Apple Pay failure with Visa cards allows payments without owner authorization

2021-09-30
Researchers have found a flaw that allows Apple Pay payments to be made from a locked iPhone, without the knowledge of the device’s owners.

This method works even if the iPhone is in a pocket or a backpack, and it also bypasses the Apple Pay transaction limit.

Researchers at the University of Surrey in the United Kingdom, during a study of proximity payments, found that iPhones normally require the user to confirm a transaction through passcode entry, Touch ID (fingerprint) or Face ID (face recognition).

However, in some scenarios, such as paying for public transport in European countries, this confirmation step becomes cumbersome for users. That is why Apple introduced the “Express Public Transport” function, which allows transactions to take place without authentication.

Express Public Transport only works with specific services, such as London Underground turnstiles, whose payment readers emit a specific data string designed to activate this Apple Pay function.

According to the researchers, Apple Pay’s Express Public Transport mode, combined with a Visa card, can be used by criminals to make payments without the user’s knowledge.

How it works

Picture showing the devices used to perform the Apple Pay failure test. (Image: Playback/BleepingComputer)

The failure is due to a vulnerability in the way Visa cards are used in conjunction with Apple Pay’s Express Public Transport mode. When tested with Mastercard cards, the problem is unlikely to occur because of an extra check that the card issuer’s systems perform on the iPhone attempting the transaction.

According to the researchers, exploiting the vulnerability requires the following steps:

  • A small radio device, such as one of the Proxmark brand, is placed near an iPhone with a Visa card registered in Apple Pay Express Public Transport mode, tricking the phone into thinking it is near a transport payment terminal;
  • At the same time, an application created by the researchers runs on an Android device, relaying the iPhone’s signals to a contactless payment terminal;
  • Because the iPhone believes it is close to a transport payment terminal, it activates its Express Public Transport function, thus allowing payments to be made without unlocking the phone;
  • Meanwhile, the Android application modifies the iPhone’s signals as they are received by the contactless payment terminal, making it believe the iPhone is unlocked and allowing high-value transactions to be carried out without the need to unlock the smartphone.

In the vulnerability demonstration, the researchers made a payment of approximately US$ 1,300 (about R$ 7,100 at the exchange rate at the time) from the locked iPhone. The researchers also stated that the Android phone and the payment terminal do not need to be close to the victim’s iPhone for the flaw to be abused; all that is needed is an Internet connection.

The researchers say they sent their report to Apple and Visa in October 2021 and May 2021, respectively. The two companies responded by blaming each other for the vulnerability.

Contacted by the website BleepingComputer, the payment company issued a statement saying that its cards that support Apple Pay’s Express Public Transport feature are safe and that their owners can continue to use them with confidence. It also says that contactless payment fraud schemes have been studied for more than a decade and have always proved impractical in the real world. Finally, the company emphasizes that if this flaw affects any user, victims are protected by the insurance that comes with their cards.

Apple also issued a statement about the vulnerability, but to the BBC. The company Steve Jobs founded told the news site that this flaw is Visa’s responsibility, adding that the payments company does not believe this type of scam is viable in the real world. Apple concludes, as Visa does, that in the unlikely event of such a fraud happening to a user, cardholders are protected by the financial company’s insurance.

Source: BBC, BleepingComputer, iMore, MacRumors

