
Apple Pay bug could allow attackers to bypass lock screen, make payments

A team of researchers in the U.K. has discovered security issues related to Visa cards and Apple Pay that could result in attackers bypassing the lock screen and making fraudulent payments.

According to the research, the flaw occurs when Visa cards are set up in Apple's Express Transit mode on an iPhone. The flaw could allow attackers to bypass the iPhone Lock Screen and make contactless payments without the passcode.

Apple's Express Transit mode allows users to quickly pay for transportation rides using a credit, debit, or transit card without unlocking their device.

The researchers say that the vulnerability only affects Visa cards stored in Wallet. It's triggered by a unique code broadcast by transit gates and turnstiles that signals an iPhone to unlock Apple Pay for a transit payment without user authentication.

By using common radio equipment, the researchers were able to perform an attack that tricked a locked iPhone into believing it was at a transit gate. The proof-of-concept attack involved an iPhone with Express Transit enabled making a fraudulent payment to a standard contactless payment reader rather than a transit gate. A similar attack could occur in the wild by replaying the transit-gate code to the victim's phone, relaying the resulting transaction to a payment reader, and modifying a set of transaction fields along the way.
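To make the structure of the attack concrete, here is a toy model of the exchange the article describes: a locked phone that accepts payments without user authentication once it has seen the transit-gate code, an attacker who replays that code and forwards a shop terminal's payment request, and a hardened variant in which the gate must answer a fresh challenge and the resulting approval is bound to the gate that asked for it. This is an added illustration written for this page, not Apple's, Visa's or the researchers' code; the gate code, shared key, gate and merchant identifiers, message names and the hardening scheme are all constructed placeholders, and the real protocol is not on this page.

```python
"""Toy model of the Express Transit replay/relay scenario from the article.

Added illustration only: every code, key, identifier and message name below is
a constructed placeholder, not a value from Apple's, Visa's or EMV's protocol.
"""
import hashlib
import hmac
import os

# Constructed placeholder standing in for the static transit-gate code.
GATE_CODE = b"TRANSIT-GATE-PLACEHOLDER"
# Constructed placeholder key shared by transit gates and the issuer (hardened model).
GATE_KEY = b"placeholder-gate-key"


class WeakPhone:
    """Locked phone: a bare, static gate code flips it into 'pay without auth' mode."""

    def __init__(self):
        self.transit_mode = False

    def receive(self, kind, payload):
        if kind == "gate_code":
            # No freshness and no binding: any replay of the code is accepted.
            self.transit_mode = payload == GATE_CODE
            return "ack", None
        if kind == "pay":
            if not self.transit_mode:
                return "declined", "user authentication required"
            self.transit_mode = False
            return "approved", {"amount": payload["amount"]}
        return "error", "unknown message"


class HardenedPhone:
    """Gate must MAC the phone's fresh nonce, and the approval carries the
    gate id so the issuer can reject a transaction relayed to another merchant."""

    def __init__(self):
        self.nonce = None
        self.authorized_for = None

    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def receive(self, kind, payload):
        if kind == "gate_code":
            if self.nonce is None or not isinstance(payload, dict):
                return "declined", "no challenge outstanding"
            nonce, self.nonce = self.nonce, None
            expected = hmac.new(GATE_KEY, payload["gate_id"].encode() + nonce,
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, payload["mac"]):
                return "declined", "gate authentication failed"
            self.authorized_for = payload["gate_id"]
            return "ack", None
        if kind == "pay":
            if self.authorized_for is None:
                return "declined", "user authentication required"
            gate_id, self.authorized_for = self.authorized_for, None
            return "approved", {"amount": payload["amount"], "authorized_for": gate_id}
        return "error", "unknown message"


def gate_sign(gate_id, nonce):
    """What a legitimate (hardened-model) gate returns to the phone's challenge."""
    mac = hmac.new(GATE_KEY, gate_id.encode() + nonce, hashlib.sha256).digest()
    return {"gate_id": gate_id, "mac": mac}


def issuer_accepts(approval, merchant_id):
    """Issuer-side check: an approval that names the gate it was authorized
    for is only valid at that merchant; a legacy approval carries no binding."""
    return "authorized_for" not in approval or approval["authorized_for"] == merchant_id


def replay_attack(phone, merchant_id="shop-terminal-42", amount=500):
    """Replay the recorded static code, then forward a shop terminal's request."""
    phone.receive("gate_code", GATE_CODE)
    status, result = phone.receive("pay", {"amount": amount})
    return status, status == "approved" and issuer_accepts(result, merchant_id)


def live_relay_attack(phone, merchant_id="shop-terminal-42", amount=500):
    """Relay the phone's challenge to a real gate in real time, then pay elsewhere."""
    nonce = phone.challenge()
    phone.receive("gate_code", gate_sign("transit-gate-A", nonce))
    status, result = phone.receive("pay", {"amount": amount})
    return status, status == "approved" and issuer_accepts(result, merchant_id)


def gate_payment(phone, gate_id="transit-gate-A", amount=250):
    """The legitimate path at a hardened-model transit gate."""
    nonce = phone.challenge()
    phone.receive("gate_code", gate_sign(gate_id, nonce))
    status, result = phone.receive("pay", {"amount": amount})
    return status, status == "approved" and issuer_accepts(result, gate_id)
```

The weak model approves the replayed request outright; the hardened model declines a replayed static code (no outstanding challenge), and even a live relay through a real gate yields an approval the issuer rejects because it is bound to the gate rather than the shop terminal. Which of these checks the real Mastercard and Samsung Pay paths rely on is not stated on this page.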

However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

The flaw was discovered by researchers from the University of Birmingham and the University of Surrey in the U.K. The authors of the paper, which is set to be published at the 2022 IEEE Symposium on Security and Privacy, are Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu, and Liqun Chen.

The researchers alerted Apple to the flaw in October 2020 and Visa in May 2021.

In a statement to ZDNet, Visa says this type of attack is nothing new and customers have little to worry about.

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," the payment network wrote. "Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."



17 Comments

chadbag 13 Years · 2029 comments

It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?

scartart 17 Years · 201 comments

chadbag said:
It says it only affects Visa cards set up as express transit payment.  Why does it only affect Visa and not other card types?  Is Visa the only non transit card that can be used for express transit payments or is there another reason why, for example, it doesn't affect a Mastercard in Apple Pay?

I don't know the detail but a BBC News article on the subject states:

The researchers also tested Samsung Pay, but found it could not be exploited in this way. 

They also tested Mastercard but found that the way its security works prevented the attack.


https://www.bbc.co.uk/news/technology-58719891

Skeptical 8 Years · 183 comments

Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

ntipping 3 Years · 5 comments

This is worrying; hopefully they will quickly find a fix for this.

DAalseth 6 Years · 3067 comments

Skeptical said:
Another day, another iOS/Apple bug. I guess testing is more hit and miss in the rush to deliver a slightly undercooked product. 

As it only impacts Visa, I suspect this is a problem with Visa security.