According to new research, vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and perform contactless payments.
The researchers from the University of Birmingham and the University of Surrey discovered the vulnerability occurs when Visa cards are set up in ‘Express Transit mode’ in an iPhone’s wallet.
Transit mode is a feature on many smartphones that enables commuters to make a swift contactless mobile payment at, for example, an underground station turnstile without fingerprint authentication.
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said researcher Andreea Radu from the University of Birmingham.
The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay, the study, to be presented at the 2022 IEEE Symposium on Security and Privacy, indicated.
Using simple radio equipment, the team identified a unique code broadcast by the transit gates or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’ will unlock Apple Pay.
The team found they could then use this code to interfere with the signals between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.
At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorization, so payments of any amount can be taken without the iPhone’s user’s knowledge.
The researchers found their approach could also be used to bypass the contactless limit allowing transactions of any amount to be performed.