Apple Pay bug could allow attackers to bypass lock screen, make payments

Posted:
in iPhone
A team of researchers in the U.K. has discovered security issues related to Visa cards and Apple Pay that could result in attackers bypassing the lock screen and making fraudulent payments.

Credit: Apple
Credit: Apple


According to the research, the flaw occurs when Visa cards are set up in Apple's Express Transit mode on an iPhone. The flaw could allow attackers to bypass the iPhone Lock Screen and make contactless payments without the passcode.

Apple's Express Transit mode allows users to quickly pay for transportation rides using a credit, debit, or transit card without unlocking their device.

The researchers say that the vulnerability only affects Visa cards stored in Wallet. It's caused by a unique code broadcast by transit gates or transit turnstiles that signal an iPhone to unlock Apple Pay.

By using common radio equipment, the researchers were able to perform an attack that tricked an iPhone into believing it was at a transit gate. The proof-of-concept attack involved an iPhone with Express Transit enabled making a fraudulent payment to a smart payment reader. A similar attack could occur in the wild by broadcasting the unique code and modifying a set of variables.

However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

The flaw was discovered by researchers from the University of Birmingham and the University of Surrey in the U.K. The authors of the paper, which is set to be published at the 2022 IEEE Symposium on Security and Privacy, are Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu, and Liqun Chen.

The researchers alerted Apple to the first in October 2020 and Visa in May 2021.

In a statement to ZDNet, Visa says this type of attack is nothing new and customers have little to worry about.

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," the credit card company wrote. "Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."

Read on AppleInsider

Comments

  • Reply 1 of 17
    chadbagchadbag Posts: 2,028member
    It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?
    watto_cobra
  • Reply 2 of 17
    chadbag said:
    It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?
    I don’t know the detail but a bbc news article on the subject states:

    The researchers also tested Samsung Pay, but found it could not be exploited in this way. 

    They also tested Mastercard but found that the way its security works prevented the attack.


    https://www.bbc.co.uk/news/technology-58719891

  • Reply 3 of 17
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    williamlondon
  • Reply 4 of 17
    This is worrying, hopefully, they will quickly find a fix for this.
    williamlondonwatto_cobra
  • Reply 5 of 17
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    As it only impacts Visa, I suspect this is a problem with Visa security. 
    DBSyncwilliamlondonericthehalfbeewatto_cobra
  • Reply 6 of 17
    mike1mike1 Posts: 3,442member
    chadbag said:
    It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?

    Any card and be selected for express pay.
    watto_cobra
  • Reply 7 of 17
    So all they were able to do is fool the device into thinking it was making a purchase for express transit. They haven’t said if the actual transaction went thru. I bet it wouldn’t. Why? Because as the article said:

    However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

    I think the issue has been around for some time because years ago people were complaining about transit charging them when they weren’t using it but near a turnstile that uses that feature. 

    The bigger problem is people being able to add a stolen credit card to their own device and using it. This has been going on for a couple years and banks have gotten smarter about not just authorizing any charge because you are using Apple pay. 
    vedelppawatto_cobra
  • Reply 8 of 17
    mknelsonmknelson Posts: 1,147member
    So all they were able to do is fool the device into thinking it was making a purchase for express transit. They haven’t said if the actual transaction went thru. I bet it wouldn’t. Why? Because as the article said:

    However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

    I think the issue has been around for some time because years ago people were complaining about transit charging them when they weren’t using it but near a turnstile that uses that feature. 

    The bigger problem is people being able to add a stolen credit card to their own device and using it. This has been going on for a couple years and banks have gotten smarter about not just authorizing any charge because you are using Apple pay. 
    I watched the video last night - they show the transaction in the victim phone's wallet.

    Adding stolen credit cards? I don't know how the banks are in your country, but in Canada there are some 2FA type steps to add any cart to ApplePay.
    watto_cobra
  • Reply 9 of 17
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

    It’s a Visa issue, not Apple.
    edited October 2021 williamlondonwatto_cobra
  • Reply 10 of 17
    vedelppa said:
    DAalseth said:
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    As it only impacts Visa, I suspect this is a problem with Visa security. 

