Security News > 2021 > October > Apple Pay Can be Abused to Make Contactless Payments From Locked iPhones
Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet.
Express Travel is a feature that allows users of iPhone and Apple Watch to make quick contactless payments for public transit without having to wake or unlock the device, open an app, or even validate with Face ID, Touch ID or a passcode.
The man-in-the-middle replay and relay attack, which involves bypassing the lock screen to make a payment to any EMV reader illicitly, is made possible due to a combination of flaws in both Apple Pay and Visa's system, and doesn't impact, say, Mastercard on Apple Pay or Visa cards on Samsung Pay.
Specifically, it takes advantage of a unique code - aka Magic Bytes - broadcast by the transit gates to unlock Apple Pay, resulting in a scenario whereby replaying the sequence of bytes, the Apple device is deceived into authorizing a rogue transaction as if it's originated from the ticket barrier, when, in reality, it's been triggered via a contactless payment terminal under the attacker's control.
At the same time, the EMV reader is also tricked into believing that on-device user authentication has been performed, thus enabling payments of any amount to be made without the iPhone user's knowledge.
In a statement shared with the BBC, Visa said this type of attack was "Impractical," adding, "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/Nk8KgeyQBv0/apple-pay-can-be-abused-to-make.html