How Apple Pay Visa Contactless Hack Happen? Researchers find Answers

Researchers has now found how Apple Pay and Visa contactless hack happen to prevent people from loosing their money if they loose their iPhones.

Researchers have discovered a vulnerability in how Visa systems interact with Apple Pay’s “Express Transit” feature, which allows commuters to make quick contactless payments without unlocking their iPhone. You have to be careful and Prevent Yourself from Falling into Charity Scam & Fraud This Holiday Season. Always keep your phone safe from unauthorized users when using Apple Pay for Online and in-Store Payment.

This weakness allows unauthorized contactless payments, including large transactions, to be made on locked iPhones. In a video demonstration, researchers successfully made a £1,000 contactless payment using a locked iPhone and a Visa card set up in “Express Transit” mode.

Apple has acknowledged the issue, stating that it is a concern with the Visa system. Visa, on the other hand, claims that payments made through their system are secure and that such attacks are impractical outside of a controlled laboratory environment.

The researchers from Birmingham and Surrey Universities’ Computer Science departments have identified this problem and highlighted the specific vulnerability in the interaction between Visa systems and the “Express Transit” feature.

It is important for Visa and Apple to address this vulnerability to ensure the security and integrity of contactless payment systems.

Demonstration of the Apple Pay Visa Attack

During the demonstration, the researchers emphasized that they only accessed funds from their own accounts and did not engage in any malicious activities.

To explain the attack in simplified terms, here are the key steps involved, although certain important details have been intentionally excluded:

  1. A commercially available radio device is placed near the targeted iPhone, tricking it into believing it is interacting with a ticket barrier.
  2. Simultaneously, an Android phone running a specific application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal, which can be under the control of the criminals or located in a shop.
  3. Since the iPhone assumes it is making a payment at a ticket barrier, it does not require unlocking.
  4. Meanwhile, the communication between the iPhone and the payment terminal is altered to deceive the terminal into thinking the iPhone has been unlocked and the payment has been authorized. This allows for high-value transactions to be processed without the need for a PIN, fingerprint, or Face ID verification.
  5. In a video demonstration witnessed by the BBC, the researchers successfully made a £1,000 Visa payment without unlocking the iPhone or explicitly authorizing the transaction.

The researchers highlight that the Android phone and payment terminal do not need to be physically close to the targeted iPhone. As long as an internet connection is available, the devices can be located on different continents, as explained by Dr. Ioana Boureanu from the University of Surrey. New update: How to Know if Your Bank is Contacting You or an Online Scammer?

Similar Posts:

Stolen iPhones

Currently, the researchers have only demonstrated the attack in a controlled laboratory environment, and there is no evidence to suggest that criminals are actively exploiting this vulnerability.

Ken Munro, a security researcher from Pen Test Partners who was not involved in the research, expressed that the findings were “a truly innovative piece of research” and emphasized the need for a swift solution to address the issue.

He likened the attack to tapping a contactless credit card terminal against someone’s wallet or purse, but he noted that this particular attack was even more malicious. It no longer requires the card terminal itself, but rather a small electronic device capable of relaying fraudulent transactions elsewhere.

Munro raised concerns, particularly regarding lost or stolen phones. He highlighted that the perpetrator no longer needs to worry about being noticed while carrying out the attack.

The researchers from the university also suggested that the attack might be most easily executed against a stolen iPhone. You can browse through “What You Need to Know About Scam SMS & Email this Year“.

Apple Pay Visa Contactless Hack
Apple Pay Visa Contactless Hack

Concerns of Researchers and Apple Pay users

Almost a year ago, the researchers initially approached Apple and Visa to express their concerns about the issue, and while there have been constructive discussions, the problem remains unresolved.

Visa’s perspective is that this type of attack is “impractical.” The company assured the BBC that Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue using them with confidence. According to Visa, similar contactless fraud schemes have been studied in controlled environments for over a decade and have proven to be impractical to execute on a large scale in the real world.

It’s worth noting that Visa’s fraud detection systems might detect and block unusual spending patterns. However, the researchers did not encounter this issue during their laboratory tests. Additionally, there is the practical challenge of physically accessing a victim’s phone.

If individuals suspect they have lost their phone, they can utilize Apple’s iCloud to block Apple Pay or remotely wipe the device. They can also notify Visa to block payments and take appropriate action.

Apple’s Response to BBC

Apple responded to the BBC by stating that they take any threat to user security seriously. While they acknowledge the concern with a Visa system, they believe the multiple layers of security in place make this type of fraud unlikely to occur in the real world. Apple further emphasized that if an unauthorized payment were to occur, Visa’s zero liability policy would protect cardholders.

However, Dr. Andreea Radu, the lead researcher from the University of Birmingham, cautioned that complex attacks that succeed in the laboratory can eventually be exploited by criminals. She expressed concerns about the potential high rewards for carrying out such an attack. If left unaddressed, she believes these issues could become a real problem in the coming years.

Dr. Tom Chothia, also from the University of Birmingham, advised iPhone owners to check if they have a Visa card set up for transit payments and, if so, recommended disabling it. He emphasized that Apple Pay users do not need to be in danger, but until Apple or Visa resolve the issue, there is a potential risk. You can Turn off Your iPhone Lock Screen Feature to Boost Security of your device.

Secure Systems

The researchers conducted tests on Samsung Pay and determined that it could not be exploited in the same manner. Additionally, they tested Mastercard and found that its security measures effectively prevented the attack. Therefore this issues was only with Apple Pay Visa Contactless Hack by cyber criminals.

Dr. Ioana Boureanu, a co-author from the University of Surrey, highlighted that these findings demonstrate the possibility of developing systems that are both secure and user-friendly.

The research findings are scheduled to be presented at the 2023/2024 IEEE Symposium on Security and Privacy.

Trending Guides

- Advertisement -

Related Stories