Researchers in the UK have demonstrated a security flaw that allowed them to make a contactless Visa payment of £1,000 ($1,345) via a locked iPhone.
According to Bleeping Computer, the hack relies on Apple Pay’s Express Transit mode, a feature that enables people to make quick contactless payments without unlocking their phones – for instance when paying for public transportation.
The academics, from the University of Birmingham and the University of Surrey, explained that they were able to carry out a man-in-the-middle replay and relay attack by emulating “a ticket-barrier transaction […] using a Proxmark device acting as a card reader communicating with the target iPhone and an Android phone with an NFC chip that communicated with a payment terminal.”
Theoretically, this could allow attackers to steal money by using fake card readers and make payments via stolen iPhones without the need to unlock them.
Both Apple and Visa were informed of the security flaw “months ago but neither have fixed their system, so the vulnerability remains live”.
The researchers therefore advise iPhone users not to use Visa as a transport card in Apple Pay until the issue is addressed.
The full details are published in the paper “Practical EMV Relay Protection” by Andreea-Ina Radu and Tom Chothia from the University of Birmingham, and Christopher JP Newton, Ioana Boureanu, and Liqun Chen from the University of Surrey. It will be presented at the 2022 IEEE Symposium on Security and Privacy.
Mobile device security
As a precaution, organizations that issue staff with cell phones, or that provide business credit cards to facilitate expense payments, should implement appropriate safeguards to protect themselves from this vulnerability.
This is one of many ways in which mobile devices leave their owners at risk. In particular, organizations that support BYOD (bring your own device) need to be aware of the security issues they might face.
Free Guide: Mobile Device Security – Adapting to flexible working
For more guidance on mobile device security, our free guide discusses some of the most common risks related to mobile device security, and a range of measures that can help you mitigate them.