financial institutions have other mechanisms in place to deter fraud by detecting suspicious transactions.
The flaw was discovered by researchers from the University of Birmingham and the University of Surrey in the UK. The authors of the paper, which will be published at the 2022 IEEE Symposium on Security and Privacy, are Andreea-Ina Radu, Tom Chothia, Christopher JP Newton, Ioana Boureanu and Liqun Chen.
The researchers first warned Apple in October 2020 and Visa in May 2021.
In a statement to ZDNet, Visa says this type of attack is nothing new and customers have no reason to worry.
“Variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have been shown to be impractical to execute in large numbers in the real world,” the credit card company wrote. “Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security throughout the ecosystem.”