Thieves Could Steal Your Cash Using This Apple Pay Hack, No iPhone Unlock Required
Express Transit is an Apple Pay feature that lets users designate a specific card to which transit payments can be charged without unlocking the phone. A number of requirements apply, but the foremost is that it can only be used for contactless payments at transit terminals, like those of the London Underground.
The BBC reports that researchers at Birmingham and Surrey Universities have discovered a way to spoof the existence of such a terminal using a "commercially-available piece of radio equipment" and then, separately, use an app on an Android device to relay signals (locally or over the internet) between the iPhone and a contactless payment terminal.
Apple lays the blame on Visa, and Visa says the attack is "impractical." It's easy to see why, given the complicated setup involved. However, the researchers are more concerned about stolen iPhones. The Android device does not need to be geographically near the iPhone, so it would be possible for a thief with the requisite radio device to connect to another agent or group over the internet to process illicit transactions. For what it's worth, Visa also notes that its cardholders are protected by the company's zero-liability identity theft policy.
The security researchers also tested Samsung Pay, as well as Apple Pay with a Mastercard, but found that neither setup was exploitable in the same way. Only Apple Pay users with a Visa card tied to the Express Transit feature are endangered by the exploit, and even then, it requires access to your phone. Still, the BBC quotes Dr. Tom Chothia at the University of Birmingham as saying that iPhone owners with a Visa card set up for Express Transit should disable it, noting that until Apple or Visa fixes the problem, they are "in danger" of being victimized by this flaw.