Cybersecurity researchers have revealed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device’s Wallet.
“An attacker only needs a stolen, powered-on iPhone. Transactions can also be relayed from an iPhone inside someone’s bag, without their knowledge,” a group of academics from the University of Birmingham and the University of Surrey said. “The attacker does not need help from the merchant and the backend fraud detection controls have not stopped any of our test payments.”
Express Travel is a feature that allows iPhone and Apple Watch users to make quick contactless payments for public transportation without having to activate or unlock the device, open an app, or even validate with Face ID, Touch ID, or a password.
The man-in-the-middle (MitM) replay and relay attack, which involves bypassing the lock screen to illicitly make a payment to any EMV reader, is possible due to a combination of flaws in the Apple Pay and Visa systems, and it does not affect, say, Mastercard on Apple Pay or Visa cards on Samsung Pay.
The modus operandi is based on mimicking a transit gate transaction by using a Proxmark device that acts as an EMV card reader communicating with the victim’s iPhone, and an NFC-enabled Android application that works as a card emulator to relay the signals to a payment terminal.
Specifically, it takes advantage of a unique code, also known as Magic Bytes, transmitted by transit gates to unlock Apple Pay, resulting in a scenario where, by replaying the sequence of bytes, the Apple device is tricked into authorizing an unauthorized transaction as if it originated at the ticket barrier, when, in fact, it has been triggered through a contactless payment terminal under the control of the attacker.
At the same time, the EMV reader is also tricked into believing that user authentication has been performed on the device, allowing payments of any amount to be made without the knowledge of the iPhone user.
Apple and Visa were alerted to the vulnerability in October 2020 and May 2021, respectively, the researchers said, adding that “both parties acknowledge the severity of the vulnerability, but have not reached an agreement on which party should implement a fix.”
In a statement shared with the BBC, Visa said this type of attack was “impractical”, adding: “Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to run at scale in the real world.”
“This is a concern with the Visa system, but Visa does not believe that this type of fraud can occur in the real world given the multiple layers of security in place,” an Apple spokesperson told the UK national broadcaster.
Author: Ravie Lakshmanan