Cybersecurity researchers in the UK claim that Apple Pay with Visa can be remotely hacked to make fraudulent payments. With the rise of contactless payment methods over the past few years, mobile payment technologies, such as Apple Pay, Google Pay, and Samsung Pay, are gaining popularity around the world. As for Apple Pay, it is one of the most convenient ways to pay for goods and services at retail stores, gas stations, and shopping malls.

Apple Pay uses the EMV Payment Tokenization Specification, which enables users to pay by simply bringing the device close to the payment terminal without having to swipe a card, enter a PIN or sign in to an account. It also enables online payment in compatible apps and on websites. Apple Pay was one of the first out of the gate with its NFC payment technology in 2014, with Google and Samsung following later with their own respective contactless payment platforms. However, even though Apple Pay is available on both iPhone and Apple Watch, it is reportedly being used by only a small percentage of iPhone owners.

According to the BBC, researchers from the University of Birmingham and the University of Surrey have released a proof-of-concept video that claims to show how the Apple Pay mechanism can be hacked remotely to make payments with Visa using locked iPhones. Per the researchers, the vulnerability takes advantage of an Apple Pay feature called 'Express Transit' that helps users make quick payments at ticket barriers. In the video, the researchers seemingly made a contactless payment of £1,000 without ever unlocking the iPhone.

Visa Says The Hack Is "Impractical"

Both Apple and Visa have acknowledged the vulnerability, but while Apple said that the matter relates to Visa's payment system, Visa claimed that its technology is secure and such attacks are "impractical" in the real world. In a communique to the BBC, Visa said: "Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence." Visa also claimed that similar schemes have been studied by researchers for many years, but are too impractical to be deployed in the real world. The researchers seemingly agreed with that notion, saying stolen iPhones with Apple Pay enabled are the most at risk from such attacks.

The hack reportedly uses "a small, commercially available piece of radio equipment" that acts as a ticket barrier when placed near an iPhone. It also requires an Android phone running a custom app, developed as proof-of-concept by the researchers themselves. The app acts as the go-between for the iPhone and a payment terminal, enabling the hacker to charge the victim's Visa card without any authorization. Meanwhile, the radio equipment tricks the iPhone into believing it is dealing with a ticket barrier and hence doesn't need to be unlocked. The two-pronged strategy can, in theory, help criminals withdraw large sums of money from the Apple Pay user's account without any PIN or biometric authentication.

Source: BBC