Experts found that large unauthorized transactions can be made through locked iPhones.
Researchers have announced that it is possible to make large unauthorized contactless payments on Apple Pay on locked iPhones by exploiting the way the mobile wallet is designed to boost convenience at ticket barriers using a Visa card.
The researchers recorded a video that demonstrated how an unauthorized contactless £1,000 payment could be made.
The Computer Science departments of Birmingham and Surrey Universities researchers’ video showed that the Apple Pay transaction of £1,000 was made with zero-contact and from a locked iPhone.
Upon the initial release of the video, Apple stated that the matter was “a concern with a Visa system”.
On the other hand, Visa said that its payments were secure and that this type of hack may be possible inside a lab but would be impractical in reality.
According to the researchers, the issue has to do with the way Visa cards are set up in the iPhone wallet app’s “Express Transit” mode. That is a feature of the app that makes it possible for commuters to rapidly make contactless payments without having to first unlock their phones. For instance, they could use this feature at a London underground ticket barrier to touch in and touch out.
The researchers said that this was a weakness in the way the Visa system works with the Apple Pay feature.
In the researcher demonstration, the money was taken from their own accounts. While it would be impractical for a hacker to use the vulnerability in the way the researchers did in order to demonstrate the unauthorized access they could gain to payments from the mobile wallet on a locked device, it is not outside of the realm of possibility that it could somehow be applied in real life by an ambitious criminal.
The reason is that the Apple Pay hack was done without unlocking the device or authorizing the payment. Moreover, the payment terminal doesn’t need to be near the victim’s phone. “It can be on another continent from the iPhone as long as there’s an internet connection,” said Dr. Ioana Boureanu from the University of Surrey.