The computerization of processes as mundane as buying in a store has given many advantages to users, such as the popularization of contactless payments in Spain. However, sometimes the vulnerabilities of these systems can play tricks on us, as this group of researchers has discovered.
Researchers from the University of Birmingham, Andreea-Ina Radu and Tom Chothia, have published research showing a vulnerability in the Apple Pay payment system.
The paper, published jointly with doctors Ioana Boureanu, Christopher J.P. Newton and Liqun Chen (University of Surrey), details that it is possible to carry out illicit contactless transactions that bypass Apple's security, including the iPhone's lock screen.
This problem resides in the Apple Pay system regarding Visa cards. The flaw could potentially allow an attacker to 'bypass' the lock screen of a victim's device, making payments against the owner's will. The failure occurs when these cards are configured in Express Transit mode.
This mode allows you to pay for transport trips quickly using a credit, transit or debit card, without even having to unlock your iPhone or Apple Watch. The researchers demonstrate the attack on video, managing to bypass all security systems and stealing up to £1,000 from someone else's account.
Express Transit does not require any type of authentication: no Touch ID, no Face ID and no password of any kind. The attacker has to interfere with the transmission code used at TfL (Transport for London) gates and turnstiles.
By accessing that code, they found they could 'trick' the iPhone into thinking it was communicating with one of these gates, rather than an EMV reader. The researchers only needed an iPhone, a laptop, a card emulator and an EMV reader.
The study authors used a Proxmark device and an NFC-enabled Android phone as reader and card emulators. The Proxmark communicated with the iPhone and the Android phone, and it was used as a payment terminal. "We connected Proxmark to a laptop via USB, and then the laptop transmitted the messages to the card emulator via WiFi. The Proxmark can also communicate via Bluetooth with the Android phone."
Apple's fraud detection systems did not prevent the theft, regardless of the amount stolen. The researchers, in their paper, blame "the lack of controls performed on the iPhone and the lack of controls in the Visa backend [...] Apple Pay is not vulnerable with MasterCard and in turn MasterCard and Visa are not vulnerable with Samsung Pay."
In addition to this, the researchers criticize that Apple does not establish any control over the payment made in the Express Transit mode. They explain that payments as high as £1,000 would never be made in this mode.
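The kind of control the researchers say is missing can be sketched as a check that refuses payments made without user verification unless they look like a transit fare. This is an added example, not code from the paper, Apple or Visa; the record fields, the list of transit merchant category codes and the £20 cap are assumptions, and the sample transactions are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumption: merchant category codes treated as transit
# (commuter transport, passenger rail, bus lines).
TRANSIT_MCCS = {"4111", "4112", "4131"}
# Assumption: illustrative ceiling for an unverified fare, not a value from the paper.
EXPRESS_CAP = Decimal("20.00")


@dataclass(frozen=True)
class Txn:
    txn_id: str
    mcc: str             # merchant category code reported for the terminal
    amount: Decimal      # in pounds
    user_verified: bool  # True if Face ID, Touch ID or a passcode was used


def review(txn: Txn) -> list[str]:
    """Return the reasons to decline a transaction; an empty list means accept."""
    if txn.user_verified:
        return []  # the owner approved it, so Express Transit rules do not apply
    reasons = []
    if txn.mcc not in TRANSIT_MCCS:
        reasons.append("unverified payment at non-transit merchant")
    if txn.amount > EXPRESS_CAP:
        reasons.append("unverified amount exceeds transit cap")
    return reasons


def flagged(txns: list[Txn]) -> dict[str, list[str]]:
    """Map transaction id to decline reasons for every transaction that fails review."""
    return {t.txn_id: r for t in txns if (r := review(t))}


# Constructed sample transactions.
SAMPLE = [
    Txn("T1", "4111", Decimal("2.80"), False),     # ordinary gate tap
    Txn("T2", "5411", Decimal("35.00"), True),     # shop purchase approved by owner
    Txn("T3", "4111", Decimal("1000.00"), False),  # claims transit, amount of the demo
    Txn("T4", "5999", Decimal("12.00"), False),    # locked phone, non-transit merchant
]

if __name__ == "__main__":
    for txn_id, reasons in flagged(SAMPLE).items():
        print(txn_id, "; ".join(reasons))
```
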
Before you disable your Express Transit card in Apple Pay, we must clarify that this attack is practically unworkable, at least under normal conditions. The researchers admit that many very specific conditions are needed to carry out the attack. First, the attacker must have an iPhone with a Visa card configured in this mode.
But the most important aspect of this vulnerability is that it is limited to transit payments, so the money would have to be extracted through transportation methods and not through establishments, where payments have stronger security measures. Not to mention that in these cases the intervention of the victim device's owner is required, and that specific equipment is needed, such as emulators, a laptop, etc.
Still, the researchers have made it clear that Apple and Visa's "security designs" need to be improved. Although these attacks are very unlikely, the flaws must be corrected, since an expert attacker could cause serious trouble for a careless user.