Vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and make unauthorised contactless payments, according to new research.

Experts at the University of Birmingham and the University of Surrey found that hackers could also change the contactless limit, meaning transactions of any amount could be carried out.

The researchers discovered that the vulnerability occurs when Visa cards are set up in Express Transit mode, which is used by many commuters at train and underground stations.

The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.

Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’ will unlock Apple Pay.

The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.

At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone’s user’s knowledge.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea Radu, who led the research at the School of Computer Science, University of Birmingham. “Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

A spokesperson from Apple said: "We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy."

A spokesperson from Visa said: "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."

Share Story: