Published: November 18, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
This video demontrates how the below described attack works. It shows all the pieces of equipment involved in the attack and how they interact. The video also contains an edit that protects personal banking information.
More than two years ago, researchers alerted both Apple Pay and Visa to a security flaw with their combined payment services. This flaw allows hackers to make unauthorized Visa card payments that can bypass the contactless limit on any EMV (chip) reader, even on a locked iPhone. The companies were warned again last year, with both still pointing to each other as responsible for patching the flaw. In the meantime, some iPhone and iWatch “Express Transit” Apple Pay customers using their wallet’s Visa for transit payments are finding they paid for purchases they didn’t make – a cringe-worthy situation for all but the attackers.
There’s A Man-In-The-Middle
Researchers from the University of Birmingham’s Computer Science department and the University of Surrey in the UK recently took a fresh look into the security flaw. They learned bad actors are using active Man-In-The-Middle (MITM) attacks to abuse the flaw. Techopedia defines an MITM attack as “…a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party…In the process, the two original parties appear to communicate normally.”
In this case, the researchers explain MITM attacks let hackers bypass the Apple Pay lock screen on any iPhone, locked or not, using a Visa for Express Travel payments. They mention the flaw doesn’t affect other payment cards on Apple Pay other than Visa.
With an active MITM, an attacker with a powered-on iPhone can intercept and manipulate communications between Apple Pay and Visa, literally putting themselves in the middle of the transaction. With the target iPhone owner being none the wiser, the hacker as the MITM can abuse the security flaw, allowing them unlimited EMV contactless transactions from the iPhone. The researchers also found their test payments passed backend fraud detection checks, showing the payment wasn’t prevented from being approved.
Until the two-year-old flaw is resolved and patched, if it ever is, the researchers recommend “that all iPhone users check that they do not have a Visa card set up in transit mode, and if they do, they should disable it.” Adding, “both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix.”
To disable “Express Transit” mode, go into the settings of the iPhone, click “Wallet & Apple Pay,” and choose any Visa card that is set up. Then, make sure the “Express Transit” option is in the Off position.
Don’t wait for a patch. No one appears to be in a rush to create one.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org