Researchers expose security flaw that allows unauthorised Visa payments to be made on locked iPhones

Researchers have exposed a security flaw that enables large, unauthorised contactless payments to be made via Visa on locked iPhones, the BBC reports. The flaw exploits the ‘Express Transit’ mode in the iPhone’s wallet, a feature that enables iPhone owners to make contactless payments quickly without unlocking their phone, handy for tapping in at underground/metro stations that support contactless payments on the ticket barrier.

Researchers from the Computer Science departments of Birmingham and Surrey Universities set up a demonstration in which they took money only from their own accounts. The BBC report explains in detail how the hack works, with the omission of some crucial details, as follows:

A small commercially available piece of radio equipment is placed near the iPhone, which tricks it into believing it is dealing with a ticket barrier. At the same time, an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal that the criminals control. These do not need to be in close proximity of the iPhone being hacked.

“[They] can be on another continent from the iPhone as long as theres an internet connection” Dr Ioana Boureanu of the University of Surrey told the BBC.

Since the iPhone thinks it is paying a ticket barrier, it doesnt need to be unlocked. At the same time, the iPhones communications with the payment terminal are modified to fool it into thinking the device has been unlocked and a payment authorised, thus  allowing high value transactions to be made without entering a PIN, fingerprint or using Face ID.

In a demonstration video shown to the BBC, researchers were able to make a Visa payment of £1,000 without unlocking the phone or authorising the payment. There’s no evidence that any such attack has taken place “in the wild”.

The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago and that while there have been “useful” conversations, the problem has not yet been fixed.

Visa told the BBC that this type of attack was “impractical”. It said it took all security threats seriously, but “Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence.

“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world”.

For its part, Apple said: “We take any threat to users security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visas zero liability policy.”