2021-10-02

Bad news for some Apple Pay users. Researchers at the UK universities of Birmingham and Surrey have shown that it is possible to steal any amount from a Visa card on a locked iPhone, due to flaws in the Apple Pay protocol and in Visa's payment infrastructure.

This attack can be performed on a stolen iPhone as long as the device has not been switched off. It could also be carried out in any public space where the attacker can get close to the targeted device (metro, train, restaurant, etc.).

However, it requires that the Visa card be configured in "Express transport card" mode, which lets users make small payments without authentication at the terminals of a public transport operator.

This type of use is not available in France, but it exists in more than a dozen cities around the world, such as London, Sydney, Singapore, Vancouver or New York.

Magic bytes to bypass the lock screen

To siphon off such cards, attackers do not need very sophisticated equipment. As the demonstration video shows, all that is required is a card reader emulator (a Proxmark), an Android smartphone to emulate a contactless payment card, and a laptop to initiate the attack and relay messages between the two emulators.

By combining these elements, it is possible to make a payment remotely at any point-of-sale terminal, without any authentication and without a payment limit.

The technical explanation runs as follows. To activate the "express transport" payment method, the terminals of transport operators broadcast a particular sequence of bytes that the researchers called "magic bytes".

It is therefore enough for the Proxmark emulator to impersonate a transport terminal reader and broadcast these bytes to the iPhone in order to bypass the lock screen and initiate a payment transaction without authentication.

The transaction messages are then intercepted and modified by the laptop, which plays the role of "man-in-the-middle", the aim being to present to the point of sale an ordinary transaction with no payment limit.

To achieve this, it is enough to modify a number of data fields in the transaction messages on the fly. In their tests, the researchers were able to carry out a transaction of 1000 British pounds this way.

Mastercard and Samsung Pay are not affected

This attack does not work on the Mastercard network, which, unlike Visa, has a dedicated authentication mechanism for card readers. That mechanism renders the field modifications described above ineffective and causes the transaction to be rejected. Nor does the attack work on Samsung smartphones, which also offer an "express transport" mode but implement it more securely than Apple does. Google Pay, for its part, has no such mode.

Apple and Visa have been contacted by the researchers, but neither has issued a fix so far, as each is passing the buck in this matter. Users are therefore advised not to activate "express transport" mode for a Visa card on an iPhone.

Source: Research report