Apple Pay bug could allow attackers to bypass lock screen, make payments

AppleInsider

A team of researchers in the U.K. has discovered security issues related to Visa cards and Apple Pay that could result in attackers bypassing the lock screen and making fraudulent payments.

Credit: Apple

According to the research, the flaw occurs when Visa cards are set up in Apple's Express Transit mode on an iPhone. The flaw could allow attackers to bypass the iPhone Lock Screen and make contactless payments without the passcode.

Apple's Express Transit mode allows users to quickly pay for transportation rides using a credit, debit, or transit card without unlocking their device.

The researchers say that the vulnerability only affects Visa cards stored in Wallet. It's caused by a unique code broadcast by transit gates or transit turnstiles that signal an iPhone to unlock Apple Pay.

By using common radio equipment, the researchers were able to perform an attack that tricked an iPhone into believing it was at a transit gate. The proof-of-concept attack involved an iPhone with Express Transit enabled making a fraudulent payment to a smart payment reader. A similar attack could occur in the wild by broadcasting the unique code and modifying a set of variables.

However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

The flaw was discovered by researchers from the University of Birmingham and the University of Surrey in the U.K. The authors of the paper, which is set to be published at the 2022 IEEE Symposium on Security and Privacy, are Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu, and Liqun Chen.

The researchers alerted Apple to the first in October 2020 and Visa in May 2021.

In a statement to ZDNet, Visa says this type of attack is nothing new and customers have little to worry about.

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," the credit card company wrote. "Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."

Read on AppleInsider

chadbag

It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?

scartart

chadbag said:

It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?

I don’t know the detail but a bbc news article on the subject states:

The researchers also tested Samsung Pay, but found it could not be exploited in this way. 

They also tested Mastercard but found that the way its security works prevented the attack.

https://www.bbc.co.uk/news/technology-58719891

Skeptical

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

ntipping

This is worrying, hopefully, they will quickly find a fix for this.

DAalseth

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security. 

mike1

chadbag said:

It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?

Any card and be selected for express pay.

hammeroftruth

So all they were able to do is fool the device into thinking it was making a purchase for express transit. They haven’t said if the actual transaction went thru. I bet it wouldn’t. Why? Because as the article said:

However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

I think the issue has been around for some time because years ago people were complaining about transit charging them when they weren’t using it but near a turnstile that uses that feature. 

The bigger problem is people being able to add a stolen credit card to their own device and using it. This has been going on for a couple years and banks have gotten smarter about not just authorizing any charge because you are using Apple pay. 

mknelson

hammeroftruth said:

So all they were able to do is fool the device into thinking it was making a purchase for express transit. They haven’t said if the actual transaction went thru. I bet it wouldn’t. Why? Because as the article said:

However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

I think the issue has been around for some time because years ago people were complaining about transit charging them when they weren’t using it but near a turnstile that uses that feature. 

The bigger problem is people being able to add a stolen credit card to their own device and using it. This has been going on for a couple years and banks have gotten smarter about not just authorizing any charge because you are using Apple pay. 

I watched the video last night - they show the transaction in the victim phone's wallet.

Adding stolen credit cards? I don't know how the banks are in your country, but in Canada there are some 2FA type steps to add any cart to ApplePay.

ericthehalfbee

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

It’s a Visa issue, not Apple.

ericthehalfbee

vedelppa said:

DAalseth said:

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security. 

It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

Do you just make stuff up without any evidence at all? 

tokyojimu

I use my Suica in Express Transit mode to pay for meals and purchases all the time. That’s the whole idea. It’s limited to small amount purchases. 

loopless

vedelppa said:

DAalseth said:

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security. 

It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

No seriously  - the transaction is sent to the card issuer ( in this case VISA) to approve. Nothing to do with Apple. Obviously MC has some layer that say, hmm $1000 is over a limit for express transit, and blocks it, or some other algorithm. It's about trading convenience ( no need to unlock phone) for security.

IreneW

loopless said:

vedelppa said:

DAalseth said:

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security. 

It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

No seriously  - the transaction is sent to the card issuer ( in this case VISA) to approve. Nothing to do with Apple. Obviously MC has some layer that say, hmm $1000 is over a limit for express transit, and blocks it, or some other algorithm. It's about trading convenience ( no need to unlock phone) for security.

You should probably read the paper with the details, before stating stuff like this. Already in the first page:
"We disclosed this attack to both Apple and Visa, and

discussed it with their security teams. Apple suggested that

the best solution was for Visa to implement additional fraud

detection checks, explicitly checking Issuer Application Data

(IAD) and the Merchant Category Code (MCC). Meanwhile,

Visa observed that the issue only applied to Apple (i.e., not

Samsung Pay), so suggested that a fix should be made to

Apple Pay. We verify Apple’s and Visa’s possible solutions

in Tamarin and show that either would limit the impact of

relaying. At the time of writing neither side has implemented

a fix, so the Apple Pay Visa vulnerability remains live."

They both (Visa _and_ Apple) put their customers at risk while arguing.. 

IreneW

ericthehalfbee said:

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

It’s a Visa issue, not Apple.

Source? According to the report Apple or Visa could fix this. Samsung and MC already did.

gatorguy

ericthehalfbee said:

vedelppa said:

DAalseth said:

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security. 

It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

Do you just make stuff up without any evidence at all? 

The evidence that Apple could presumably fix this on their own is right there in the source article had you taken the time to read it Eric. 

IreneW

gatorguy said:

ericthehalfbee said:

vedelppa said:

DAalseth said:

Skeptical said:

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security. 

It's also possible that code on Apple's side fails when one has a Visa card. Even if Visa's security solutions differ from Mastercard's, the fault may be on Apple's side, too (even if this turns out to be false and it's Visa I think people here tend to assume Apple = perfect and in case if anything goes wrong, 3rd party = evil).

Do you just make stuff up without any evidence at all? 

The evidence that Apple could presumably fix this on their own is right there in the source article had you taken the time to read it Eric. 

The research paper is an interesting read, pointing to several already known (but still open) vulnerabilities and multiple unprotected attack vectors. It also adds to the critique of Apples bounty program and the failure to take responsibility:

". Apple did not pay a bug bounty, even though

they advertise $100,000 for bypassing a lock screen, and our

attack bypasses the Apple Pay lock screen.

We have also discussed this attack with Visa, who pointed

out that this attack only affected Apple Pay, and suggested

Apple were best placed to fix the issues. Visa also stated

that back-end anti-fraud checks weregenerally applied, when

needed. So, if this attack was to raise fraud-alerts, they claim,

it would be eventually stopped. That said, we performed our

attack multiple times, on large values, from the same card,

and we were never blocked and flagged for fraud. Until either

Apple or Visa implement a fix, we recommend that iPhone

owners disable transit mode for Visa cards.”

Consider yourselves warned.