Apple Pay bug could allow attackers to bypass lock screen, make payments

A team of researchers in the U.K. has discovered security issues related to Visa cards and Apple Pay that could result in attackers bypassing the lock screen and making fraudulent payments.

According to the research, the flaw occurs when Visa cards are set up in Apple's Express Transit mode on an iPhone. The flaw could allow attackers to bypass the iPhone Lock Screen and make contactless payments without the passcode.

Apple's Express Transit mode allows users to quickly pay for transportation rides using a credit, debit, or transit card without unlocking their device.

The researchers say that the vulnerability only affects Visa cards stored in Wallet. It's caused by a unique code, broadcast by transit gates or turnstiles, that signals an iPhone to unlock Apple Pay.

By using common radio equipment, the researchers were able to perform an attack that tricked an iPhone into believing it was at a transit gate. The proof-of-concept attack involved an iPhone with Express Transit enabled making a fraudulent payment to a smart payment reader. A similar attack could occur in the wild by broadcasting the unique code and modifying a set of variables.

However, researchers point out that the attack doesn't appear practical on a wide scale. Even if an attacker were able to pull it off, banks and financial institutions have other mechanisms that deter fraud by detecting suspicious transactions.

The flaw was discovered by researchers from the University of Birmingham and the University of Surrey in the U.K. The authors of the paper, which is set to be published at the 2022 IEEE Symposium on Security and Privacy, are Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu, and Liqun Chen.

The researchers first alerted Apple to the flaw in October 2020 and Visa in May 2021.

In a statement to ZDNet, Visa says this type of attack is nothing new and customers have little to worry about.

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," the credit card company wrote. "Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."