Security researchers have discovered a major flaw in Express Transit on the iPhone that allows hackers to steal money from a user’s Visa card. They say the problem can be easily solved, but neither Apple nor Visa seems interested.
The flaw allows the iPhone’s contactless payment system, designed to make public transport payments easier and faster, to be charged for arbitrary transactions by a device that mimics a transport terminal.
Express Transit on the iPhone has a big flaw
Express Transit on iPhone and Apple Watch does not require authentication, unlike using Apple Pay in a store or online. It skips this step to speed up payment so that users do not linger when catching trains, buses and other services.
Moreover, Apple Pay also has no payment limit, unlike contactless credit and debit cards. So, by simply using a device that mimics a public transportation terminal, hackers can charge the iPhone as much as they want with one touch.
Researchers from the Universities of Surrey and Birmingham were able to take advantage of this flaw to charge a payment of £1,000 (approximately $1,345) to one iPhone, even though it was locked at the time. But it only works with Visa cards.
Those who use a MasterCard or American Express card, which use an additional authentication procedure, are considered safe with Express Transit.
Express Transit must be enabled
Express Transit transactions cannot be performed remotely – an attacker must be close to your device to take advantage of this flaw. But it is possible that a fake payment terminal could be hidden in a bag and then touched against the user’s iPhone while it is in their pocket.
Express Transit is an optional feature that must be enabled manually, so your device is vulnerable only if you have activated it and connected it to a Visa card. What is worrying is that neither Apple nor Visa is willing to find a solution.
Apple blames the problem on Visa and told The Telegraph that “Visa does not believe that this type of fraud is likely to occur in the real world given the multiple layers of security in place.” It also pointed out that users are protected by Visa’s zero liability policy.
A Visa spokesman insisted that the cards associated with Express Transit were “safe” and that cardholders “should continue to use them with confidence”. They also refuted the findings, adding that “variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have proven impractical to perform in large numbers in the real world.”
This is different
Although Apple and Visa look nonchalant, there seem to be good reasons for iPhone owners to worry. Unlike other Apple Pay transactions, Express Transit payments do not have to be approved using Face ID, Touch ID or a password – and there is no limit to how much can be spent.
It is therefore entirely plausible that a hacker could hide a payment terminal in a bag and then hold it near the iPhone or Apple Watch of an unsuspecting victim on a busy train or platform to charge money that the iPhone owner knows nothing about until it leaves their bank account or appears on a statement.
The only way to prevent this is to simply stop using Visa cards with Express Transit.