Recent research in the UK has revealed a flaw in Apple Pay that could let attackers steal money by making unauthorized contactless payments from an iPhone. On Thursday, researchers from the University of Birmingham and the University of Surrey released a paper describing how the flaw can be exploited.
The attack bypasses the iPhone lock screen. The researchers traced the vulnerability to the Express Transit feature, which Apple first introduced in iOS 12.3.
The reason behind the Apple Pay security flaw
The Express Transit feature lets iPhone users pay quickly for rides on public transportation with a card in the Wallet app. Apple says that with this feature you don't need to validate with Face ID, Touch ID, or your passcode. That means a payment can be made without even unlocking the phone.
This same feature is the key to the exploit. The researchers explain in the paper that ticket readers transmit a non-standard sequence of bytes, which they call "magic bytes", that bypasses the lock screen. Transmitting these magic bytes triggers Express Transit. Apple Pay then checks the required criteria and, if everything is found to be fine, proceeds with the payment.
By mimicking a ticket reader, the researchers were able to process contactless payments through Apple Pay. The attack worked only with Visa cards, but it was surprisingly effective.
The researchers claimed they were able to make a fraudulent payment from a locked iPhone using an EMV shop reader, and there is probably no limit on the amount.
Will Apple and Visa take any steps to fix this?
However, neither company is doing anything to fix this vulnerability. Here is what the researchers heard after informing Apple and Visa.
“We disclosed this attack to both Apple and Visa, and discussed it with their security teams. Apple suggested that the best solution was for Visa to implement additional fraud detection checks, explicitly checking Issuer Application Data (IAD) and the Merchant Category Code (MCC). Meanwhile, Visa observed that the issue only applied to Apple (i.e., not Samsung Pay), so suggested that a fix should be made to Apple Pay. We verify Apple’s and Visa’s possible solutions in Tamarin and show that either would limit the impact of relaying. At the time of writing neither side has implemented a fix, so the Apple Pay Visa vulnerability remains live”
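The following is an added example, not code from the researchers, Apple or Visa: a sketch of the issuer-side fraud check described in the quote, which flags a payment when the IAD shows no on-device user verification and the MCC is not a transit merchant. The `device_user_verified` flag (assumed to be already decoded from the IAD by the issuer), the set of transit MCCs and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed issuer policy: MCCs treated as transit merchants
# (4111 commuter transport, 4112 passenger railways, 4131 bus lines).
TRANSIT_MCCS = {"4111", "4112", "4131"}


@dataclass
class AuthRequest:
    txn_id: str
    mcc: Optional[str]                    # Merchant Category Code from the acquirer
    device_user_verified: Optional[bool]  # hypothetical flag decoded from the IAD
    amount_minor: int                     # amount in minor units (pence, cents)


def evaluate(req: AuthRequest):
    """Return (decision, reason) for the IAD/MCC consistency check only."""
    # Fail closed: without both fields the check cannot be made.
    if req.device_user_verified is None or req.mcc is None:
        return ("FLAG", "missing IAD or MCC data")
    if req.device_user_verified:
        return ("PASS", "user verified on the device")
    # Unverified payments are expected only from Express Transit at a transit gate.
    if req.mcc in TRANSIT_MCCS:
        return ("PASS", "unverified payment at a transit merchant")
    # The amount is not consulted: the mismatch alone is the signal.
    return ("FLAG", "unverified payment at a non-transit merchant")


def screen(requests):
    """Map each transaction id to its decision."""
    return {r.txn_id: evaluate(r)[0] for r in requests}


# Constructed sample authorization requests (not real transaction data).
SAMPLE = [
    AuthRequest("t1", "4111", False, 250),     # locked phone at a ticket gate
    AuthRequest("t2", "5411", True, 4200),     # unlocked phone at a grocery shop
    AuthRequest("t3", "5732", False, 100000),  # locked phone at an electronics shop
    AuthRequest("t4", None, False, 300),       # MCC missing from the request
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.txn_id, *evaluate(req))
```
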