Security researchers today announced findings surrounding a vulnerability with Visa cards, specifically when a Visa card is set as the default card for Express Transit in Apple Pay on the iPhone (this feature is named Express Travel in the UK).
The demo shared by The Telegraph showed that a hacker could trick the contactless system to perform arbitrary transactions and therefore steal money from a locked iPhone, assuming they have physical possession of the device.
Apple Pay Express Transit allows contactless transactions with transit like the London Underground to happen without any Face ID or Touch ID authentication, to save time when tapping in and out at the train gates. The lack of authentication is deemed okay as the maximum transaction amount for transit is low, and there is a daily cap.
However, these security researchers have shown that a nefarious hacker can make a dummy payment terminal that mimics the behavior of a public transport terminal, allowing Apple Pay Express Transit card to activate but with seemingly no cap on the amount. As such, the researchers were able to perform a £1000 transaction on the locked iPhone, without any authentication required.
Apple said the fault lies in Visa’s system, and that any unauthorized payments are covered by Visa’s zero liability policy. Visa said “variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world”.
The exploit is specific to to Visa cards. Apple Pay Express Transit paired with Mastercard or American Express Cards are not vulnerable.
FTC: We use income earning auto affiliate links. More.