Dangerous flaw could be used to make contactless payments from iPhone inside someone’s bag

iPhone users have been urged to remove Visa as a transport card via Apple Pay after researchers uncovered a dangerous flaw.

Researchers from the University of Birmingham and the University of Surrey have suggested that fraudsters could use this flaw to bypass security and make unlimited contactless payments.

The experts have warned that the issue could even be exploited to make transactions from someone’s iPhone while it’s inside their bag and without their knowledge.

They claim the vulnerability only happens on Apple Pay when a Visa card is set up as an Express Travel Card, also known as Express Transit mode – a feature intended for owners to tap in and out of public transport without needing to unlock their phone.

Using simple radio equipment, the team were able to trick the iPhone into thinking it was communicating with a transit gate when it was in fact talking to a shop payment reader, a technique known among cyber experts as a “man-in-the-middle” attack.

The Apple Pay travel feature has a flaw which could be exploited by fraudsters

This was done by identifying a unique code broadcast by transit gates or turnstiles, which was then used to interfere with the signals between the iPhone and a shop card reader.

Dr Tom Chothia, co-author of the study from the University of Birmingham said: “iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it.

“There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are.”

Back-end fraud detection checks were also unable to stop any payments going through in tests carried out by the group.

Researchers said they shared details of the problem with Apple and Visa, claiming both companies acknowledged the seriousness of the vulnerability but have not come to an agreement on who should implement a fix.

Visa responded by saying its cards are secure with the feature, and that cardholders should continue to use them “with confidence”.

A spokeswoman said: “Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.

“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”

Apple has also been approached for comment.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said University of Birmingham’s Dr Andreea Radu, who led the study.

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

The weakness does not affect other combinations, such as Mastercard on an iPhone or Visa on Samsung Pay.

Full results of the study will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.

Co-author Dr Ioana Boureanu, from the University of Surrey, added: “We show how a usability feature in contactless mobile payments can lower security.

“But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure.

“Apple Pay users should not have to trade off security for usability, but at the moment some of them do.”
