Security News > 2021 > September > Apple Pay with Visa Hacked to Make Payments via Locked iPhones
An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning.
The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.'s National Cyber Security Centre.
It requires an iPhone to have a Visa card set up as a transit card in Apple Pay.
Apple meanwhile shifted the responsibility to Visa and told the outlet, "We take any threat to users' security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero-liability policy."
"In the meantime, consumers have little choice but to switch off Express Travel Card mode. So, my advice is disable the payment mode until Visa and Apple sort their act out. It's in Settings > Wallet & Apple Pay > Express Travel Card.".
The bug does not affect other types of payment cards or payment systems - Mastercard on Apple Pay or Visa on Samsung Pay are safe from such attacks, the researchers noted.
News URL
https://threatpost.com/apple-pay-visa-hacked-locked-iphones/175229/
Related news
- Apple fixes two new iOS zero-days exploited in attacks on iPhones (source)
- Apple's trademark tight lips extend to new iPhone, iPad zero-days (source)
- Apple: Mercenary spyware attacks target iPhone users in 92 countries (source)
- Apple Alerts iPhone Users in 92 Countries to Mercenary Spyware Attacks (source)