Flaws in Apple Pay and Visa could allow criminals to make arbitrary contactless payments – no authentication needed, research finds
Cybercriminals could make fraudulent purchases by circumventing an iPhone’s Apple Pay lock screen where the device’s wallet has a Visa card set up in so-called transit mode. The attackers could also bypass the contactless limit to carry out unlimited transactions from locked iPhones, researchers from the University of Birmingham and the University of Surrey have shown.
The research paper, titled “Practical EMV Relay Protection”, maps out how attackers could abuse a combination of flaws in Apple Pay and Visa, explaining that all they would need to carry out an attack is a pilfered powered-on iPhone. The illicit transactions could also be relayed even if the device is in the victim’s baggage.
When carrying out a payment via a smartphone app, the user usually has to authenticate the transaction using either one of the iPhone’s built-in biometric authentication features like a fingerprint scan or Face ID, or punch in a PIN code, reducing the threat of relay attacks. However, in May 2019 Apple introduced the “Express Transit/Travel” feature that allows Apple Pay to be used without unlocking the phone. The feature was introduced to facilitate payment at transport-ticketing barrier stations.
“We show that this feature can be leveraged to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without user authorization,” reads the paper describing the attack method.
The attack, classified as a Man-in-the-Middle (MitM) replay and relay attack, requires the iPhone to have a Visa Card set up for payment with the “Express Travel” mode turned on, and the victim to be in close vicinity to the attacker. To conduct their test, the researchers used a Proxmark that acted as a reader emulator, and an NFC-enabled Android phone that was used as a card emulator to communicate with the payment terminal.
“The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set,” the researchers said.
To relay transactions that surpass the contactless payment limit, Card Transaction Qualifiers (CTQ) that are in charge of setting transaction limits need to be modified.
“This tricks the EMV reader into believing that on-device user authentication has been performed (e.g. by fingerprint). The CTQ value appears in two messages sent by the iPhone and must be changed in both occurrences,” the researchers explained. During their test the team was able to carry out a £1,000 (some US$1,400) transaction.
Using a pair of NFC-enabled Android phones, the research team was also able to circumvent Visa’s protocol used to stop relay attacks for payment cards.
Both Apple and Visa have been notified about the security flaw by the researchers, and while both companies have acknowledged the severity of the vulnerability, they have yet to come to an agreement on which of the companies should deploy a fix for the issue. In the meanwhile, users are advised not to use Visa cards in the transport card mode while using Apple Pay.