New Attack Affects iPhone Owners Who Use Apple Pay and Visa Payment Cards

A group of academics has presented a new attack approach that targets iPhone users who utilize Apple Pay or Visa as a payment method. The exploited vulnerabilities are still unpatched, although the impacted vendors claim they are unconcerned.

Researchers from the University of Birmingham and the University of Surrey in the United Kingdom conducted the study.

They observed that if an iPhone is set up to utilize Apple Pay with a Visa card in “transit mode,” an attacker can steal money from a victim without requiring any authentication or authorization – the attack works even on locked iPhones.

“Express Transit” or “Express Travel” is an Apple Pay function that allows users to swiftly pay for trips on select public transportation networks without having to utilize Face ID or Touch ID to authorize the payment, as is generally necessary when Apple Pay is used. Although this functionality is quite beneficial, researchers discovered that it also poses significant security dangers.

An EMV reader, an NFC-enabled Android phone that acts as a card emulator, and a reader emulator (they utilized a Proxmark device in their testing) are all required for the assault. The attacker must keep the reader emulator close to the targeted iPhone, which can be done while it is still in the victim’s possession or when the device is lost or stolen.

It’s a “active man-in-the-middle replay and relay attack,” according to the researchers, and it utilizes “magic bytes,” a sequence of bytes used by Apple Pay to detect whether a transaction is being done with a transit EMV reader. The attack is possible, according to them, because of a combination of weaknesses in Apple Pay and Visa systems.

“The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set. Offline data authentication for online transactions is a feature used in special-purpose readers, such as transit system entry gates, where EMV readers may have intermittent connectivity and online processing of a transaction cannot always take place. These modifications are sufficient to allow relaying a transaction to a non-transport EMV reader, if the transaction is under the contactless limit.”

Normally, contactless card transactions have a limit, but the researchers have discovered a technique to steal money in excess of this restriction. They showed this by “stealing” £1,300 from a locked phone.

Both Visa and Apple have been warned about the attack, and the researchers have provided mitigation recommendations, but neither has deployed any updates. The companies feel that executing this type of attack at scale in the real world is impracticable, and that attacks are complicated by the various layers of security in place.

Samsung Pay and MasterCard cards were also tested, however they did not appear to be affected. The attack only works on Apple Pay and Visa-enabled devices; it won’t work if Apple Pay is used with MasterCard cards, for example.

If you use Apple Pay with a Visa card and fear you are at risk, you can prevent assaults by blocking the transit mode.