FB pixel

Visa vulnerability in Apple Pay allows biometrics bypass for fraudulent payments

Scientists hack own phones via Apple Pay Visa integration
Visa vulnerability in Apple Pay allows biometrics bypass for fraudulent payments
 

UK scientists found a vulnerability in the Express Transit mode for iPhones which allowed them to fool iPhones via a “replay and relay” attack into making contactless payments of £1,000 (US$1,350) on Visa cards linked to Apple Pay – while the phone is locked and without authorization. They were using only their own phones, but the process shows that limitless amounts could be taken. Coding meant the need to provide any biometric authorization was simply bypassed.

The vulnerability exists in the iPhone digital wallet’s Express Transit mode where users can make a contactless payment at a ticket barrier without needing to unlock their phones.

The team from the University of Birmingham and University of Sussex posted videos along with their findings to demonstrate the process.

According to BBC reporting, Apple has said this is “a concern with a Visa system” while Visa has said the attacks carried out were impractical outside of a lab.

According to the researchers’ findings summary, the team alerted Apple in October 2020 and Visa in May 2021. The vulnerability still exists. “Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix.”

Despite the bedroom settings and use of Lego, the biometrics bypassing experiments reflect lab conditions. While it might be hard to hack a phone in similar fashion in a real-life setting, the stolen phone could simply be taken into a criminal lab.

For their ‘active man-in-the-middle’ attack, the team used an iPhone 7 and more recent 12 with a Visa card set up as a transit card (credit or debit). This was read by a commercially available card reader emulator (a piece of radio kit by Proxmark) which was connected to an NFC-enabled Android phone which would be a card emulator.

The Proxmark was connected by USB to a laptop, which communicated with the card emulating Android via WiFi. Bluetooth also works. An additional mobile was used to operate a merchant card terminal, in this case a standard bit of kit by iZettle.

Then the card reader emulator (Proxmark box) just needs to be held near an iPhone. The reader emulator, Android and laptop then run the relay attack, first telling the iPhone that it is being read by a transit terminal, bypassing the need for the phone to be unlocked.

The kit communicates with the straightforward merchant set-up, which then debits the Visa card by any amount. No authorization – typically biometric by Face ID or fingerprint – by the holder is required as coding also makes it appear as though permission has been given to allow the transaction. In the videos, the iPhone remains locked throughout with no notification appearing on the screen. Only by going into the Apple Pay wallet on the handset and looking at transactions for the Visa card can the owner see what has happened.

The scientists recommend people not to have a Visa card linked to Apple Pay for transit payments.

Further work by the team uncovered more vulnerabilities for Visa card payments not related to the Apple Pay hacks.

Article Topics

 |   |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics providers and systems evolve or get left behind

Biometrics are allowing people to prove who they are, speeding journeys through airports, and enabling anonymous online proof of age,…

 

Findynet funding development of six digital wallet solutions

Finnish public-private cooperative Findynet has announced it will award 60,000 euros (US$69,200) to six digital wallet vendors to help translate…

 

Patchwork of age check, online safety legislation grows across US

As the U.S. waits for the Supreme Court’s opinion on the Texas case of Paxton v. Free Speech Coalition, which…

 

AVPA laud findings from age assurance tech trial

The Age Verification Providers Association (AVPA), and several of its members, have welcomed the publication of preliminary findings from the…

 

Sri Lanka to launch govt API policies and guidelines

Sri Lanka’s government, in the wake of its digital economy drive, is gearing up to release application programming interface (API)…

 

Netherlands’ asylum seeker ID cards from Idemia use vertical ICAO format

The Netherlands will introduce new identity documents for asylum seekers Idemia Smart Identity, compliant with the ICAO specification for vertical…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Biometric Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events