Revealed: How to steal money from victims' contactless Apple Pay wallets

2021-09-30 23:38

Apple's digital wallet Apple Pay will pay whatever amount is demanded of it, without authorization, if configured for transit mode with a Visa card, and exposed to a hostile contactless reader.

Boffins at the University of Birmingham and the University of Surrey in England have managed to find a way to remove the contactless payment limit on iPhones with Apple Pay and Visa cards if "Express Transit" mode has been enabled.

Express Transit mode enables Apple Pay transactions without unlocking an iPhone or requiring authentication.

"Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely," said Radu.

The Magic Bytes represent a code sequence broadcast by transit gates or turnstiles to unlock Apple Pay.

Radu et al suggest that while we wait for Apple and Visa to respond, no one should be using a Visa card as the transport card in Apple Pay.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/30/apple_pay_contactless_visa_fraud/

#apple #wallets

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Apple		68	212	1433	2208	257	4110