Thieves Could Steal Your Cash Using This Apple Pay Hack, No iPhone Unlock Required

If you're a regular HotHardware reader, you probably make contactless payments now and again. You might even do it using Apple Pay, and if you live in a big city with mass transit, there's a decent likelihood that you have Express Transit enabled. If you use a Visa card for it, you may want to reconsider that based on the latest iPhone exploit.

Express Transit is a feature of Apple Pay where users can set up a specific card to which transit payments can be charged without unlocking the phone. There are a number of requirements before this can happen, but the foremost one is that it can only be used for contactless payments at transit terminals, like the London Underground.

The BBC reports that researchers at Birmingham and Surrey Universities have discovered a way to spoof the existence of such a terminal using a "commercially-available piece of radio equipment" and then separately, use an Android app to relay signals (locally or over the internet) between the iPhone and a contactless payment terminal through the Android device.
Because the iPhone thinks it's paying a ticket barrier, it doesn't have to be unlocked, but the Android device fools the payment terminal into thinking that the iPhone is unlocked and the user is actively authorizing whatever payment is charged. That allows much larger charges than the Express Transit feature normally would enable: the researchers successfully made a Visa payment (using their own funds) of £1,000 (around $1,350) using the technique.

Apple lays the blame on Visa, and Visa says the attack is "impractical." It's easy to see why given the complicated setup involved. However, the researchers are more concerned about stolen iPhones. The Android device does not need to be geographically near the iPhone, so it would be possible for a thief with the requisite radio device to connect to another agent or group over the internet to process illicit transactions. For what it's worth, Visa also notes that its cardholders are protected by the company's zero-liability identity theft policy.

The security researchers also tested Samsung Pay, as well as Apple Pay with a Mastercard, but found that neither setup was exploitable in the same way. Only Apple Pay users with a Visa card tied to the Express Transit feature are endangered by the exploit, and even then, it requires access to your phone. Still, the BBC quotes Dr. Tom Chothia at the University of Birmingham as saying that iPhone owners with a Visa card set up for Express Transit should disable it, noting that until Apple or Visa fix the problem, they are "in danger" of being victimized by this flaw.