An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning.
The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the UK's National Cyber Security Centre (NCSC). But Visa insisted that Apple Pay payments were secure and that any real-world attacks would be difficult to carry out so nothing to see here move on please.
The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in "Express Transit" mode.
Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices.
"An attacker only needs a stolen, powered-on iPhone", according to a writeup published this week.
"The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge. The attacker needs no assistance from the merchant."
This attack is made possible by a combination of flaws in both Apple Pay and Visa's systems, the academic team noted.
The details of this vulnerability have been disclosed to Apple (Oct 2020) and to Visa (May 2021)," according to the writeup. "Both parties acknowledge the seriousness of the vulnerability but have not come to an agreement on which party should fix it.
"Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world", Visa said in a statement to the BBC, adding that its fraud-detection systems would flag any suspicious transactions.
Apple meanwhile shifted the responsibility to Visa and told the outlet: "This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero-liability policy.”
The researchers say users can protect themselves by not using Visa as a transport card in Apple Pay, and if they do, by remotely wiping the device if lost or stolen. The bug does not affect other types of payment cards or payment systems. So it might be better to use a phone or card which does not have a flaw, or two partners who can’t agree when there is a problem.