By exploiting an unresolved vulnerability in Apple Pay, it is possible to make fraudulent contactless payments on the Visa circuit without any spending limit, even when the iPhone is locked and therefore without any user interaction. Here are all the details while a definitive patch is still awaited.
30 Sep 2021, Paolo Tarsitano, Editor, Cybersecurity360.it

A method has been discovered to make fraudulent contactless payments using Apple Pay, the digital wallet found on all iPhones, Apple Watches, Macs and iPads.
The vulnerability, discovered by five researchers from the Universities of Birmingham and Surrey in the UK, can be described as the digital version of the classic pickpocket.
In fact, academics have found a way to make fraudulent payments using the "Express Transit Card" payment method available in Apple Pay and bypassing the iPhone lock screen.
Apple Pay: the bug in contactless payments
In particular, according to what the researchers report, the bug in Apple Pay occurs when a Visa card is enabled on the iPhone in "Express Transit Card" mode, used to pay quickly on public transport or in parking lots.
Exploiting the vulnerability could therefore allow an attacker to bypass the iPhone lock screen and make contactless payments without typing the passcode and without validating with Face ID or Touch ID. Above all, the victim of the fraud would notice nothing, as the whole procedure takes place over the air while the iPhone sits in a pocket or purse.
The "Express Transit Card" mode was in fact deliberately designed to make small payments quick and easy: when it is active, the user simply approaches the payment terminal or turnstile and immediately pays for parking, the bus or the subway without even taking the iPhone out to unlock it.
Man-in-the-middle replay and relay attack: here's how it works
Video from the researchers: https://practical_emv.gitlab.io/assets/relay_explained.mp4

Typically, the "Express Transit Card" mode works in the presence of compatible turnstiles or access gates which, when the iPhone's owner approaches, send a non-standard sequence of bytes expressly designed to bypass the Apple Pay lock screen.
Using this feature, the British researchers reproduced a man-in-the-middle replay and relay attack that allowed them to emulate the behaviour of a payment terminal and get a credit card transaction validated.
In the attack simulation they used a Proxmark device (which can also be easily bought online) that, acting as a card reader, communicated with the iPhone, and an NFC-equipped Android smartphone to communicate with the real payment terminal.
The researchers used the Proxmark to replay what they themselves dubbed the "magic bytes", sent to the iPhone to trick it into believing it has to authorize a "ticket-gate" type transaction, for which no authentication by the user is required.
It is not that easy to exploit the bug
In fact, as the researchers themselves have stated, putting the procedure into practice is easier said than done.
To make the attack succeed, it is in fact necessary to modify some flags in the metadata transmitted by the Proxmark, altering the magic bytes so as to enable offline data authentication and thus allow the fraudulent transaction to go through on the credit card.
The iPhone must be made to believe that the transaction is taking place through an EMV terminal capable of handling EMV Transit contactless payments according to the standard maintained by EMVCo, the regulatory body of the sector made up of Europay, MasterCard and Visa.
Unlimited transactions
Moreover, the researchers verified that it is also possible to change the Card Transaction Qualifiers (CTQ) flags, which are used to manage spending limits in contactless transactions.
This change serves primarily to give the card reader confirmation that the authentication step on the mobile device has been successfully completed, even though it never took place.
During their attack simulation the researchers were thus able to carry out a £1,000 transaction on both an iPhone 7 and an iPhone 12, in both cases without unlocking the device.
There is no patch for the vulnerability yet
The researchers confirmed that the various attack simulations were only successful using a combination of iPhones and Visa cards.
The Mastercard circuit, in fact, is understood to perform an additional check to make sure that a locked iPhone accepts transactions only from card readers carrying a transit merchant code.
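To show in working form what the CTQ flag manipulation above exploits, and the kind of wallet-side check the article attributes to Mastercard, here is an added illustration written for this article; it is not code from the researchers, Apple, Visa or Mastercard. The merchant category codes, the spending cap and the message fields are assumptions constructed for the example, and the point it makes is that a locked device must decide on its own state, never on flags a reader asserts.

```python
from dataclasses import dataclass

# Constructed assumptions: merchant category codes the wallet treats as
# transit/parking, and a per-transaction cap for unlock-free payments.
TRANSIT_MCC = {"4111", "4112", "4131", "7523"}
EXPRESS_TRANSIT_LIMIT = 50.00  # hypothetical cap, in GBP


@dataclass
class TerminalRequest:
    """What the (possibly relayed) reader tells the phone."""
    amount: float
    merchant_category_code: str
    claims_transit_mode: bool    # the "magic bytes" transit request
    reader_asserts_cdcvm: bool   # CTQ-style claim that user auth was done


@dataclass
class DeviceState:
    """What the wallet itself knows; this is the only trustworthy source."""
    unlocked: bool
    user_authenticated: bool     # passcode / Face ID / Touch ID this session


def decide(req: TerminalRequest, dev: DeviceState):
    """Return (approve, reason) for a contactless request on this device."""
    if dev.unlocked and dev.user_authenticated:
        return True, "user authenticated on device"
    # Locked device: only a genuine transit merchant may use express mode.
    if not req.claims_transit_mode:
        return False, "locked device and no transit mode requested"
    if req.merchant_category_code not in TRANSIT_MCC:
        return False, "transit mode requested by non-transit merchant"
    if req.amount > EXPRESS_TRANSIT_LIMIT:
        return False, "amount exceeds express transit cap"
    # A reader cannot vouch for consumer-device CVM the device never did.
    if req.reader_asserts_cdcvm and not dev.user_authenticated:
        return False, "reader claims CDCVM but device performed none"
    return True, "express transit approved"


def demo():
    locked = DeviceState(unlocked=False, user_authenticated=False)
    gate = TerminalRequest(2.50, "4111", True, False)     # real turnstile
    relay = TerminalRequest(1000.00, "5411", True, True)  # relayed shop
    return decide(gate, locked), decide(relay, locked)
```

The `relay` case models the article's £1,000 test: a non-transit merchant, an amount above the cap and a reader-asserted CDCVM, any one of which is enough for the policy to refuse.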
Furthermore, by trying to put into practice the fraudulent technique with the Samsung Pay technology, the researchers found that transactions are always possible on locked Samsung devices, but in reality they are never completed so their value has always been zero.
Finally, it should be noted that the research results were sent to Apple and Visa in October 2020 and May 2021 respectively, but neither has so far fixed the problem; on the contrary, the two companies have shifted onto each other the burden of releasing a fix for a vulnerability which, at the moment, can therefore be exploited in real attacks, as may already have happened.
For its part, in an official note, Visa confirmed to our newspaper that "Visa cards connected to Apple Pay Express Transit (the express transit mode, ed.) are safe and cardholders can continue to trust and use them without fear. Variants of contactless fraud have been studied in laboratory settings for more than a decade and have proven impractical at scale in the real world. Visa takes all security threats very seriously and is constantly striving to strengthen the reliability of payments throughout the ecosystem."
All the details of the research are available in the Practical EMV Relay Protection whitepaper that will be presented at the upcoming 2022 IEEE Symposium on Security and Privacy.