Apple Pay With Visa Hacked To Make Payments Via Unlocked iPhones (threatpost.com) 48
Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed. Threatpost reports: An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.'s National Cyber Security Centre (NCSC). But Visa, for its part, said that Apple Pay payments are secure and that any real-world attacks would be difficult to carry out.
The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in "Express Transit" mode. Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices. "An attacker only needs a stolen, powered-on iPhone," according to a writeup (PDF) published this week. "The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge. The attacker needs no assistance from the merchant."
This attack is made possible by a combination of flaws in both Apple Pay and Visa's systems, the academic team noted. "The details of this vulnerability have been disclosed to Apple (Oct 2020) and to Visa (May 2021)," according to the writeup. "Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix." "Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa said in a statement to the BBC, adding that its fraud-detection systems would flag any suspicious transactions. Apple meanwhile shifted the responsibility to Visa and told the outlet, "We take any threat to users' security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero-liability policy." The researchers say users can protect themselves by not using Visa as a transport card in Apple Pay, and if they do, by remotely wiping the device if lost or stolen. The bug does not affect other types of payment cards or payment systems.
The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in "Express Transit" mode. Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices. "An attacker only needs a stolen, powered-on iPhone," according to a writeup (PDF) published this week. "The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge. The attacker needs no assistance from the merchant."
This attack is made possible by a combination of flaws in both Apple Pay and Visa's systems, the academic team noted. "The details of this vulnerability have been disclosed to Apple (Oct 2020) and to Visa (May 2021)," according to the writeup. "Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix." "Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa said in a statement to the BBC, adding that its fraud-detection systems would flag any suspicious transactions. Apple meanwhile shifted the responsibility to Visa and told the outlet, "We take any threat to users' security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero-liability policy." The researchers say users can protect themselves by not using Visa as a transport card in Apple Pay, and if they do, by remotely wiping the device if lost or stolen. The bug does not affect other types of payment cards or payment systems.
Title is wrong (Score:4, Informative)
Apple states it can't be their fault.... (Score:3)
Visa tried to assure the public it isn't a huge issue by assuring any issue would be caught by their fraud detection systems. Apple just throws Visa under a bus....
Re: (Score:2)
"Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix."
The fix can be easily implemented by the consumer: don't use Apple Pay.
Re: Apple states it can't be their fault.... (Score:2)
If you shop at Walmart, the fix is already implemented. They don't accept Apple Pay. (Because they are whiny babies.)
Re: (Score:2)
Or QR codes [slashgear.com] work on more phones than NFC. [apple.com]
Re: (Score:2)
It looks like the issue on Apple's end is that the phone doesn't validate the thing requesting payment properly. If it says it's transit then it pays blindly. On the Visa end it looks like they have not got much control over anyone creating a fake transit payment account to receive the money.
They both really need to focus on security, especially Apple to whom this kind of thing keeps happening.
Re:Apple states it can't be their fault.... (Score:5, Informative)
Well, the researchers tried the exact same thing with MasterCard cards, and it didn't work.
So the vulnerability may be on both Apple and Visa's systems, but Visa isn't do something MasterCard is. There may be very little Apple can do to fix it if the key problem is on Visa's side.
Re: (Score:2)
"This attack is made possible by a combination of flaws in both Apple Pay and Visa's systems, the academic team noted."
It's not a one flaw error, but a combination that either Apple or Visa could step forward and fix but neither seems to want to alter their own code.
Re: (Score:2)
The researchers are certainly contending that it's a joint flaw, but Apple is saying, "This is a concern with a Visa system", to which Visa responded by denying that the bus we just saw them get pushed under even exists.
When one of the companies blames the other and the other responds by denying that the problem even exists, I'm very inclined to think that there's only one party to blame there.
Re: (Score:2)
""Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa said in a statement to the BBC, adding that its fraud-detection systems would flag any suspicious transactions."
The only one denying the problem exists is Apple, and they are denying it's a problem with their system and the issue
Devil in the details. (Score:2)
This:
The bug does not affect other types of payment cards or payment systems.
and this:
"Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world"
So can we conclude those other cards and systems aren't contactless?
Re: (Score:2)
Told you so (Score:1)
I posted a comment months ago saying it was stupid to put your payment information on phones. I had a bunch of replies saying there was no way that anyone could get your payment info or use your phone somehow to buy stuff with your money. The whole paying with your phone thing still smells like a really bad idea.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Can you explain the difference, precisely?
Here in Canada, Debit card purchases are far and away the most prevalent payment mechanism, having almost entirely subsumed cash transactions, and I get the impression that the term means something different in the USA.
Re: (Score:2)
This is also why it's vastly safer to use a credit card than a debit card in the US - debit cards do _not_ have the same protections
Can you explain the difference, precisely?
Here in Canada, Debit card purchases are far and away the most prevalent payment mechanism, having almost entirely subsumed cash transactions, and I get the impression that the term means something different in the USA.
Yes... I was born in Australia and I found this terminology confusing, also. (Love Canada btw, can't wait to come back for a visit someday). At least as far as current US law is concerned, a credit card is a payment method issued by a lending bank and connected solely to accessing a line of credit. A "debit card" is - at least TODAY - a card that is connected solely to accessing the funds in a deposit account, and that uses one of the major credit card processing networks to transmit its transactions. So it
Re: (Score:2)
Hmm... here in Canada, a person's bank card, or atm card *IS* their debit card.
Every financial institution I know of offers fraud protection on debit purchases, and many offer it as standard on their accounts. Some banks charge for the service, but the fee is nominal, and in many cases it can be waived entirely.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Okay, that's what it is here too.
