Security flaw between Visa and Apple Pay could let attackers make contactless payments from a locked iPhone


A security flaw in the “Express Transport” mode of Apple Pay could let attackers make fraudulent payments from locked iPhones.

The flaw affects only the combination of Apple Pay and a Visa card, and it allows payments to be made with no upper amount limit.

Fraudulent payments made without unlocking the iPhone

Normally, a payment made with Apple Pay requires confirmation, whether through Touch ID, Face ID or the passcode on your smartphone. However, to reduce queues on public transport networks, the Cupertino firm introduced a feature called “Express Transport” that lets you pay for your journey without unlocking your smartphone or confirming the payment. Researchers from the universities of Surrey and Birmingham examined the feature and discovered security flaws when it is used with a Visa card.

To signal that a payment is coming from a public transport service, the reader sends a specific sequence of bytes to the iPhone, which lets the transaction proceed without unlocking the screen. This allowed the researchers from the English universities named above to carry out a “man-in-the-middle” type attack, specifically a “replay and relay” attack. The technique works by sending that byte sequence to the smartphone so that it behaves as if it were connected to the EMV reader of a public transport service. For this to be possible, however, certain settings must be accepted by the iPhone. For example, Offline Data Authentication (ODA) allows a payment to be validated as legitimate without the phone needing to be online. It is particularly useful for public transport systems, where it lets large numbers of travellers pay and pass through gates without waiting for the terminals to connect.

This technique works for payments below the recognised limit. To make payments above the limit, an additional parameter must be altered so that the EMV card reader believes the user has authorised the transaction. In this way, the researchers managed to take £1,000 from a locked iPhone in a single payment.

A security threat that is still present

The researchers also tested the attack with a Mastercard used with Apple Pay and with a Visa card used with Samsung Pay; no real-world fraud has been observed, and the only threat arises when Visa cards are used with Apple Pay. They contacted Apple in October last year and Visa in May this year. The issue has not been fixed because the two firms have not agreed whose fault it is and who should take the next step.

For now, the researchers advise against using a Visa card in the “Express Transport” mode. They further warn users to take care not to lose their smartphones, since a lost device is far more exposed to such attacks, and to activate Lost Mode if it does go missing.