Security researcher: Flaw in Apple Pay, Samsung Pay and Google Pay makes fraud easy for thieves

The balance between hands-free payments and the security standards required to protect those transactions has tipped too far in the wrong direction, according to a security expert.
At a session at Black Hat Europe 2021 this week, Timur Yunusov, a senior security expert at Positive Technologies, explained flaws in contactless payment apps that could lead to fraud using lost or stolen mobile phones.
"To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region," Yunusov said.
Apple Pay, Google Pay and Samsung Pay apps are all vulnerable to this threat.
In reality, Apple and Samsung have shifted the liability to Visa and MasterCard, he said, even though the problem is not with products from the payment companies.
"If the payment is for $0.00, the phone is locked, and the MCC code is transport, this is a legitimate transaction when someone pays in the subway. But if the payment is $100, the phone was unlocked, and the MCC is 'supermarkets,' which is suspicious, because it should not be possible for customers to pay in supermarkets without unlocking the phone."
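The check described in that quote, sketched as an issuer-side rule over constructed authorization records. This is an added example, not code from the talk or from any payment network: the record fields, the `device_unlocked` signal and the "review" outcome are assumptions, and the MCC values are the standard ISO 18245 transit and grocery codes.

```python
from __future__ import annotations
from dataclasses import dataclass

# ISO 18245 merchant category codes for transit:
# commuter transport, passenger railways, bus lines.
TRANSIT_MCCS = {"4111", "4112", "4131"}

@dataclass(frozen=True)
class Authorization:
    """Constructed record; field names are hypothetical, not a real network message."""
    amount_cents: int
    mcc: str
    device_unlocked: bool  # assumption: the issuer can see whether the holder unlocked the phone

def assess(auth: Authorization) -> tuple[str, str]:
    """Return (decision, reason) for a mobile-wallet contactless authorization."""
    if auth.device_unlocked:
        return ("approve", "cardholder verified on device")
    # From here on the phone was locked, so only transit-style payments are plausible.
    if auth.mcc not in TRANSIT_MCCS:
        return ("decline", "locked device outside transit MCC")
    if auth.amount_cents != 0:
        # The article only covers the $0.00 case; routing this to review is an assumption.
        return ("review", "locked device, transit MCC, non-zero amount")
    return ("approve", "locked device, transit MCC, zero amount")

# Constructed sample traffic: (label, authorization).
SAMPLES = [
    ("subway gate tap", Authorization(0, "4111", False)),
    ("supermarket, phone locked", Authorization(10000, "5411", False)),
    ("supermarket, phone unlocked", Authorization(10000, "5411", True)),
    ("bus fare, phone locked", Authorization(250, "4131", False)),
]

def run_samples() -> dict[str, str]:
    """Map each sample label to its decision."""
    return {label: assess(auth)[0] for label, auth in SAMPLES}

if __name__ == "__main__":
    for label, auth in SAMPLES:
        print(f"{label:30s} -> {assess(auth)}")
```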