But it's very unusual for financial institutions to not offer any fraud protection on debit cards. In my experience, they are as safe and secure as credit cards. Often moreso, as it is not possible to use a debit card except for in-person transactions, and which requires the entry of a PIN.
Re: (Score:2)
Re: (Score:2)
Re: Told you so (Score:2)
The concept is solid, only tokens are exchanged, not actual account numbers, which makes it infinitely more secure than a regular credit card. The problem is that apple likes to act like security is somebody else's problem and never theirs. If you recall antenna gate, where they said apple really has a flawless phone and you're just holding it wrong. That's pretty much how they treat security.
Re: (Score:1)
Right, because "antenna gate" means no commitment to security. Deep thinking there.
Re: Told you so (Score:2)
No, that's not what I said
Re: Told you so (Score:1)
They have to have your phone.
If you have your "payment system" in your wallet, it too is vulnerable, if someone has your wallet.
Re: (Score:1)
Can't have money, because if someone takes it they can buy things with your money.
Re: (Score:3)
I have two Visa cards and neither has the transit express pay tied to them -- I never turned it on, and its not the default.
There's a zillion ways to experience credit card fraud. Of all them Apple pay seems like one of the least vulnerable. No numbers exchanged, only tokens, and no opportunity for skimming or cloning. I'm honestly more worried about my dentist office's credit practices than Apple Pay.
As a traveler, it was awesome in the Netherlands. I was able to use Apple Pay for literally everything -
Re: (Score:1)
So you have confirmation bias then.
Pay cash like a free person (Score:3)
Re: (Score:3)
If you carry cash and it is stolen, it is unrealistic to expect to get it back.
Reputable payment processors can reverse any unauthorized charges.
Let's see cash do that.
Re: (Score:1)
They can only steal the cash on your person and you get to keep your privacy to boot.
That depends. Did the thief say "Give me your money!" or "Give me your wallet!" If he steals your wallet, you will lose some of your private information, ie drivers license info, home address, and possibly medical card info.
Another angle here (Score:2)
Apple charges the banks a percentage of the transaction value for anything via Apple Pay (5 basis points or something). The banks obviously hate giving them this cut of the transaction.
The way that Apple has justified it is that all of the Apple Pay transactions are "biometrically verified" via touch or Face ID - so fraud shouldn't be possible. And it is at least much less likely. So it is "pay us and then you are much less likely to have these be fraudulent than with a card - which more than pays for our c
Re: (Score:1)
'So it is "pay us and then you are much less likely to have these be fraudulent than with a card - which more than pays for our cut."'
Citation please. When has Apple ever said that to a bank?
Banks don't care about that cut, it is the vendor's problem. Apple sells its service to the customer, the customer demands it of the vendor, the vendor accepts the service and pays the fee. The bank could not care less; they are losing a couple percent on a few percent, and even then only on sales they would otherwis
Inaccuracies (Score:3)
The first paragraph says, ” someone could use a stolen, unlocked iPhone”.
The second paragraph says, ” An attacker who steals a locked iPhone”.
So which is it? Locked or unlocked?
A much more interesting question to ask would be why is Visa’s integration with ApplePay vulnerable when, say, MasterCard’s is not?
And if it is accurate to say that this vulnerability only applies to Visa, isn’t it a bit click-baitey for ThreatPost to title this with “ApplePay” ? Wouldn’t it be more truthful and accurate to say something like, “Visa’s implementation of ApplePay is vulnerable”? I note that others have implied that Apple don’t care about security I’m not in a position to comment on that, but it seems a bit much if only the Visa implementation of ApplePay is vulnerable to describe this as an Apple problem.
Lastly, with reference to the claim of the opening paragraph, concerning the vulnerability being used to pay for “thousands of dollars of goods or services” most of the shops and retail outlets where I see options for contactless payment - not just ApplePay but all contactless - also have a sign that says something like, “Maximum contactless transaction value $50”. Which rather feels like the author believes that after they put the word “theoretically” in their article, they can claim pretty much whatever they like, no matter how preposterous.
Re: (Score:2)
A much more interesting question to ask would be why is Visaâ(TM)s integration with ApplePay vulnerable when, say, MasterCardâ(TM)s is not?
This. And also, why are Apple and Visa both going to the wall on this and pointing fingers at each other? It seems to imply that either the fix is really technically expensive (which seems unlikely given the resources both sides have to throw at this) or that implementing a fix will be seen as acknowledging responsibility for the vuln, and hence some kind of expensive liability. Whatever the case, there is pretty clearly something political or otherwise non-technical under the covers of this dispute.
Re: (Score:3)
Locked. Apple has a feature where you can pay for public transport without unlocking the phone. It's a usability thing. Since they got rid of the fingerprint sensor you would have to take off your mask, raise the phone up to your face to unlock it, put your mask back on and wave the phone at the payment terminal.
Maybe it's different in the US but in the UK the maximum transaction value limits on contactless payments with phones have largely gone now. One supermarket (Waitrose) had a sign saying max payment
Re: (Score:2)
The contactless payment limit for a physical bank card is UKP 45 in the UK, but limits with an authorised phone app (phone unlocked) may be larger (or unlimited).
The niggle is the contactless limit for a locked phone. Arguably it shouldn't be possible to pay at all, or the limit should be the same as a physical card.
Google Pay says "You can make secure contactless purchases above the UKP 45 limit by just unlocking your phone", while Apple says "You may not be able to use Apple Pay for purchases over GB
Re: (Score:2)
Perhaps a better way for Apple to have configured ApplePay would be to make the ability to pay with a locked phone [or not] a user-selectable option, within the application. So if you're someone who uses the subway all the time and likes to walk through the gates with your phone in your pocket, you can.
Obviously, it would be even better if you could actually select which "transaction terminals" (sorry, I don't know the correct term for a contactless "access point") you wan