Researchers are urging iPhone users to remove any Visa card set up as a transport card in Apple Pay, a configuration they say fraudsters can use to bypass security and make unlimited contactless payments.
Experts from the University of Birmingham and the University of Surrey warned that this issue could be exploited to transact with an iPhone inside someone’s bag, without their knowledge.
They claim the vulnerability only occurs on Apple Pay when a Visa card is set up as an Express Travel Card, also known as Express Transit Mode, a feature intended to let owners tap into and out of public transport without the requirement to unlock their phones.
Using simple radio equipment, the team was able to trick the iPhone into thinking it was communicating with a transit gate when it was actually communicating with a payment reader used by stores, in what is known among cyber experts as a man-in-the-middle attack.
This was done by identifying a unique code transmitted by transit gates or turnstiles, which was then used to interfere with the signal between the iPhone and a shop card reader.
Study co-author Dr Tom Chothia from the University of Birmingham said, “iPhone owners should check whether they have a Visa card for transit payments and if so they should disable it.”
“Apple Pay users have no need to be in danger, but until Apple or Visa fix it, they are.”
Back-end fraud detection checks were also unable to stop any payments from occurring in tests conducted by the group.
The researchers said they shared details of the problem with Apple and Visa, claiming that both companies acknowledged the severity of the vulnerability, but had not reached an agreement on who should apply the fix.
Visa responded by saying that its cards are protected with the facility, and that cardholders should continue to use them “with confidence.”
“A variety of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven impractical to execute on a large scale in the real world,” a spokesperson said.
“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
An Apple spokesperson said: “We take any threat to the security of users very seriously. This is a concern with the Visa system, but Visa does not believe that there is a real risk to the security, given the multiple levels of security.” There is potential for such frauds to happen in the world.
“While unlikely to cause unauthorized payments, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
Dr Andreea Radu of the University of Birmingham, who led the study, said, “Our work shows a clear example of a feature that aims to make life easier, backfiring and negatively influencing security, with potentially dire financial consequences for users.
“Our discussions with Apple and Visa have shown that when each of the two industry parties has a partial defect, neither are willing to accept responsibility and implement a fix, leaving users unsafe indefinitely.”
The weakness doesn’t affect other combinations, such as Mastercard on the iPhone or Visa on Samsung Pay.
The full results of the study will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.
Co-author Dr Ioana Boureanu, from the University of Surrey, said: “We show how the utility feature in contactless mobile payments can reduce security.
“But, we also uncovered a contactless mobile-payment design like Samsung Pay, which is both usable and secure.
“Apple Pay users should not turn off security for the sake of usability, but at the moment some of them do.”
Credit: www.independent.co.uk