Your Apple Pay payments can be stolen over the air — here's what to do

Your Apple Pay payments tin can be stolen over the air — here's what to practice

An Apple Pay screen displaying a Visa card.

(Image credit: Tom's Guide)

Apple Pay payments can be stolen from your iPhone over the air, and the problem still exists because neither Apple nor Visa wants to be the one to fix it, Great britain-based researchers say.

The researchers, from the universities of Birmingham and Surrey, showed in a new website and inquiry paper that they could replicate Transport for London contactless-carte readers using off-the-shelf equipment and steal £1,000 (about $1,350 U.Due south.) from iPhones using Apple Pay every bit long as the payments were tied to a Visa card.

The best Samsung watch in 2021
The all-time Mac antivirus software
Plus: YouTube Television set's cord-cutter nightmare delayed as NBCU channels stay for at present

Because of this, a hacker or crook with the right equipment in a coat pocket could lurk in subway stations in major cities and capture Apple Pay transactions from passersby, and then "replay" the transactions at retail stores anywhere in the world.

Phone thieves could also use this method to extract money from locked iPhones that are continuously powered on.

"Perhaps the greatest worry is for a lost or stolen phone," Pen Examination Partners caput Ken Munro, who was not involved in this research, told the BBC. "The crook doesn't have to be concerned almost beingness spotted by others as they comport out the attack any more."

Yet because of a dispute over whose system is at fault, Apple and Visa are apparently pointing fingers at each other.

"In that location is no demand for Apple Pay users to be in danger, just until Apple tree or Visa fix this they are," researcher Tom Chothia, of the Academy of Birmingham, told the BBC.

Apple responds

"We take any threat to users' security very seriously," Apple told Tom'southward Guide. "This is a business organisation with a Visa organisation but Visa does non believe this kind of fraud is probable to take place in the real world given the multiple layers of security in place.

"In the unlikely result that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

How to protect yourself from this attack

To protect yourself from this kind of assault, do not tie a Visa card to Apple Pay's Limited Transit or Express Travel mode, which are explained below.

If your iPhone is stolen or lost, use iCloud to remotely disable Apple Pay birthday. If you believe fraudulent transactions have been made using your Visa menu and Apple tree Pay, inform your carte issuer immediately.

Why this attack tin happen

The flaw has to do with two unlike things. The first is Apple'southward "Express Transit" or "Limited Travel" way, which was introduced with iOS 12.iii in May 2019. It permits Apple Pay transactions without the iPhone owner unlocking the phone'south screen, such every bit when moving rapidly through a subway turnstile. The second issue is in the way Visa handles such payments.

With a MasterCard instead of a Visa card tied to the Apple Pay payment, the theft didn't work, the researchers said. Nor did it work on Samsung phones using Samsung Pay, which has a similar locked-screen transit manner.

According to an Apple back up certificate, Limited Transit/Travel is supported on transit systems in London, New York, Beijing, Shanghai, Hong Kong, Los Angeles, Chicago, Washington, D.C., Portland, Oregon, the San Francisco Bay Area and throughout Finland and Japan.

How the hack works

The researchers prepare shop in several London Undercover stations and captured the signals sent betwixt the contactless-carte du jour readers at the turnstiles and their ain iPhones. They and then programmed handheld Proxmark RFID (radio frequency identification) tools to mimic the Transport for London card readers.

The researchers found that the turnstiles broadcast a 15-byte sequence to let the iPhones know that they were interacting with a transit organization. The iPhones so activated Apple Pay upon receipt of these "magic bytes," despite the iPhones withal existence locked.

After that, an Apple Pay transaction could be made and processed. The researchers used an Android phone communicating with the Proxmark to act as a card payment organisation and were able to procedure transactions. The attacker's Android phone does not demand to be close to the targeted iPhone.

"It can be on another continent from the iPhone equally long as at that place's an cyberspace connection," researcher Ioana Boureanu of the University of Surrey told the BBC.

Overriding the payment limit

Nonetheless, Limited Transit/Travel places a adequately low limit on the amount that tin can be charged. Merely the researchers institute that they need to change only two bits in the manual between the Proxmark and the carte-payment system to override that limit.

Visa told the researchers that "if this set on was to enhance fraud alerts ... it would be eventually stopped," according to the enquiry newspaper. "Nosotros performed our assail multiple times, on big values, from the same carte du jour, and we were never blocked and flagged for fraud."

Visa has proposed a counter-mensurate to stop this attack, the researchers said, but they added that it could hands be bypassed. Instead, the researchers propose that Visa or Apple implement a variation on the method that MasterCard uses to successfully block these attacks.

Pointing fingers

The researchers say they told Apple of this vulnerability in Oct 2020 and Visa in May 2021. Each company, say the researchers, continues to blame the other, although the researchers point out on their website that "either Apple or Visa could mitigate this attack on their own."

"Apple suggested that the best solution was for Visa to implement additional fraud detection checks," states the research paper. "Meanwhile, Visa observed that the issue only applied to Apple (i.e., not Samsung Pay), so suggested that a set should exist fabricated to Apple Pay."

Furthermore, the research paper adds, "Apple did not pay a bug bounty, even though they advertise $100,000 for bypassing a lock screen, and our attack bypasses the Apple Pay lock screen."

"Contactless fraud schemes have been studied in laboratory settings for more than a decade and accept proven to be impractical to execute at calibration in the real world," Visa told the BBC and ZDNet.

Exasperated researchers

Needless to say, the researchers who discovered this flaw nigh a year ago are frustrated.

"Our work shows a articulate case of a characteristic, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users," researcher Andreea-Ina Radu of the University of Birmingham told ZDNet.

"Our discussions with Apple and Visa revealed that when ii industry parties each have partial blame, neither are willing to take responsibleness and implement a fix, leaving users vulnerable indefinitely."

The researchers, who aside from Boureanu, Chothia and Radu include Liqun Chen and Christopher J.P. Newton of the Academy of Surrey, plan to formally present their results at the IEEE Symposium on Security and Privacy in May 2022 in Oakland, California.

Similar findings by Timur Yunusov and Leigh Galloway will be presented at Black Hat Europe in Nov 2021.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has likewise been a dishwasher, fry cook, long-haul driver, lawmaking monkey and video editor. He'south been rooting around in the information-security space for more than than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and fifty-fifty moderated a panel discussion at the CEDIA home-technology conference. Yous can follow his rants on Twitter at @snd_wagenseil.