Security researchers from the Computer Science departments of Birmingham and Surrey Universities showed the BBC a video of a £1,000 contactless Visa payment from a locked iPhone. Apple has said that the flaw specifically targets Visa cards set up in Express Transit. The researchers who discovered the flaw agree with the assessment, saying it is an issue with how Visa systems work with the feature. Visa has since claimed that the systems are secure and that such an attack is impractical outside of a lab.
Flaw Discovered in Apple Pay, Visa Contactless Payments
The researchers demonstrated the attack to BBC journalists, where they made a Visa payment of £1,000 without unlocking the phone or authorizing the payment. The exploit follows a series of steps listed below, with some key details redacted for security reasons:

The researchers also said that the Android device and payment terminal do not need to be close to the victim’s iPhone. According to Dr. Ioana Boureanu of the University of Surrey, “It can be on another continent from the iPhone as long as there’s an internet connection.”

As of now, there is no evidence that the exploit has been used outside of a lab setting, but the researchers believe that the attack would be easiest to deploy against a stolen iPhone. On the positive side, the researchers found that other systems, such as Samsung Pay and Mastercard, were not vulnerable to the attack.
Visa Says Systems Secure, Attack Impractical Outside Lab
The researchers added that they approached both Apple and Visa a year ago. At the time, they had “useful” conversations, but the issue was not resolved. Apple stated that the concern pertains to a Visa system. Visa, for its part, added: “Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.”