
Contactless Payment Card Hack Affects Apple Pay, Visa

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities exploited in the attack remain unpatched, but the impacted vendors say they are not concerned.


The research was conducted by researchers at the University of Birmingham and the University of Surrey in the United Kingdom.

They discovered that if an iPhone is configured to use Apple Pay and a Visa card in “transit mode,” an attacker can remotely steal money from the targeted individual without any authentication or authorization being required — the attack works against locked iPhones.

“Express Transit” or “Express Travel” is a feature in Apple Pay that enables users to quickly pay for rides on certain public transport networks without having to authorize the payment with Face ID or Touch ID, as is typically required when Apple Pay is used. This feature can be highly useful, but researchers found that it also introduces some security risks.

The attack requires a reader emulator (they used a Proxmark device in their experiments), an NFC-enabled Android phone that acts as a card emulator, and an EMV reader. The attacker needs to hold the reader emulator close to the targeted iPhone — this can be done while the phone is still in the victim’s possession, or on a lost or stolen device.

Apple Pay-Visa contactless card hack

The researchers described it as an “active man-in-the-middle replay and relay attack” that involves what they call “magic bytes,” a sequence of bytes that Apple Pay uses to determine if a transaction is being conducted with a transport EMV reader. The attack, they say, is possible due to a combination of flaws in Apple Pay and Visa systems.

“The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set. Offline data authentication for online transactions is a feature used in special-purpose readers, such as transit system entry gates, where EMV readers may have intermittent connectivity and online processing of a transaction cannot always take place. These modifications are sufficient to allow relaying a transaction to a non-transport EMV reader, if the transaction is under the contactless limit.”

Contactless card transactions typically have a limit, but the researchers have found a way to steal amounts of money over this limit. They demonstrated it by “stealing” £1,000 ($1,300) from a locked phone.
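As an added illustration of the issuer-side check the quoted description suggests (this is example code, not from the article or the researchers), the snippet below decodes byte 1 of the Terminal Transaction Qualifiers (EMV tag 9F66) and flags an online authorization whose TTQ carries the transit-gate profile (“EMV mode supported” plus “ODA for Online Authorizations supported”) while the acquiring merchant is not a transit operator. The bit layout follows the EMV contactless TTQ definition as I understand it and should be verified against the relevant kernel spec; the contactless limit, merchant category codes and sample transactions are constructed.

```python
from dataclasses import dataclass

# Byte 1 of TTQ (tag 9F66): bit mask -> meaning. Layout per the EMV
# contactless spec as understood here; verify against your kernel spec.
TTQ_BYTE1 = {
    0x80: "MSD supported",
    0x20: "EMV mode supported",
    0x10: "EMV contact chip supported",
    0x08: "Offline-only reader",
    0x04: "Online PIN supported",
    0x02: "Signature supported",
    0x01: "ODA for Online Authorizations supported",
}
EMV_MODE = 0x20
ODA_FOR_ONLINE = 0x01

CONTACTLESS_LIMIT = 100.00       # constructed limit, in the card currency
TRANSIT_MCCS = {"4111", "4131"}  # constructed: MCCs treated as transit operators


def decode_ttq(ttq_hex: str) -> list[str]:
    """Return the human-readable flags set in byte 1 of a 4-byte TTQ."""
    raw = bytes.fromhex(ttq_hex)
    if len(raw) != 4:
        raise ValueError("TTQ must be exactly 4 bytes")
    return [name for mask, name in TTQ_BYTE1.items() if raw[0] & mask]


def transit_style(ttq_hex: str) -> bool:
    """True when both flags the article's attack relies on are set."""
    b1 = bytes.fromhex(ttq_hex)[0]
    return (b1 & EMV_MODE) != 0 and (b1 & ODA_FOR_ONLINE) != 0


@dataclass
class Authorization:
    ttq_hex: str
    amount: float
    mcc: str             # merchant category code of the acquiring merchant
    cvm_performed: bool  # did the wallet report a consumer-device CVM?


def assess(auth: Authorization) -> str:
    """Route an online authorization: 'approve', 'review' or 'decline'."""
    if not transit_style(auth.ttq_hex):
        return "approve"   # ordinary reader profile, nothing unusual
    if auth.mcc in TRANSIT_MCCS:
        return "approve"   # transit-gate TTQ from a transit merchant: expected
    # Transit-gate TTQ from a non-transit merchant is the mismatch described above.
    if auth.amount > CONTACTLESS_LIMIT and not auth.cvm_performed:
        return "decline"
    return "review"
```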

Both Visa and Apple have been notified and the researchers provided recommendations on how the attack could be mitigated, but neither of them has released any patches. The companies believe this type of attack is impractical to execute at scale in the real world, and noted that attacks are made difficult by the multiple layers of security that are in place.

The researchers also tested Samsung Pay and Mastercard cards, which do not appear to be affected. The attack only works against devices that use Apple Pay with a Visa card — it does not work, for instance, when Apple Pay is used with a Mastercard card.

Users who believe they are at risk can prevent potential attacks by disabling the transit mode if they use Apple Pay with a Visa card.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
