Visa users may want to stop using Apple Pay’s Express Transit feature to pay for their tickets. The service appears to have a flaw affecting users with Visa cards, which would allow other people to perform large unauthorized payments from locked iPhones.
Apple’s Express Transit feature started working less than a year ago. It enables Apple Pay users to quickly perform payments without the need for authentication via Face ID, Touch ID, or a passcode. The service is quite useful when you want to pay for something while you’re in a hurry, and it’s especially convenient when paying at ticket barriers. However, researchers from the United Kingdom have demonstrated that this feature would also allow large unauthorized Visa payments thanks to a hack.
The demonstration was performed by Computer Science researchers from Birmingham and Surrey Universities, who exploited a weakness in the Visa contactless system using a small piece of commercially available radio equipment that is placed close to the iPhone and set up as a fake ticket barrier.
An Android device was then used to relay the signal from the iPhone to a contactless payment terminal, which is used to authorize the payment.
The researchers managed to perform a Visa payment of £1,000 from a locked iPhone, and they also told the BBC that “the Android phone and payment terminal used don’t need to be near the victim’s iPhone.”
And it seems that Apple doesn’t worry too much about this issue, as the company told the BBC that this was a problem with the Visa system.
“We take any threat to users’ security very seriously,” said Apple. “This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
“Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence,” said a Visa spokesperson. “Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”
The easiest way to perform this attack could be with a stolen iPhone. There’s no evidence that this hack has been used in the real world, but that doesn’t mean it can’t happen. In the meantime, you may want to have a Mastercard linked to your Apple Pay account. That way, you will avoid becoming a possible victim of this issue.