Apple Pay and Visa flaw leaves iPhones vulnerable to hackers

Vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and make unauthorised contactless payments, according to new research.

Experts at the University of Birmingham and the University of Surrey found that hackers could also change the contactless limit, meaning transactions of any amount could be carried out.

The researchers discovered that the vulnerability occurs when Visa cards are set up in Express Transit mode, which is used by many commuters at train and underground stations.

The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.

Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’ will unlock Apple Pay.

The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.

At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone’s user’s knowledge.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea Radu, who led the research at the School of Computer Science, University of Birmingham. “Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

A spokesperson from Apple said: "We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy."

A spokesperson from Visa said: "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."

    Share Story:

Recent Stories


New Business Frontiers
FStech’s Mark Evans discusses the future of financial services with Liu Jianning of Huawei, covering the limitations that current thinking can impose, how financial institutions can embrace technology to be both agile and resilient, and making space for the organisation to focus on the job of creating innovative business models and on delivering business value for their customers.

The Future of Intelligent Finance
FStech Group Editor Mark Evans sits down with Jason Cao, President of Global Financial Services Business Unit, Enterprise BG at Huawei ahead of its Intelligent Finance Summit which was held on 3rd and 4th of June in Shanghai. This Q&A delves into key trends in digital transformation of the financial services industry as well as a look at how data, robotic infrastructure, intelligent storage and innovative technologies are shaping the future for FSIs.

Cracking down on fraud
In this webinar a panel of expert speakers explored the ways in which high-volume PSPs and FinTechs are preventing fraud while providing a seamless customer experience.