
Apparent flaw allows hackers to steal money from a locked iPhone, when a Visa card is set up with Apple Pay Express Transit

Security researchers today announced findings surrounding a vulnerability with Visa cards, specifically when a Visa card is set as the default card for Express Transit in Apple Pay on the iPhone (this feature is named Express Travel in the UK).

The demo shared by The Telegraph showed that a hacker could trick the contactless system to perform arbitrary transactions and therefore steal money from a locked iPhone, assuming they have physical possession of the device.

Apple Pay Express Transit allows contactless transactions with transit like the London Underground to happen without any Face ID or Touch ID authentication, to save time when tapping in and out at the train gates. The lack of authentication is deemed okay as the maximum transaction amount for transit is low, and there is a daily cap.

However, these security researchers have shown that a nefarious hacker can make a dummy payment terminal that mimics the behavior of a public transport terminal, allowing the Apple Pay Express Transit card to activate but with seemingly no cap on the amount. As such, the researchers were able to perform a £1000 transaction on the locked iPhone, without any authentication required.
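The weakness described above is that the phone's decision to skip Face ID or Touch ID is made on the basis of what the terminal presents, while the spending limits that justify skipping authentication are not enforced on the transaction itself. The following Python sketch is an added, illustrative example of the defensive principle (it is not Visa's, Apple's or the researchers' code, and the cap values, field names and function names are assumptions): an issuer-side authorization step that treats every transaction arriving without cardholder verification as a transit transaction and applies a per-transaction cap and a rolling daily cap, regardless of how the terminal identified itself.

```python
# Illustrative issuer-side authorization policy for taps made without
# cardholder verification. Added example; caps, names and rules are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PER_TX_CAP_PENCE = 15_00   # assumed cap per unauthenticated tap (£15.00)
DAILY_CAP_PENCE = 80_00    # assumed rolling 24h cap for unauthenticated taps


@dataclass
class Transaction:
    amount_pence: int
    when: datetime
    cardholder_verified: bool      # Face ID / Touch ID / PIN presented
    terminal_claims_transit: bool  # what the terminal says about itself (untrusted)


@dataclass
class CardState:
    history: list = field(default_factory=list)  # approved transactions


def unverified_spend_last_24h(card: CardState, now: datetime) -> int:
    """Sum of approved, unauthenticated taps in the 24h before `now`."""
    window_start = now - timedelta(hours=24)
    return sum(t.amount_pence for t in card.history
               if not t.cardholder_verified and t.when >= window_start)


def authorize(card: CardState, tx: Transaction):
    """Return (approved, reason). The terminal's self-description is never
    consulted: only the presence of cardholder verification decides which
    limits apply, so a spoofed 'transit' terminal gains nothing."""
    if tx.cardholder_verified:
        card.history.append(tx)
        return True, "verified"
    if tx.amount_pence > PER_TX_CAP_PENCE:
        return False, "unverified tap over per-transaction cap"
    if unverified_spend_last_24h(card, tx.when) + tx.amount_pence > DAILY_CAP_PENCE:
        return False, "unverified tap over daily cap"
    card.history.append(tx)
    return True, "transit"


if __name__ == "__main__":
    # Constructed sample: a normal fare, then a £1000 attempt by a terminal
    # claiming to be a transit gate, then the same amount with verification.
    card = CardState()
    t0 = datetime(2021, 9, 30, 8, 0)
    print(authorize(card, Transaction(2_50, t0, False, True)))
    print(authorize(card, Transaction(1000_00, t0 + timedelta(minutes=5), False, True)))
    print(authorize(card, Transaction(1000_00, t0 + timedelta(minutes=6), True, False)))
```

The point of the structure is that `terminal_claims_transit` is carried for logging only and never feeds the decision; the cap that makes skipping authentication acceptable is tied to the absence of verification, not to the terminal's claim.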

Apple said the fault lies in Visa’s system, and that any unauthorized payments are covered by Visa’s zero liability policy. Visa said “variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world”.

The exploit is specific to Visa cards. Apple Pay Express Transit paired with Mastercard or American Express cards is not vulnerable.


Author: Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.
