A recent study has reportedly uncovered a new, potentially severe lapse in Apple Pay security. According to researchers from Birmingham and Surrey Universities, large unauthorized contactless payments can be made through locked iPhones by exploiting how an Apple Pay feature that allows commuters to make quick payments at ticket barriers functions with Visa.
The researchers have reportedly demonstrated this in a video that showed a contactless Visa payment of £1,000 (USD 1343.64) being made without unlocking the iPhone.
Speaking on the matter, Apple Inc. stated that it is a concern with a Visa system.
Visa, on the other hand, has stated that the payments were secure and that hacks of this sort are impractical outside a lab.
However, the researchers mentioned that the problem applies to Visa cards that are set up in 'Express Transit' mode in the iPhone's wallet.
For the uninitiated, Express Transit is an Apple Pay feature that allows commuters to make faster contactless payments without having to unlock their phone.
As part of the demonstration, the scientists reportedly placed a tiny, commercially available piece of radio equipment near the iPhone, which dupes the phone into believing that it is dealing with a ticket barrier. At the same time, an Android phone running an app developed by the researchers relays the signals from the iPhone to a contactless payment terminal. The terminal can be in a shop or can be one controlled by the criminals.
The iPhone's communications with the payment terminal are manipulated to make it look like the iPhone has been unlocked and the payment has been authorized. This can enable high-value transactions without a PIN, Face ID, or fingerprint being entered.
Commenting on the new finding, Visa stated that it took all security issues seriously, but that Visa cards connected to Express Transit are safe and users can continue using the cards confidently.
Apple put out an official statement saying that the company takes any threat to its users' security very seriously, adding that the demonstrated payment exploit is a concern with the Visa system, which Visa has deemed unlikely to be reproduced in real-world settings considering the multiple levels of security that are currently in place.
Source credit: https://www.bbc.com/news/technology-58719891