
Apparent flaw allows hackers to steal money from a locked iPhone, when a Visa card is set up with Apple Pay Express Transit

Security researchers today announced findings surrounding a vulnerability with Visa cards, specifically when a Visa card is set as the default card for Express Transit in Apple Pay on the iPhone (this feature is named Express Travel in the UK).

The demo shared by The Telegraph showed that a hacker could trick the contactless system into performing arbitrary transactions and therefore steal money from a locked iPhone, assuming they have physical possession of the device.

Apple Pay Express Transit allows contactless transactions with transit systems like the London Underground to happen without any Face ID or Touch ID authentication, to save time when tapping in and out at the train gates. The lack of authentication is deemed acceptable because the maximum transaction amount for transit is low, and there is a daily cap.

However, these security researchers have shown that a nefarious hacker can make a dummy payment terminal that mimics the behavior of a public transport terminal, allowing the Apple Pay Express Transit card to activate but with seemingly no cap on the amount. As such, the researchers were able to perform a £1000 transaction on the locked iPhone, without any authentication required.

Apple said the fault lies in Visa’s system, and that any unauthorized payments are covered by Visa’s zero liability policy. Visa said “variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world”.

The exploit is specific to Visa cards. Apple Pay Express Transit paired with Mastercard or American Express cards is not vulnerable.




Author: Benjamin Mayo
Source: 9TO5Google
