Revealed: How to steal money from victims' contactless Apple Pay wallets
2021-09-30 23:38

Apple's digital wallet Apple Pay will pay whatever amount is demanded of it, without authorization, if configured for transit mode with a Visa card, and exposed to a hostile contactless reader.

Boffins at the University of Birmingham and the University of Surrey in England have managed to find a way to remove the contactless payment limit on iPhones with Apple Pay and Visa cards if "Express Transit" mode has been enabled.

Express Transit mode enables Apple Pay transactions without unlocking an iPhone or requiring authentication.

"Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely," said Radu.

The Magic Bytes represent a code sequence broadcast by transit gates or turnstiles to unlock Apple Pay.

Radu et al. suggest that while we wait for Apple and Visa to respond, no one should be using a Visa card as the transport card in Apple Pay.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/30/apple_pay_contactless_visa_fraud/

Related vendor

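| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|----------|------------|-----|--------|------|----------|-------------|
| Apple  |          | 72         | 238 | 1567   | 2279 | 265      | 4349        |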