Visa vulnerability in Apple Pay allows biometrics bypass for fraudulent payments
UK scientists found a vulnerability in the Express Transit mode for iPhones which allowed them to fool iPhones via a “replay and relay” attack into making contactless payments of £1,000 (US$1,350) on Visa cards linked to Apple Pay – while the phone is locked and without authorization. They were using only their own phones, but the process shows that limitless amounts could be taken. Coding meant the need to provide any biometric authorization was simply bypassed.
The vulnerability exists in the iPhone digital wallet’s Express Transit mode where users can make a contactless payment at a ticket barrier without needing to unlock their phones.
The team from the University of Birmingham and University of Sussex posted videos along with their findings to demonstrate the process.
According to BBC reporting, Apple has said this is “a concern with a Visa system” while Visa has said the attacks carried out were impractical outside of a lab.
According to the researchers’ findings summary, the team alerted Apple in October 2020 and Visa in May 2021. The vulnerability still exists. “Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix.”
Despite the bedroom settings and use of Lego, the biometrics bypassing experiments reflect lab conditions. While it might be hard to hack a phone in similar fashion in a real-life setting, the stolen phone could simply be taken into a criminal lab.
For their ‘active man-in-the-middle’ attack, the team used an iPhone 7 and more recent 12 with a Visa card set up as a transit card (credit or debit). This was read by a commercially available card reader emulator (a piece of radio kit by Proxmark) which was connected to an NFC-enabled Android phone which would be a card emulator.
The Proxmark was connected by USB to a laptop, which communicated with the card emulating Android via WiFi. Bluetooth also works. An additional mobile was used to operate a merchant card terminal, in this case a standard bit of kit by iZettle.
Then the card reader emulator (Proxmark box) just needs to be held near an iPhone. The reader emulator, Android and laptop then run the relay attack, first telling the iPhone that it is being read by a transit terminal, bypassing the need for the phone to be unlocked.
The kit communicates with the straightforward merchant set-up, which then debits the Visa card by any amount. No authorization – typically biometric by Face ID or fingerprint – by the holder is required as coding also makes it appear as though permission has been given to allow the transaction. In the videos, the iPhone remains locked throughout with no notification appearing on the screen. Only by going into the Apple Pay wallet on the handset and looking at transactions for the Visa card can the owner see what has happened.
The scientists recommend people not to have a Visa card linked to Apple Pay for transit payments.
Further work by the team uncovered more vulnerabilities for Visa card payments not related to the Apple Pay hacks.