Posted on 10/01/2021 7:46:34 AM PDT by Red Badger
Vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone's Apple Pay lock screen and perform contactless payments, according to research by the University of Birmingham and University of Surrey.
Experts in the University of Birmingham's School of Computer Science and the University of Surrey's Department of Computer Science found their approach could also be used to bypass the contactless limit allowing transactions of any amount to be performed. Their results will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.
The researchers discovered the vulnerability occurs when Visa cards are set up in 'Express Transit mode' in an iPhone's wallet. Transit mode is a feature on many smartphones that enables commuters to make a swift contactless mobile payment at, for example, an underground station turnstile, without fingerprint authentication.
The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.
Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the 'magic bytes', will unlock Apple Pay. The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.
At the same time, the researchers' method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone's user's knowledge.
Dr. Andreea Radu, in the School of Computer Science at the University of Birmingham, led the research. She said: "Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.
"Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely."
Co-author Dr. Ioana Boureanu, from the University of Surrey's Centre for Cyber Security, added: "We show how a usability feature in contactless mobile payments can lower security. But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. Apple Pay users should not have to trade off security for usability, but, at the moment, some of them do."
Co-author Dr. Tom Chothia, also in the School of Computer Science at the University of Birmingham, said: "iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are."
More details of a £1000 payment being taken from a locked iPhone are available at practical_emv.gitlab.io
Provided by University of Birmingham
Pingy!.....................
Tech sure has made life easy.
electronic gadgets open to security issues
Fear fear fear.... but let me guess, there is some cool solution they have in store for us?
Why yes! iPhone 14!........................
Yes, for crooks.....................
Not surprising, that’s why I never use Apple.
I have never used Apple Pay. Never sounded safe to me.
bookmark
If you knew the Rube Goldberg mess behind a credit card transaction you'd never use one of those again.
;)
I think it was at a recent visit to Walmart that terminals advised E-payments only. A nationwide coin shortage was the reason.
Another technique/excuse to end cash transactions ?....another step closer to a cashless society.
Use Cash, no worries
If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.
“Upgrades security features” is the phrase I see most when I’m prompted to update an app or OS.