Apple Pay and Visa flaw leaves iPhones vulnerable to hackers

Vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and make unauthorised contactless payments, according to new research.

Experts at the University of Birmingham and the University of Surrey found that hackers could also change the contactless limit, meaning transactions of any amount could be carried out.

The researchers discovered that the vulnerability occurs when Visa cards are set up in Express Transit mode, which is used by many commuters at train and underground stations.

The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.

Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’ will unlock Apple Pay.

The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.

At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone’s user’s knowledge.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea Radu, who led the research at the School of Computer Science, University of Birmingham. “Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

A spokesperson from Apple said: "We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy."

A spokesperson from Visa said: "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."

    Share Story:

Recent Stories


Data trust in the AI era: Building customer confidence through responsible banking
In the second episode of FStech’s three-part video podcast series sponsored by HCLTech, Sudip Lahiri, Executive Vice President & Head of Financial Services for Europe & UKI at HCLTech examines the critical relationship between data trust, transparency, and responsible AI implementation in financial services.

Banking's GenAI evolution: Beyond the hype, building the future
In the first episode of a three-part video podcast series sponsored by HCLTech, Sudip Lahiri, Executive Vice President & Head of Financial Services for Europe & UKI at HCLTech explores how financial institutions can navigate the transformative potential of Generative AI while building lasting foundations for innovation.

Beyond compliance: Transforming document management into a strategic advantage for financial institutions
In this exclusive fireside chat, John Rockliffe, Pre-Sales Manager at d.velop, discusses the findings of Adapting to a Digital-Native World: Financial Services Document Management Beyond 2025 and explores how FSIs can turn document workflows into a competitive advantage.

Sanctions evasion in an era of conflict: Optimising KYC and monitoring to tackle crime
The ongoing war in Ukraine and resulting sanctions on Russia, and the continuing geopolitical tensions have resulted in an unprecedented increase in parties added to sanctions lists.