Apple Pay payments can be stolen from your iPhone over the air, and the problem still exists because neither Apple nor Visa wants to be the one to fix it, UK-based researchers say.
The researchers, from the universities of Birmingham and Surrey, showed in a new website and research paper that they could replicate Transport for London contactless-card readers using off-the-shelf equipment and steal £1,000 (about $1,350 U.S.) from iPhones using Apple Pay as long as the payments were tied to a Visa card.
- The best Samsung watch in 2021
- The best Mac antivirus software
- Plus: YouTube TV's cord-cutter nightmare delayed as NBCU channels stay for now
Because of this, a hacker or crook with the right equipment in a coat pocket could lurk in subway stations in major cities and capture Apple Pay transactions from passersby, then "replay" the transactions at retail stores anywhere in the world.
Phone thieves could also use this method to extract money from locked iPhones that are continuously powered on.
"Perhaps the greatest worry is for a lost or stolen phone," Pen Test Partners head Ken Munro, who was not involved in this research, told the BBC. "The crook doesn't have to be concerned about being spotted by others as they carry out the attack any more."
Yet because of a dispute over whose system is at fault, Apple and Visa are apparently pointing fingers at each other.
"There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are," researcher Tom Chothia, of the University of Birmingham, told the BBC.
"We take any threat to users' security very seriously," Apple told Tom's Guide. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
"In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy."
How to protect yourself from this attack
To protect yourself from this kind of attack, do not tie a Visa card to Apple Pay's Express Transit or Express Travel mode, which are explained below.
If your iPhone is stolen or lost, use iCloud to remotely disable Apple Pay altogether. If you believe fraudulent transactions have been made using your Visa card and Apple Pay, inform your card issuer immediately.
Why this attack can happen
The flaw has to do with two different things. The first is Apple's "Express Transit" or "Express Travel" mode, which was introduced with iOS 12.3 in May 2019. It permits Apple Pay transactions without the iPhone owner unlocking the phone's screen, such as when moving rapidly through a subway turnstile. The second issue is in the way Visa handles such payments.
With a MasterCard instead of a Visa card tied to the Apple Pay payment, the theft didn't work, the researchers said. Nor did it work on Samsung phones using Samsung Pay, which has a similar locked-screen transit mode.
According to an Apple support document, Express Transit/Travel is supported on transit systems in London, New York, Beijing, Shanghai, Hong Kong, Los Angeles, Chicago, Washington, D.C., Portland, Oregon, the San Francisco Bay Area and throughout Finland and Japan.
How the hack works
The researchers set up shop in several London Underground stations and captured the signals sent between the contactless-card readers at the turnstiles and their own iPhones. They then programmed handheld Proxmark RFID (radio frequency identification) tools to mimic the Transport for London card readers.
The researchers found that the turnstiles broadcast a 15-byte sequence to let the iPhones know that they were interacting with a transit system. The iPhones then activated Apple Pay upon receipt of these "magic bytes," despite the iPhones still being locked.
After that, an Apple Pay transaction could be made and processed. The researchers used an Android phone communicating with the Proxmark to act as a card payment system and were able to process transactions. The attacker's Android phone does not need to be close to the targeted iPhone.
"It can be on another continent from the iPhone as long as there's an internet connection," researcher Ioana Boureanu of the University of Surrey told the BBC.
Overriding the payment limit
However, Express Transit/Travel places a fairly low limit on the amount that can be charged. But the researchers found that they need to change only two bits in the transmission between the Proxmark and the card-payment system to override that limit.
Visa told the researchers that "if this attack was to raise fraud alerts ... it would be eventually stopped," according to the research paper. "We performed our attack multiple times, on large values, from the same card, and we were never blocked and flagged for fraud."
Visa has proposed a counter-measure to stop this attack, the researchers said, but they added that it could easily be bypassed. Instead, the researchers propose that Visa or Apple implement a variation on the method that MasterCard uses to successfully block these attacks.
The researchers say they told Apple of this vulnerability in October 2020 and Visa in May 2021. Each company, say the researchers, continues to blame the other, although the researchers point out on their website that "either Apple or Visa could mitigate this attack on their own."
"Apple suggested that the best solution was for Visa to implement additional fraud detection checks," states the research paper. "Meanwhile, Visa observed that the issue only applied to Apple (i.e., not Samsung Pay), so suggested that a fix should be made to Apple Pay."
Furthermore, the research paper adds, "Apple did not pay a bug bounty, even though they advertise $100,000 for bypassing a lock screen, and our attack bypasses the Apple Pay lock screen."
"Contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa told the BBC and ZDNet.
Needless to say, the researchers who discovered this flaw nearly a year ago are frustrated.
"Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users," researcher Andreea-Ina Radu of the University of Birmingham told ZDNet.
"Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely."
The researchers, who aside from Boureanu, Chothia and Radu include Liqun Chen and Christopher J.P. Newton of the University of Surrey, plan to formally present their results at the IEEE Symposium on Security and Privacy in May 2022 in Oakland, California.
Similar findings by Timur Yunusov and Leigh Galloway will be presented at Black Hat Europe in November 2021.