According to a new research study, vulnerabilities in Apple Pay and Visa could allow hackers to bypass an iPhone’s Apple Pay lock screen and make contactless payments.
The vulnerability, identified by researchers from the University of Birmingham and the University of Surrey, arises when Visa cards are set up in ‘Express Transit mode’ in an iPhone’s wallet.
Transit mode is a feature on several mobile phones that allows commuters to make a quick contactless mobile payment, for instance at an underground station turnstile, without fingerprint authentication.
Researcher Andreea Radu from the University of Birmingham said, “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.”
According to the study, which will be presented at the IEEE Symposium on Security and Privacy in 2022, the flaw is in the Apple Pay and Visa systems operating together. It does not affect other combinations, such as Mastercard in iPhones or Visa on Samsung Pay.
Using cheap radio equipment, the researchers identified a unique code broadcast by the transit gates, or turnstiles. This code, dubbed ‘magic bytes’ by the researchers, unlocks Apple Pay.
The team discovered that they could use this code to disrupt signals between the iPhone and a store card reader. By broadcasting the magic bytes and modifying other fields in the protocol, they were able to mislead the iPhone into thinking it was talking to a transit gate when it was actually talking to a store reader.
At the same time, the researchers’ method persuades the store reader that the iPhone has completed its user authorization, allowing payments of any amount to be made without the iPhone user’s knowledge.
The researchers discovered that their method could also be used to get around the contactless limit, allowing for transactions of any amount.