A nasty Apple Pay bug, if exploited, gives hackers access to iPhone users' Visa cards, allowing them to make remote financial transactions using the victim's money. Even if one's phone is locked, malicious actors can still take advantage of this Apple Pay flaw.
Researchers at the University of Birmingham and the University of Surrey approached Visa with their findings, but the credit-card giant snubbed the investigation, concluding that the complex hack is too "impractical" to be concerned about (via BBC).
Apple Pay bug only affects iPhone users with Visa cards
The Apple Pay bug takes advantage of Express Transit, an Apple Pay perk for commuters. Express Transit lets users make easy, contactless Visa payments at travel kiosks and ticket booths. For example, with Express Transit, a user can hurriedly whip out their locked device, touch it against a ticket-gate scanner, pay, and scurry off.
The researchers discovered a weakness in how Visa handles Express Transit transactions. The investigators broke down how this hack could be executed.
- A small piece of radio equipment is placed adjacent to the targeted iPhone, "tricking it" into believing that it is in contact with a ticketing system (the researchers did not specify the type of radio equipment, presumably to prevent copycats).
- An Android phone running an app relays signals from the iOS device to a contactless payment terminal in a store.
- The iPhone believes that it's paying a ticketing system, so it doesn't prompt the user to unlock the device.
- The hacker initiates high-value transactions without needing a pin number, fingerprint or Face ID.
The Android device and payment terminal don't need to be near the target's iPhone. "[They] can be on another continent from the iPhone as long as there's an internet connection" University of Surrey's Dr. Ioana Boureanu told BBC.
According to the BBC, the researchers sent a demo video to the news platform simulating the hack, and the investigators were able to make a $1,350 Visa payment without unlocking the iPhone or authorizing the transaction.
As mentioned, the investigators told Visa about their report, but the company deemed the hack to be too complex. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa told the researchers.
Apple concurred with Visa. The Cupertino-based tech giant said that it takes threats to users' security very seriously, but noted that the fraud highlighted in the researchers' report is unlikely to take place in the real world, especially with its multi-layer security features.
Although University of Birmingham's Dr. Andreea Radu agrees that the hack is difficult to execute, she's not on board with Apple and Visa's lackadaisical attitude toward the bug. "It has some technical complexity, but I feel the rewards from doing the attack are quite high," Radu said.
It's worth noting that the researchers also tested iPhones with Mastercard setups as well as Samsung Pay, but couldn't manage to hack them.
If you're concerned about the Apple Pay Bug, the researchers suggest disabling the Express Transit feature.