A team of security researchers has uncovered a new hack that could allow bad actors to make unauthorized charges through victims’ iPhones.
In a demonstration to the BBC, researchers from the Computer Science departments of the Universities of Birmingham and Surrey in the U.K. showed how cyber thieves can exploit a feature in Apple Pay to trigger unauthorized contactless payments. According to the researchers, the problem lies in how Visa cards are set up in "Express Transit" mode in an iPhone's wallet.
Express Transit is an Apple Pay feature that enables commuters to make quick contactless payments without having to unlock their phone. It’s similar to how a commuter might pay for a ride on New York City’s MTA, Los Angeles’ TAP, or Chicago’s CTA.
How it works
In the demo, researchers showed how easy it was for them to make a Visa payment of £1,000 ($13,460 USD) without unlocking the phone or authorizing the payment.
All a hacker has to do is set up a commercially available piece of radio equipment near where the iPhone might be used to make a payment, such as a retail store. The hacker can then trick the iPhone into thinking it's dealing with a legitimate payment terminal.
The scary thing is that the crook’s phone and the payment terminal that’s being used don't need to be anywhere near the victim's iPhone. "It can be on another continent from the iPhone as long as there's an internet connection," said Dr. Ioana Boureanu of the University of Surrey.
Apple and Visa aren’t worried...yet
While the researchers may think the incursion is a real possibility, neither Apple nor Visa is sweating it quite yet. According to the BBC, Apple said the matter was "a concern with a Visa system." Visa said its payments were secure and that attacks of this type were impractical outside of a lab.
Visa told the BBC that it takes all security threats seriously, but it says this isn't something consumers should worry about.
"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," the company said. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."
Regardless of whether this particular threat is viable, there are things consumers can do to lessen the chances of being victimized by a hacker trying to create unauthorized payments. First off, if you lose your phone, you can use Apple's iCloud to block Apple Pay or wipe the phone remotely. You can also alert Visa and have the card blocked against any future payments.
"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy," Apple said.