Hackers can use Apple Pay to make large contactless Visa payments with locked iPhones

Researchers from the Computer Science departments of Birmingham and Surrey Universities have discovered a way for hackers to make large, unauthorized payments from locked iPhones by exploiting the functionality of Apple Pay.

The academic researchers found that the attack works on Visa cards in Express Transit mode in an iPhone's wallet. They were able to make a contactless payment of £1,000 (around $1,350) without unlocking the iPhone being used. Despite having been reported to Apple a year ago, the issue remains unfixed.

See also:

• How to install Windows 11 on any computer, even those without TPM 2.0
• How to sign into Windows 11 automatically
• Most people neither know nor care about Windows 11

Apple has dismissed the attack vector as being a "concern with a Visa system"; Visa not only insists that all payments are secure, but also that the attack set out by researchers was impractical.

Express Transit mode was designed to allow easy passage through ticket gates by a user, making it possible to pay for entry to venues or for transport tickets without the need to unlock their iPhone first. This can be exploited in an attack.

In short, the attack involves using a device purporting to be a ticket gate, and the signal from the iPhone attempting to communicate with the "ticket gate" is intercepted. An app is used to trick a nearby payment terminal into believing that the iPhone is unlocked, thereby authorizing a payment to be made.

The researchers explain:

The attack against Apple Pay Transport mode is an active Man-in-the-Middle replay and relay attack. It requires an iPhone to have a Visa card (credit or debit) setup as "transport card".

If a non-standard sequence of bytes (Magic Bytes) preceeds the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader.

We use a Proxmark (this will act as a reader emulator) to communicate with the victim’s iPhone and an NFC-enabled Android phone (which acts as a card emulator) to communicate with a payment terminal. The Proxmark and card emulator need to communicate with each other. In our experiements, we connected the Proxmark to a laptop, to which it communicated via USB; the laptop then relayed messages to the card emulator via WiFi. The Proxmark can also directly communicate with an Android phone via Bluetooth. The Android phone does not require rooting.

The attack requires close proximity to the victim's iPhone. This can be achieved by holding the terminal emulator near the iPhone, while its rightful owner is still in posession, by stealing it or by finding a lost phone.

The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set. Offline data authentication for online transactions is a feature used in special-purpose readers, such as transit system entry gates, where EMV readers may have intermittent connectivity and online processing of a transaction cannot always take place. These modifications are sufficient to allow relaying a transaction to a non-transport EMV reader, if the transaction is under the contactless limit.

In order to relay transactions over the contactless limit, the Card Transaction Qualifiers (CTQ), sent by the iPhone, need to be modified such that the bit (flag) for Consumer Device Cardholder Verification Method is set. This tricks the EMV reader into believing that on-device user authentication has been performed (e.g. by fingerprint). The CTQ value appears in two messages sent by the iPhone and must be changed in both occurances.

In a paper entitled Practical EMV Relay Protection due to be published at the 2022 IEEE Symposium on Security and Privacy, the team of researchers summarize their findings:

• The Apple Pay lock screen can be bypassed for any iPhone with a Visa card set up in transit mode. The contactless limit can also be bypassed allowing unlimited EMV contactless transactions from a locked iPhone.
• An attacker only needs a stolen, powered on iPhone. The transactions could also be relayed from an iPhone inside someones bag, without their knowledge. The attacker needs no assistance from the merchant and
  backend fraud detection checks have not stopped any of our test payments.
• This attack is made possible by a combination of flaws in both Apple Pay and Visa's system. It does not, for instance, affect Mastercard on Apple Pay or Visa on Samsung Pay.
• Our work includes formal modelling that shows that either Apple or Visa could mitigate this attack on their own. We informed them both months ago but neither have fixed their system, so the vulnerability remains live.
• We recommend that all iPhone users check that they do not have a Visa card set up in transit mode, and if they do they should disable it.

A video of an attack can be seen on the website as well.

Image credit: WDnet Creation / Shutterstock