Your Apple Pay payments can be stolen over the air — here's what to do

An Apple Pay screen displaying a Visa card.

(Image credit: Tom'south Guide)

Apple Pay payments can be stolen from your iPhone over the air, and the trouble still exists considering neither Apple tree nor Visa wants to be the i to fix information technology, UK-based researchers say.

The researchers, from the universities of Birmingham and Surrey, showed in a new website and inquiry paper that they could replicate Transport for London contactless-card readers using off-the-shelf equipment and steal £1,000 (nigh $ane,350 U.S.) from iPhones using Apple Pay as long as the payments were tied to a Visa card.

The best Samsung sentinel in 2021
The all-time Mac antivirus software
Plus: YouTube TV'south cord-cutter nightmare delayed equally NBCU channels stay for now

Because of this, a hacker or crook with the right equipment in a coat pocket could lurk in subway stations in major cities and capture Apple tree Pay transactions from passersby, then "replay" the transactions at retail stores anywhere in the world.

Telephone thieves could besides use this method to extract money from locked iPhones that are continuously powered on.

"Perhaps the greatest worry is for a lost or stolen phone," Pen Test Partners head Ken Munro, who was non involved in this inquiry, told the BBC. "The crook doesn't take to exist concerned about beingness spotted by others as they deport out the attack any more."

Yet because of a dispute over whose system is at fault, Apple and Visa are apparently pointing fingers at each other.

"There is no need for Apple Pay users to be in danger, only until Apple or Visa prepare this they are," researcher Tom Chothia, of the Academy of Birmingham, told the BBC.

Apple responds

"We take whatever threat to users' security very seriously," Apple tree told Tom'due south Guide. "This is a concern with a Visa system just Visa does not believe this kind of fraud is likely to accept identify in the real world given the multiple layers of security in identify.

"In the unlikely outcome that an unauthorized payment does occur, Visa has made information technology clear that their cardholders are protected by Visa'due south zero liability policy."

How to protect yourself from this attack

To protect yourself from this kind of attack, practise not tie a Visa card to Apple Pay'due south Limited Transit or Express Travel manner, which are explained beneath.

If your iPhone is stolen or lost, apply iCloud to remotely disable Apple Pay altogether. If you believe fraudulent transactions accept been made using your Visa card and Apple tree Pay, inform your card issuer immediately.

Why this attack tin can happen

The flaw has to do with two different things. The start is Apple'southward "Express Transit" or "Express Travel" manner, which was introduced with iOS 12.3 in May 2019. Information technology permits Apple Pay transactions without the iPhone possessor unlocking the phone's screen, such equally when moving rapidly through a subway turnstile. The second effect is in the style Visa handles such payments.

With a MasterCard instead of a Visa carte du jour tied to the Apple Pay payment, the theft didn't piece of work, the researchers said. Nor did it work on Samsung phones using Samsung Pay, which has a similar locked-screen transit mode.

According to an Apple tree back up document, Express Transit/Travel is supported on transit systems in London, New York, Beijing, Shanghai, Hong Kong, Los Angeles, Chicago, Washington, D.C., Portland, Oregon, the San Francisco Bay Surface area and throughout Republic of finland and Japan.

How the hack works

The researchers prepare shop in several London Surreptitious stations and captured the signals sent between the contactless-card readers at the turnstiles and their own iPhones. They then programmed handheld Proxmark RFID (radio frequency identification) tools to mimic the Transport for London card readers.

The researchers found that the turnstiles broadcast a xv-byte sequence to permit the iPhones know that they were interacting with a transit organisation. The iPhones then activated Apple tree Pay upon receipt of these "magic bytes," despite the iPhones all the same being locked.

After that, an Apple Pay transaction could be made and processed. The researchers used an Android phone communicating with the Proxmark to act equally a menu payment system and were able to procedure transactions. The attacker'south Android phone does not need to be shut to the targeted iPhone.

"It can be on another continent from the iPhone as long as at that place's an internet connection," researcher Ioana Boureanu of the Academy of Surrey told the BBC.

Overriding the payment limit

However, Limited Transit/Travel places a adequately depression limit on the amount that tin be charged. Merely the researchers found that they need to modify but two bits in the transmission between the Proxmark and the menu-payment system to override that limit.

Visa told the researchers that "if this attack was to heighten fraud alerts ... it would be somewhen stopped," according to the research paper. "We performed our attack multiple times, on large values, from the same card, and we were never blocked and flagged for fraud."

Visa has proposed a counter-measure to cease this attack, the researchers said, but they added that information technology could easily be bypassed. Instead, the researchers propose that Visa or Apple implement a variation on the method that MasterCard uses to successfully block these attacks.

Pointing fingers

The researchers say they told Apple of this vulnerability in October 2020 and Visa in May 2021. Each company, say the researchers, continues to blame the other, although the researchers point out on their website that "either Apple or Visa could mitigate this attack on their own."

"Apple tree suggested that the best solution was for Visa to implement additional fraud detection checks," states the inquiry paper. "Meanwhile, Visa observed that the consequence only applied to Apple (i.e., not Samsung Pay), and so suggested that a fix should be made to Apple Pay."

Furthermore, the inquiry paper adds, "Apple tree did not pay a bug compensation, even though they advertise $100,000 for bypassing a lock screen, and our attack bypasses the Apple Pay lock screen."

"Contactless fraud schemes take been studied in laboratory settings for more than than a decade and accept proven to exist impractical to execute at scale in the real world," Visa told the BBC and ZDNet.

Exasperated researchers

Needless to say, the researchers who discovered this flaw almost a yr ago are frustrated.

"Our piece of work shows a clear case of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users," researcher Andreea-Ina Radu of the University of Birmingham told ZDNet.

"Our discussions with Apple and Visa revealed that when 2 industry parties each have fractional blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely."

The researchers, who aside from Boureanu, Chothia and Radu include Liqun Chen and Christopher J.P. Newton of the Academy of Surrey, plan to formally present their results at the IEEE Symposium on Security and Privacy in May 2022 in Oakland, California.

Similar findings by Timur Yunusov and Leigh Galloway will exist presented at Black Hat Europe in November 2021.

Paul Wagenseil is a senior editor at Tom'south Guide focused on security and privacy. He has too been a dishwasher, fry cook, long-booty driver, code monkey and video editor. He's been rooting effectually in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom'due south Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Television receiver news spots and fifty-fifty moderated a console give-and-take at the CEDIA dwelling house-technology conference. You lot can follow his rants on Twitter at @snd_wagenseil.