Hackers could drain thousands of pounds from iPhones by exploiting a flaw in the way the device's contactless payments system works.
Researchers at the Universities of Surrey and Birmingham found that Visa cards linked to the iPhone's Apple Pay service could be exploited to steal money using off-the-shelf equipment.
The researchers said the problem could be easily solved by either Apple or Visa but that both parties had declined to introduce fixes despite being warned about it.
Many major high street banks use Visa debit cards, while Barclaycard uses the company for its credit cards.
The hack involves taking advantage of the iPhone’s "Express Travel" mode, which is designed for use on public transport.
Making contactless payments with an iPhone typically requires users to confirm a transaction using a fingerprint, facial recognition or a passcode to prevent lost or stolen iPhones being used for purchases.
The Express Travel mode, however, does not require such authentication, allowing people to pay for public transport by simply tapping the phone against a terminal. It is used in the UK on Transport for London’s Oyster network and on the First Bus system, which operates in dozens of towns and cities.
The researchers were able to exploit this by imitating the signal from a public transport terminal so that the iPhone was ready to make the payment. A payments receiver is then "tricked" into accepting a transaction.
(Photo caption: The Express Travel mode makes using Tube gates easier)
Unlike contactless cards, which cap payments at £45, there is no limit on Apple Pay transactions, meaning hackers could in theory drain a person’s bank account or their credit card limit, merely by stealing an iPhone, or surreptitiously holding a terminal up to a device in a bag or pocket. The researchers were able to make a £1,000 payment using a locked phone.
The flaw only works with Visa cards on the Apple Pay service. It does not work with Mastercard or American Express cards, which prevent such payments using an extra authentication process. Nor does it work with a similar public transport payments service on Samsung phones, even with Visa cards.
The iPhone’s Express Travel mode has to be connected to a particular card, and must be deliberately activated, so only those who have turned on the feature and connected it to a Visa card could be affected.
"Apple Pay users should not have to trade off security for usability, but at the moment some of them do," said Ioana Boureanu from the University of Surrey's Centre for Cyber Security.
Andreea Radu, of the University of Birmingham’s School of Computer Science, said it was a "clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users". She said the vulnerability was difficult to replicate, but that the high rewards meant criminals might be motivated to.
A Visa spokesperson said the discovery did not mean people were at risk. "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence," the company said.
"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."