Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Fraud & Identity Theft

Contactless Payment Card Hack Affects Apple Pay, Visa

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities exploited in the attack remain unpatched, but the impacted vendors say they are not concerned.

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities exploited in the attack remain unpatched, but the impacted vendors say they are not concerned.

The research was conducted by researchers at the University of Birmingham and the University of Surrey in the United Kingdom.

They discovered that if an iPhone is configured to use Apple Pay and a Visa card in “transit mode,” an attacker can remotely steal money from the targeted individual without any authentication or authorization being required — the attack works against locked iPhones.

“Express Transit” or “Express Travel” is a feature in Apple Pay that enables users to quickly pay for rides on certain public transport networks without having to authorize the payment with Face ID or Touch ID, as is typically required when Apple Pay is used. This feature can be highly useful, but researchers found that it also introduces some security risks.

The attack requires a reader emulator (they used a Proxmark device in their experiments), an NFC-enabled Android phone that acts as a card emulator, and an EMV reader. The attacker needs to hold the reader emulator close to the targeted iPhone — this can be done while it’s still in possession of the victim, or the attack is launched on a lost or stolen device.

Apple Pay-Visa contactless card hack

The researchers described it as an “active man-in-the-middle replay and relay attack” that involves what they call “magic bytes,” a sequence of bytes that Apple Pay uses to determine if a transaction is being conducted with a transport EMV reader. The attack, they say, is possible due to a combination of flaws in Apple Pay and Visa systems.

“The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set. Offline data authentication for online transactions is a feature used in special-purpose readers, such as transit system entry gates, where EMV readers may have intermittent connectivity and online processing of a transaction cannot always take place. These modifications are sufficient to allow relaying a transaction to a non-transport EMV reader, if the transaction is under the contactless limit.”

Contactless card transactions typically have a limit, but the researchers have found a way to steal amounts of money over this limit. They demonstrated it by “stealing” £1,000 ($1,300) from a locked phone.

Both Visa and Apple have been notified and the researchers provided recommendations on how the attack could be mitigated, but neither of them has released any patches. The companies believe this type of attack is impractical to execute at scale in the real world, and noted that attacks are made difficult by the multiple layers of security that are in place.

Advertisement. Scroll to continue reading.

The researchers also tested Samsung Pay and Mastercard cards, but they do not appear to be affected. The attack only works against devices that use Apple Pay and Visa — the attack does not work if Apple Pay is used, for instance, with Mastercard cards.

Users who believe they are at risk can prevent potential attacks by disabling the transit mode if they use Apple Pay with a Visa card.

Related: Cybercriminals Could Be Cloning Payment Cards Using Stolen EVM Data

Related: New Attacks Allow Bypassing EMV Card PIN Verification

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.