Experts say they were able to bypass the iPhone’s lock screen to make unlimited contactless payments from a Visa card set up for public transport (Kirsty O’Connor/PA)

Remove Visa from Apple Pay travel card feature due to dangerous flaw, experts say

Researchers say they were able to bypass the iPhone’s lock screen to make unlimited contactless payments from a Visa card set up for public transport.

Jamie Harris
Thursday 30 September 2021 09:15

Researchers have urged iPhone users to remove Visa as a transport card via Apple Pay after uncovering a flaw which they say fraudsters could use to bypass security and make unlimited contactless payments.

Experts from the University of Birmingham and the University of Surrey warned the issue could be exploited to make transactions from an iPhone inside someone’s bag, without their knowledge.

They claim the vulnerability arises only on Apple Pay when a Visa card is set up as an Express Travel Card, also known as Express Transit mode – a feature that lets owners tap in and out of public transport without unlocking their phone.

Using simple radio equipment, the team were able to trick the iPhone into thinking it was communicating with a transit gate when it was in fact talking to the kind of payment reader used in shops, a technique known among security experts as a “man-in-the-middle” attack.

This was done by identifying a unique code that transit gates and turnstiles broadcast to the phone, which the researchers then used to tamper with the exchange between the iPhone and a shop card reader.

“iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it,” said Dr Tom Chothia, co-author of the study, from the University of Birmingham.

“There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are.”

Back-end fraud detection checks were also unable to stop any payments going through in tests carried out by the group.

Researchers said they shared details of the problem with Apple and Visa, claiming both companies acknowledged the seriousness of the vulnerability but have not come to an agreement on who should implement a fix.

Visa responded by saying its cards are secure with the feature, and that cardholders should continue to use them “with confidence”.

“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” a spokeswoman said.

“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”

An Apple spokesperson said: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.

“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said University of Birmingham’s Dr Andreea Radu, who led the study.

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

The weakness does not affect other combinations, such as Mastercard on iPhones or Visa on Samsung Pay.

Full results of the study will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.

Co-author Dr Ioana Boureanu, from the University of Surrey, added: “We show how a usability feature in contactless mobile payments can lower security.

“But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure.

“Apple Pay users should not have to trade off security for usability, but at the moment some of them do.”
