Apple Pay: Security gap allows debits without user confirmation
A vulnerability in an iPhone payment function allows attackers to withdraw funds from locked devices. The trick uses a gap in contactless payments in public transport. German users in particular hardly have to worry about their money.
Theoretical vulnerability in express mode
YouTubers have shown how large amounts of money can be debited from a locked iPhone. The attack targets the Apple Pay function Express Transit for public transport. A modified NFC reader intercepts the communication between the smartphone and a payment terminal. The attackers forward the data to a second device that carries out the actual transaction on a real POS system.
This allows parts of the usual security mechanisms for contactless payments to be bypassed. The reader also tells the iPhone that it is at a local transport turnstile. This means no unlocking via FaceID or PIN code is required. Using Express Transit, iPhone users can pay for their tickets quickly and easily at public transport hubs. In order to speed up the flow of passengers, authentication is not required.
Although the system is currently not available in Germany, anyone who travels as a tourist in large cities such as London or Paris can potentially come into contact with it.
Conditions for theft
Like the Veritasium channel in his YouTube video demonstrates, however, extremely unlikely circumstances must come together for a successful attack. In a test setup, however, the actors managed to transfer 10,000 US dollars (around 8,463 euros) from the locked device of technology reviewer Marques Brownlee. However, the risk for end users in everyday life can be classified as very low. The theft only works if a Visa card for fast mode on public transport is stored in the Apple Wallet. This trick doesn’t work with other providers such as Mastercard or American Express because they use different encryption protocols.
Watch on YouTube
The procedure also requires prolonged physical contact with the smartphone. A quick swipe of your pocket is not enough to exchange data. An accomplice also has to operate a real cash register terminal at the same time
Security vulnerability has been known for a long time
The underlying vulnerability has been documented in IT security research since 2021. Apple and Visa examined the problem at the time, but did not close it due to its lack of relevance in practice. Visa itself rates the likelihood of such fraud as extremely low. According to official information, if unlawful debits still occur, the company’s zero liability protection applies. Customers usually get their money back easily as long as they report the incident promptly.
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.
