Researchers have discovered a flaw in how Apple’s Express Transit feature works with Visa payment cards that could allow hackers to charge money to your Visa accounts set up in Apple Pay even when your iPhone is locked.
According to the BBC, researchers in the Computer Science departments of Birmingham and Surrey Universities were able to make a contactless Visa payment of £1,000 from a locked iPhone, without any authorization required from the device’s owner.
The problem, which seems to occur specifically with Visa cards, has to do with Apple Pay Express Transit, a feature that Apple unveiled in iOS 12 that allows you to make quick contactless payments from an iPhone or an Apple Watch without unlocking your device or even manually bringing up a specific payment card.
Instead, users designate one of their payment methods to be used specifically for Express Transit in their iPhone Wallet & Apple Pay settings. When an iPhone or Apple Watch is waved near a transit payment terminal, the appropriate fare is automatically deducted from that payment card without the need for authorization.
It’s understandably a very useful feature for busy commuters, and it’s been rolled out in cities from London to New York, where iPhone and Apple Watch users can just quickly and easily tap their devices to pay their fares and then move on right away.
While Express Transit doesn’t require authorization for payments, the system is also only supposed to be used to handle smaller transactions — those that would be typical of a transit fare. Unfortunately, it appears that Apple is relying on the payment processors to provide the necessary anti-fraud measures, and it looks like Visa may not be up to the challenge.
‘A Concern with a Visa system’
According to the BBC report, an Apple spokesperson rolled the problem back onto Visa’s shoulders, saying it was “a concern with a Visa system,” and not really Apple’s problem.
While you might think that Apple should take some responsibility for enforcing payment limits on features like Express Transit, it’s also fair to say that’s not really its job in this context, and in fact its agreements with Visa, Mastercard, and others may even preclude Apple from being involved in authorizing transactions, since that’s exclusively their responsibility.
Apple’s role is simply to pass the information on to the payment network and let them deal with it.
Since this problem is specific to Visa — researchers tested the same scenario with Mastercard but “found that the way its security works prevented the attack,” and other sources have indicated that other payment networks like American Express have similar protections in place.
The researchers also noted they approached both Apple and Visa almost a year ago with these concerns, and while they had “useful” conversations, the problem remains unfixed.
When contacted by the BBC, Visa downplayed the issue, saying that this attack was “impractical,” since it requires somewhat specialized equipment and very close contact to a potential victim’s iPhone or Apple Watch.
Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.
Visa
An Apple spokesperson basically suggested that it’s really up to Visa to decide whether this is a problem or not, adding that the company’s zero liability policy would protect its cardholders from such unauthorized payments anyway.
We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.
Apple
How It Works
The team of researchers demonstrated the attack by taking money from their own accounts, using specifically modified equipment that tricks the iPhone into thinking it’s talking to a transit payment system.
While the group naturally didn’t go into specifics, they did say that all that’s required is a “small commercially available piece of radio equipment” and an Android phone running a custom application.
The Android smartphone relays the information from the iPhone to another contactless payment terminal, which could be one in any retail store, or one that the criminals themselves control.
Essentially, what is happening here is that since the iPhone believes it’s talking to a legitimate transit payment terminal, it gives up the Visa credentials without being unlocked. That information is captured and “replayed” into a legitimate payment terminal, which can be set to charge any amount that the attackers decide upon.
The attacker’s phone and payment terminal used to authorize the transaction also don’t need to be anywhere near the victim’s iPhone, which could potentially make it much harder to track down the source of the attack.
It can be on another continent from the iPhone as long as there’s an internet connection.
Dr Ioana Boureanu, University of Surrey
Despite Visa’s insistence that the attack is impractical, lead researcher Dr. Andreea Radu says that complex attacks that work in the lab do end up being used by criminals, especially if there’s the potential for a large payoff.
It has some technical complexity – but I feel the rewards from doing the attack are quite high. In a few years these might be become a real issue.
Dr. Andreea Radu, University of Birmingham
How to Protect Yourself
To be clear, the researchers have only demonstrated this attack in a lab environment, and there’s been no evidence that it’s currently being exploited by anybody.
This isn’t all that different from the contactless credit card attacks that have been common knowledge for over a decade now, except of course for the fact that one of the selling points of Apple Pay is that it’s supposed to be more secure.
Further, a physical contactless card can be placed inside an RFID-shielded wallet, but that’s not really an option for an iPhone or an Apple Watch, both of which are also more likely to be used out in the open rather than hidden away in your pocket or purse.
Fortunately, if you’re concerned you could fall victim to this, there’s a very easy way to protect yourself — just avoid using a Visa card for Express Transit. Here’s how to check that:
- Open the Settings app on your iPhone.
- Scroll down and tap Wallet & Apple Pay.
- Under Transit Cards, tap Express Transit Card. A checkbox appears beside the card you’re currently using for Express Transit.
- Tap to either select an alternate card, or tap None to disable Express Transit entirely.
If you have an Apple Watch, you will need to check this as well, since it’s not tied to the Express Transit setting on your iPhone:
- Open the Watch app on your iPhone.
- Scroll down and tap Wallet & Apple Pay.
- Under Transit Cards, tap Express Transit Card. A checkbox appears beside the card you’re currently using for Express Transit.
- Tap to either select an alternate card, or tap None to disable Express Transit entirely.
There’s also no need to have Express Transit enabled at all unless you live in a city where it’s available and regularly use that city’s transit system. In this case, selecting “None’ is the most secure option.