Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones

Researchers in the U.K. have demonstrated how large unauthorized contactless payments can be made on locked iPhones by exploiting Apple Pay's Express Transit feature when set up with Visa.

apple pay express transit london
Express Transit is an ‌Apple Pay‌ feature that allows for tap-and-go payment at ticket barriers, eliminating the need to authenticate with Face ID, Touch ID, or a passcode. The device does not need to be wakened or unlocked to use Express Transit.

Computer Science researchers from Birmingham and Surrey Universities demonstrated to the BBC how the attack works by exploiting a weakness in the Visa contactless system through the use of a small piece of commercially available radio equipment, which is placed near the phone and masquerades as a ticket barrier.

An Android phone running an app developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal and modifies the communications to fool the terminal into acting as if the ‌iPhone‌ has been unlocked and a payment authorized.

In demonstrating the attack, researchers made a contactless Visa payment of £1,000 from a locked ‌iPhone‌. The scientists only took money from their own accounts. The researchers said the Android phone and payment terminal used don't need to be near the victim's ‌iPhone‌ as long as there's an internet connection.

Apple told the BBC the matter was an issue with the Visa system.

"We take any threat to users' security very seriously," said Apple. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

The researchers said the attack might be easiest to deploy against a stolen ‌iPhone‌, although there's no evidence that the hack has been used in the wild. Visa said payments were secure and attacks of this type were impractical outside of a lab.

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," said a Visa spokesperson. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed. The researchers also tested Express Transit with Mastercard but found that the way its security works prevented the attack.

"It has some technical complexity," said Dr Andreea Radu, of the University of Birmingham, who led the research. "But I feel the rewards from doing the attack are quite high. In a few years these might become a real issue."

Dr Tom Chothia, also at the University of Birmingham, advised ‌iPhone‌ users to check if they have a Visa card set up to use Express Transit and if so, disable it. "There is no need for ‌Apple Pay‌ users to be in danger, but until Apple or Visa fix this they are," he said.

Related Roundup: Apple Pay

Top Rated Comments

canadianreader Avatar
10 months ago
"The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed."

Rough week for Apple ?
Score: 27 Votes (Like | Disagree)
match14 Avatar
10 months ago
In the article on the BBC website, it said the researchers also tested this with a MasterCard but found its security prevented the attack.
Score: 18 Votes (Like | Disagree)
matrix07 Avatar
10 months ago

Apple Security has got infected with Jelly Roll
What's it got to do with Apple when this hack can do nothing on the same system with Master Card ?
Score: 12 Votes (Like | Disagree)
Richu Avatar
10 months ago
Tbh the consumers aren’t at risk since VISA covers eventual losses. There’s nothing to be upset about.

There’s a countless number of scams that can be run against VISA. that they do risk/reward calculations on different prevention systems.
- A lot of the time the scams aren’t profitable (or even doable) for the scammer to run at scale
- Other times it’s not profitable to prevent at scale, thus better to just absorb the cost and compensate the consumer
- Lastly, sometimes it makes sense to prevent the scam... A lot of we’ve never heard of because they’re already prevented
Score: 12 Votes (Like | Disagree)
matrix07 Avatar
10 months ago

Where’s the people who was telling everyone they only trust their credit card to Apple and non third parties?

The irony.
Re-read the article perhaps.
Score: 11 Votes (Like | Disagree)
Pezimak Avatar
10 months ago
I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, bedsides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in anyway.
I suggest they forget the convenience and activate some security. People will just have to unlock there phones, better safe then sorry as they say.
Score: 9 Votes (Like | Disagree)

Related Stories

face id mask

iOS 15.4 Will Let You Pay With Apple Pay Using Face ID While Wearing a Mask

Friday January 28, 2022 3:00 am PST by
Apple yesterday released the first developers beta of iOS 15.4 with several notable new features. Perhaps the biggest is the ability to use Face ID to unlock your iPhone while wearing a mask, without requiring an Apple Watch to do so. In another noteworthy addition, you can now also authenticate Apple Pay transactions while wearing a mask for the first time. With the release of iOS 14.5 and...
Apple Pay Feature

Survey: Only 6% of U.S. iPhone Users Who Set Up Apple Pay Actually Use It

Tuesday September 7, 2021 8:36 am PDT by
Only six percent of iPhone users in the United States who have Apple Pay set up actually use the feature, according to a detailed study by PYMNTS. Seven years after Apple Pay launched in September 2014, 93.9 percent of consumers with Apple Pay activated on their iPhone do not use it to pay for in-store purchases, meaning that only 6.1 percent do. In 2015, the year following Apple Pay's...
tim cook privacy