    It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

    Do you just make stuff up without any evidence at all? 
    williamlondonwatto_cobra
  • Reply 11 of 17
    I use my Suica in Express Transit mode to pay for meals and purchases all the time. That’s the whole idea. It’s limited to small amount purchases. 
    watto_cobra
  • Reply 12 of 17
    looplessloopless Posts: 343member
    vedelppa said:
    DAalseth said:
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    As it only impacts Visa, I suspect this is a problem with Visa security. 

    It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).
    No seriously  - the transaction is sent to the card issuer ( in this case VISA) to approve. Nothing to do with Apple. Obviously MC has some layer that say, hmm $1000 is over a limit for express transit, and blocks it, or some other algorithm. It's about trading convenience ( no need to unlock phone) for security.
    watto_cobra
  • Reply 13 of 17
    IreneWIreneW Posts: 307member
    loopless said:
    vedelppa said:
    DAalseth said:
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    As it only impacts Visa, I suspect this is a problem with Visa security. 

    It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).
    No seriously  - the transaction is sent to the card issuer ( in this case VISA) to approve. Nothing to do with Apple. Obviously MC has some layer that say, hmm $1000 is over a limit for express transit, and blocks it, or some other algorithm. It's about trading convenience ( no need to unlock phone) for security.
    You should probably read the paper with the details, before stating stuff like this. Already in the first page:
    "We disclosed this attack to both Apple and Visa, and
    discussed it with their security teams. Apple suggested that
    the best solution was for Visa to implement additional fraud
    detection checks, explicitly checking Issuer Application Data
    (IAD) and the Merchant Category Code (MCC). Meanwhile,
    Visa observed that the issue only applied to Apple (i.e., not
    Samsung Pay), so suggested that a fix should be made to
    Apple Pay. We verify Apple’s and Visa’s possible solutions
    in Tamarin and show that either would limit the impact of
    relaying. At the time of writing neither side has implemented
    a fix, so the Apple Pay Visa vulnerability remains live."

    They both (Visa _and_ Apple) put their customers at risk while arguing.. 
    williamlondon
  • Reply 14 of 17
    IreneWIreneW Posts: 307member
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

    It’s a Visa issue, not Apple.
    Source? According to the report Apple or Visa could fix this. Samsung and MC already did.
    williamlondon
  • Reply 15 of 17
    gatorguygatorguy Posts: 24,650member
    vedelppa said:
    DAalseth said:
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    As it only impacts Visa, I suspect this is a problem with Visa security. 

    It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

    Do you just make stuff up without any evidence at all? 
    The evidence that Apple could presumably fix this on their own is right there in the source article had you taken the time to read it Eric. 
    edited October 2021 IreneWcrowleymuthuk_vanalingam
  • Reply 16 of 17
    IreneWIreneW Posts: 307member
    gatorguy said:
    vedelppa said:
    DAalseth said:
    Skeptical said:
    Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 
    As it only impacts Visa, I suspect this is a problem with Visa security. 

    It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

    Do you just make stuff up without any evidence at all? 
    The evidence that Apple could presumably fix this on their own is right there in the source article had you taken the time to read it Eric. 
    The research paper is an interesting read, pointing to several already known (but still open) vulnerabilities and multiple unprotected attack vectors. It also adds to the critique of Apples bounty program and the failure to take responsibility:

    ". Apple did not pay a bug bounty, even though
    they advertise $100,000 for bypassing a lock screen, and our
    attack bypasses the Apple Pay lock screen.
    We have also discussed this attack with Visa, who pointed
    out that this attack only affected Apple Pay, and suggested
    Apple were best placed to fix the issues. Visa also stated
    that back-end anti-fraud checks weregenerally applied, when
    needed. So, if this attack was to raise fraud-alerts, they claim,
    it would be eventually stopped. That said, we performed our
    attack multiple times, on large values, from the same card,
    and we were never blocked and flagged for fraud. Until either
    Apple or Visa implement a fix, we recommend that iPhone
    owners disable transit mode for Visa cards.”

    Consider yourselves warned.
    muthuk_vanalingamwilliamlondon
Sign In or Register to comment.