Apple Pay, Apple's contactless payment technology for the iPhone and other Apple devices, is one of the most popular mobile payment services in the world. In 2020 it was activated by over 65 million people (source: Statista), and its use grew sharply during the Covid pandemic. Easy to set up and use, it lets you pay with your smartphone in shops, restaurants and online without cash or physical cards, by linking the major credit and debit cards (Visa, Mastercard, American Express...).
Long considered a very safe way to pay contactless, Apple Pay's security is now in doubt after British research uncovered a vulnerability in the service that could expose users to the risk of fraud.
Apple Pay at risk of fraud: the research
Researchers from the School of Computer Science at the University of Birmingham and the Department of Computer Science at the University of Surrey found a flaw in the way Apple's and Visa's systems interact that could let attackers bypass the iPhone lock screen and make unauthorised contactless payments with Apple Pay.
The vulnerability appears when a Visa card is set up in Express Transit mode, an Apple Pay feature (not available in Italy) that allows tap-and-go payment at ticket barriers without authenticating with Face ID or a passcode. The feature was designed so that commuters and other public transport users can pay for their journey quickly at the gates of metro stations.
How the contactless theft works
The researchers made a contactless payment of £1,000 with a Visa card via Apple Pay from a locked iPhone, without the owner authorising the payment, and it went through. As the BBC reports, the attack works like this: a small radio device, readily available on the market, is placed near the iPhone and pretends to be a ticket barrier. Meanwhile, an Android phone running an app developed by the researchers relays the signals between the iPhone and a contactless payment terminal. Since the iPhone "thinks" it is paying at a barrier, it does not need to be unlocked. At the same time, the iPhone's messages to the payment terminal are modified to trick the terminal into believing the phone has been unlocked and the payment authorised, allowing high-value payments without a PIN or Face ID.
The problem occurs only when Express Transit is used with Visa: the researchers tried the same attack with Mastercard, but its security checks blocked it.
The researchers said that the Android phone and the payment terminal used for the scam do not need to be close to the victim's iPhone for the attack to work. "It can even be on another continent, as long as there is an Internet connection," Dr Ioana Boureanu of the University of Surrey, a member of the research team, told the BBC.
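To make the mechanics concrete, here is a simplified simulation of the relay described in the three paragraphs above. It is an added example written for this article, not the researchers' tool and not code from Apple or Visa, and it does not model real EMV or Apple Pay messages: the message fields, the "transit"/"retail" reader types, the issuer key, the verification limit and the MAC-based check are all constructed for illustration. It goes one step beyond the article by also showing one way an issuer could bind the "user verified" claim cryptographically so that the rewrite is detected; this is not a description of what Mastercard does.

```python
"""Toy model of a wallet relay attack with claim tampering.

Added example, not the researchers' code and not real EMV. Every message
format, field name, key and limit here is constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

ISSUER_KEY = b"hypothetical-issuer-key"  # shared by wallet and issuer (assumption)
CVM_LIMIT_PENCE = 10_000                  # constructed limit: above it, on-device verification is required


@dataclass(frozen=True)
class PayRequest:
    reader_type: str      # "transit" or "retail" (constructed field)
    amount_pence: int


@dataclass(frozen=True)
class PayResponse:
    amount_pence: int
    reader_type: str      # what the wallet believed it was talking to
    user_verified: bool   # claim: cardholder authenticated on the device
    tag: bytes = b""      # hardened variant only: MAC binding the claim


def _claim_tag(amount_pence: int, reader_type: str, user_verified: bool) -> bytes:
    msg = f"{amount_pence}|{reader_type}|{user_verified}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


class Wallet:
    """Phone wallet. While locked it answers only a transit reader, and only
    if express transit is enabled; it never claims verification while locked."""

    def __init__(self, locked: bool = True, express_transit: bool = True,
                 bind_claim: bool = False):
        self.locked = locked
        self.express_transit = express_transit
        self.bind_claim = bind_claim  # True models a scheme that binds the claim

    def respond(self, req: PayRequest) -> Optional[PayResponse]:
        if self.locked and not (self.express_transit and req.reader_type == "transit"):
            return None  # would require Face ID / passcode first
        user_verified = not self.locked
        resp = PayResponse(req.amount_pence, req.reader_type, user_verified)
        if self.bind_claim:
            resp = replace(resp, tag=_claim_tag(req.amount_pence, req.reader_type, user_verified))
        return resp


def relay_attack(wallet: Wallet, amount_pence: int) -> Optional[PayResponse]:
    """Attacker's two halves: the reader next to the phone pretends to be a
    transit gate; the device at the real (retail) terminal forwards the
    answer but rewrites the verification claim to True."""
    fake_gate = PayRequest("transit", amount_pence)
    resp = wallet.respond(fake_gate)
    if resp is None:
        return None
    return replace(resp, user_verified=True)  # the tampering step


def issuer_authorize(resp: Optional[PayResponse], terminal_type: str,
                     check_tag: bool) -> str:
    """Authorization as performed for the real terminal. With check_tag the
    issuer recomputes the MAC over what the terminal actually is and what
    the response claims, so a flipped claim or a spoofed reader type fails."""
    if resp is None:
        return "NO_RESPONSE"
    if resp.amount_pence > CVM_LIMIT_PENCE and not resp.user_verified:
        return "DECLINED_CVM_REQUIRED"
    if check_tag:
        expected = _claim_tag(resp.amount_pence, terminal_type, resp.user_verified)
        if not hmac.compare_digest(expected, resp.tag):
            return "DECLINED_TAMPERED"
    return "APPROVED"


if __name__ == "__main__":
    locked = Wallet(locked=True)
    print("relay, unbound claim:", issuer_authorize(relay_attack(locked, 100_000), "retail", False))
    bound = Wallet(locked=True, bind_claim=True)
    print("relay, bound claim:  ", issuer_authorize(relay_attack(bound, 100_000), "retail", True))
```

In the unbound variant the £1,000 (100,000 pence) relayed payment is approved, because the terminal has no way to tell that the phone believed it was at a transit gate or that the verification flag was rewritten in transit. Binding the flag and the reader type into a keyed tag the attacker cannot recompute turns the same relay into a decline, while an honest small fare at a real gate and an unlocked retail payment still go through.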
The authors of the study said they reported the flaw to Apple in October 2020 and to Visa in May 2021. However, the two companies have not been able to cooperate on a fix since, the researchers explain, "neither is willing to accept responsibility and implement a solution, leaving users permanently vulnerable".
Apple Pay is safe
Visa replied that payments are secure and that attacks of this kind are impractical outside the laboratory. Indeed, the researchers have demonstrated the attack only in the lab, and there is no evidence that criminals are currently exploiting the vulnerability to defraud Apple Pay users.
Ken Munro, a security expert at Pen Test Partners who was not involved in the British research, told the BBC that the work is truly innovative and that the problem needs to be fixed quickly. It is, after all, not so different from the contactless scam in which a fraudulent POS terminal is brought close to bags and trouser pockets where wallets containing contactless cards are kept.
The co-author of the research, Dr Tom Chothia of the School of Computer Science at the University of Birmingham, said: "iPhone owners should check whether they have a Visa card configured with Express Transit and, if so, should disable it. Apple Pay users do not have to be in danger, but until Apple or Visa fix the bug, they are."
The research will be presented at the 43rd IEEE Symposium on Security and Privacy in May 2022.