Apple Not Trying Hard Enough to Protect Users Against Surveillance, Researchers Say

Friday July 23, 2021 6:46 am PDT by
Following the news of widespread commercial hacking spyware on targeted iPhones, a large number of security researchers are now saying that Apple could do more to protect its users (via Wired). Earlier this week, it was reported that journalists, lawyers, and human rights activists around the world had been targeted by governments using phone malware made by the surveillance firm NSO Group...
iOS App Store General Feature JoeBlue

Apple Fined Another 5 Million Euros by Dutch Competition Regulator Over Dating App Payment Requirements

Monday February 7, 2022 8:49 am PST by
The Netherlands' Authority for Consumers and Markets (ACM) has fined Apple five million euros for a third consecutive week for allegedly failing to satisfy the requirements it set regarding alternative payment systems for dating apps, according to Reuters. The ACM today said it has still not received enough information from Apple to assess whether Apple has properly complied with the order,...
tmobilelogo

T-Mobile's Latest Data Breach Linked to SIM Swap Attacks

Wednesday December 29, 2021 10:15 am PST by
Back in August, T-Mobile suffered a massive data breach impacting more than 50 million current, former, and prospective T-Mobile users, and now the cellular company is dealing with another smaller data breach incident. Reports yesterday suggested that T-Mobile was aware of unauthorized activity affecting some customer accounts, and now, T-Mobile has confirmed that those reports were due to...
powerdir exploit microsoft

Microsoft Discovered New 'Powerdir' macOS Vulnerability, Fixed in 12.1 Update

Monday January 10, 2022 9:17 am PST by
Microsoft's 365 Defender Research Team this morning published details on a new "Powerdir" macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data. Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update that was released in December, so users who have updated to the...
iOS App Store General Feature JoeBlue

Apple to Allow In-App Third-Party Payment Options for First Time in the Netherlands

Saturday January 15, 2022 12:39 am PST by
Apple has announced that it will allow third-party payment options for in-app purchases for dating apps in the Netherlands, in the first ever concession of its kind. In a message posted on its developer site late on Friday, Apple announced that it will comply with a Netherlands Authority for Consumers and Markets (ACM) ruling that compels the company to allow third-party payment services to...
iOS App Store General Feature JoeBlue

Apple to Collect 27% Commission on Third-Party App Payment Systems in the Netherlands

Friday February 4, 2022 3:16 am PST by
Apple says it will take 27% commission on purchases made in dating apps through third-party payment options in the Netherlands, in compliance with a Dutch regulatory ruling. In an update on its developer support site, Apple said it would collect 27% commission instead of its usual 30% on transactions made in dating apps that use alternative payment methods. Apple says the decreased...

Popular Stories

macbook air m2

Exclusive: Apple Plans to Launch MacBook Air With M2 Chip on July 15

Wednesday June 29, 2022 5:23 pm PDT by
The redesigned MacBook Air with the all-new M2 Apple silicon chip will be available for customers starting Friday, July 15, MacRumors has learned from a retail source. The new MacBook Air was announced and previewed during WWDC earlier this month, with Apple stating availability will begin in July. The MacBook Air features a redesigned body that is thinner and lighter than the previous...
Mac Studio IO

Apple Begins Selling Refurbished Mac Studio Models

Thursday June 30, 2022 7:42 pm PDT by
Apple today began selling refurbished Mac Studio models for the first time in the United States, Canada, and select European countries, such as Belgium, Germany, Ireland, Spain, Switzerland, the Netherlands, and the United Kingdom. In the United States, two refurbished Mac Studio configurations are currently available, including one with the M1 Max chip (10-core CPU and 24-core GPU) for...
top stories 2jul2022

Top Stories: M2 MacBook Air Release Date, New HomePod Rumor, and More

Saturday July 2, 2022 6:00 am PDT by
The M2 MacBook Pro has started making its way into customers' hands and we're learning more about how it performs in a variety of situations, but all eyes are really on the upcoming M2 MacBook Air which has seen a complete redesign and should be arriving in a couple of weeks. Other top stories this week included a host of product rumors including additional M2 and even M3 Macs, an updated...
original iphone 2007

15 Years Ago Today, the iPhone Went On Sale

Wednesday June 29, 2022 4:43 am PDT by
Fifteen years ago to this day, the iPhone, the revolutionary device presented to the world by the late Steve Jobs, officially went on sale. The first iPhone was announced by Steve Jobs on January 9, 2007, and went on sale on June 29, 2007. "An iPod, a phone, an internet mobile communicator... these are not three separate devices," Jobs famously said. "Today, Apple is going to reinvent the...
rootbug

Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]

Tuesday November 28, 2017 12:33 pm PST by
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check. The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login...