Apple Pay-Visa Vulnerability May Enable Payment Fraud
Neither Firm Has Fixed Issue, Researchers Say
Researchers at the University of Birmingham and University of Surrey say they have uncovered a vulnerability in the Apple Pay-Visa setup that could allow hackers to bypass the iPhone’s Apple Pay lock screen, perform contactless payments and get around any established transaction limits.
The vulnerabilities were detected in iPhone wallets where Visa cards were set up in "express transit mode," the researchers say. The transit mode feature, launched in May 2019, enables commuters to make contactless mobile payments without fingerprint authentication.
Threat actors can use the vulnerability to bypass the Apple Pay lock screen and illicitly make payments using a Visa card from a locked iPhone to any contactless Europay, Mastercard and Visa - or EMV - reader, for any amount, without user authorization, the researchers say.
Information Security Media Group could not immediately ascertain the number of users affected by this vulnerability.
"The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay," the researchers note.
The researchers, who come from the University of Birmingham’s School of Computer Science and the University of Surrey’s Department of Computer Science, found the flaw as part of a project dubbed TimeTrust. The project is funded by the U.K. National Cyber Security Center, and the findings will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.
Visa and the university researchers did not immediately respond to ISMG's request for comments.
No Fix Issued
The details of this vulnerability were disclosed to Apple in October 2020 and to Visa in May 2021. The researchers say that both parties acknowledged the seriousness of the vulnerability, but have not come to an agreement on who should implement the fix.
"Our work includes formal modelling that shows that either Apple or Visa could mitigate this attack on their own. We informed them both months ago but neither have fixed their system, so the vulnerability remains live," the researchers note.
According to an Apple spokesperson, the vulnerability is a concern connected to Visa systems and Visa does not believe that this kind of fraud is likely to take place in the real world, given the multiple layers of security in place.
"We take any threat to users’ security very seriously. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy," the spokesperson tells ISMG.
John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, says the unfortunate reality is that organizations tend to be more concerned with liability and who is to blame than with their customers’ security.
"It gets even worse when controls can be implemented at either side to protect users, so it allows organizations to devolve into patterns of blamestorming instead of one of solving problems. The only real solution to this problem is the inevitable lawsuit when fraud happens, when the banks’ lawyers step in to ask the courts who is liable. Then it's up to the judge to decide," Bambenek tells ISMG.
Uncovering the Vulnerability
The researchers say they used simple radio equipment to identify a unique code broadcast by the transit gates, or turnstiles. The code, dubbed "magic bytes," unlocked Apple Pay, the researchers say.
"The team found they were able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader," the researchers note.
They say the method "persuades the shop reader that the iPhone has successfully completed its user authorization, so payments of any amount can be taken without the iPhone’s user’s knowledge."
In addition, the vulnerability allows the contactless transaction limit to be bypassed, permitting unlimited EMV contactless transactions from a locked iPhone, the researchers say.
Andreea-Ina Radu, who led the research from the School of Computer Science at the University of Birmingham, says the project is a "clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users."
The attack against Apple Pay transport mode is an active man-in-the-middle replay and relay attack, according to the researchers.
It requires an iPhone with a Visa card set up as a transport card. If a nonstandard sequence of bytes, called magic bytes, precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader, the researchers note.
The researchers used a Proxmark - which acts as a reader emulator - to communicate with the victim’s iPhone and an NFC-enabled Android phone - which acts as a card emulator - to communicate with a payments terminal.
"The Proxmark and card emulator need to communicate with each other," the researchers say. "We connected the Proxmark to a laptop, to which it communicated via USB; the laptop then relayed messages to the card emulator via WiFi." According to the researchers, the Proxmark can directly communicate with an Android phone via Bluetooth, and the Android phone will not require rooting.
The attack requires close proximity to the victim’s iPhone, which can be achieved by holding the terminal emulator near the iPhone while its rightful owner is still in possession of it, by stealing it or by finding a lost phone, the researchers note.
Ioana Boureanu, a researcher from the University of Surrey’s Center for Cyber Security, says that the research shows how a usability feature in contactless mobile payments can lower security. "But we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. Apple Pay users should not have to trade off security for usability, but at the moment, some of them do," she adds.