A team of researchers has found a method to make Apple Pay transactions against Visa cardholders without the victims' knowledge.
Using a piece of radio equipment that is available to anyone (which remains undisclosed for safety and legal purposes), the researchers were able to trick an iPhone’s Apple Pay system into thinking the equipment was a ticket barrier. As a result, they were able to withdraw £1,000 from the device, without any sort of permission or proof of identity.
The research was conducted in a controlled environment and the scientists only used the exploit on their own devices and bank accounts. While only £1,000 was taken from the account in question, the researchers believe the maximum amount that can be taken could be far more than this.
As of right now, this trick can only be performed on iPhones with Visa’s “express transit” setting enabled. This feature allows commuters to quickly make contactless payments at ticket barriers, for example, without having to enter a PIN or unlock the iPhone. As such, this is so far an issue that only affects Visa cardholders. Experts have called for the feature’s removal so it can be more thoroughly tested, because of the potential risks it poses.
The same test was conducted on a Samsung device, using its own Samsung Pay system, but was unsuccessful. The researchers also tested the method using a Mastercard, but Mastercard’s security measures blocked the exploit.
Because the equipment that was used is commercially available, the researchers believe criminals could discover and use this exploit, a possibility that should not be ignored. If left unaddressed, the researchers believe this potential issue could become uncontrollable.
Despite this, Visa spokespeople claim that carrying out an attack of this ilk would be “impractical” outside of a lab. It would be difficult to carry out discreetly in public, given the equipment involved and the process of holding it near a victim’s iPhone. This being said, criminals would have no problem hacking into stolen iPhones, because the device does not need to be unlocked for the exploit to work.
Furthermore, the researchers have also said that the equipment does not need to be particularly close to the iPhone to work correctly.
Meanwhile, Apple have stated that the issue is “a concern with a Visa system”.
Even though it is theoretically possible for criminals to take advantage of this hack, there is no evidence to suggest they have begun using it yet. However, if you do use Visa’s express transit system, you should remain vigilant in large crowds regardless.
Visa also say that anyone who is targeted in this fashion is covered by their zero liability policy. This protects all of their cardholders against losing their money as a result of an unauthorised transaction. This likewise applies to anyone who has had their Visa stolen or has simply misplaced it.