Visa Contactless Payment Hacking Is Possible Through Apple Pay
Exploitation of Apple Pay Allows Individuals to Make Large Quantities of Unauthorized Contactless Payments on Locked iPhones
It has recently come to the knowledge of researchers that large-quantity authorized payments without any contact required can be allowed to make through iPhones that are locked by easy exploitation of a feature by Apple Pay, that has been designed for people that commute through public transport on a regular basis to quickly be able to make transactions at the ticket barriers that are able to work with Visa.
In video footage, several researchers have demonstrated that it is now possible due to a loophole in the software used by Apple in the making of Apple Pay, through which any individual is able to make contactless Visa payments through a locked iPhone. When asked, Apple commented that this matter is a serious concern for the Visa system.
According to Visa, these contactless payments have been made through secure means, and attacks that are similar to the one conducted in the viral video are completely impractical when performed outside of a lab.
It has been said by the researchers that the problem at hand-applied to the Visa cards which have been set up in Express Transit mode while being kept in the wallet of their personal iPhones. The Express Transit is a feature provided by Apple Pay that enables daily commuting individuals to be able to make contactless payments quickly without fully unlocking their iPhones, for example, while touching in and touching out at an Underground ticket barrier in London.
This is a very serious weakness in the Visa system, which works with the Apple Pay feature that has been highlighted and attacked by the researchers working in the Computer Science department of the Universities of Surrey and Birmingham.
Fraudulent contactless payment
During the demonstration of the prospective attack on Apple Pay, the scientists had only taken money from their own personal accounts. The attack to make contactless Visa payments through a locked iPhone is stated in simple terms, while many of the key details have been omitted deliberately.
By having a small-sized commercially available piece of radio equipment, place it near a locked iPhone, which tricks the phone into believing that it is dealing with a ticket barrier, as they have a similar radiofrequency. At the very same time duration, a separate smartphone with Android firmware is to run an application that has been previously developed by the researchers, which is then used to relay the signals coming from the iPhone to a terminal used for contactless payments, which could be present in a retail store or in the control of the criminals.
As the iPhone is tricked into thinking that it is payment while being at a ticket barrier, it does not require to be fully unlocked to access payment. Meanwhile, the communications of the iPhone with the terminal used for payment are modified into making the smartphone into thinking that it has been unlocked and the payment for the amount has been authorized by the owner on Apple Pay, which allows it into making some high-value transactions without putting any kind of unlock requirement including PIN, Face ID or fingerprint.
In the video, which demonstrated hacking into a feature of Apple Pay, the researchers had been able to make a transaction of about $1,000 without opening the lock on the iPhone or authorizing the amount for payment. The researchers also confirmed that the payment terminal or the Android smartphone that has been used in the process is not required to be in near proximity of the iPhone of the victim, as the Apple Pay can easily malfunction while the iPhone has a working internet connection.
Utilizing stolen iPhones
There is no evidence gathered which could confirm the authenticity of the attack, as the researchers have only demonstrated the possibility while doing it in a controlled setting while in a lab. According to a security researcher working at Pen Test Partners and no involvement in the research, said that the demonstration shows that they have really been able to innovate a piece of research and should be worked on more.
Attacking the feature by Apple Pay for contactless Visa payment authentication is similar to having a contactless terminal of credit card that is tapped into your purse or wallet. But the demonstration had a more insidious onset, as it does not require a card terminal, and only a small-sized electronic box is able to relay the fraudulent transactions from someplace else.