The latest risk is from unauthorised payments that can be made on locked iPhones. Attackers can bypass the iPhone lock screen to initiate a Visa transaction within Apple’s payments feature.
The issue was discovered by interfering with the Apple Pay feature, which was designed to help commuters pay quickly at ticket barriers with Visa.
What does this mean?
Researchers from the University of Birmingham and the University of Surrey discovered the security threat to Apple users. The vulnerability occurs if you add your Visa card to the ‘Express Transit Mode’ in an iPhone Wallet.
Express Transit Mode is designed to facilitate Apple Pay users (usually commuters) who want to make contactless payments without unlocking their phone, such as when they are passing through a railway or underground’s access turnstile.
The research explains that hackers could manipulate this system to perform contactless payments without having to unlock the screen first.
How did the researchers find this out?
The university’s researchers used off-the-shelf radio equipment to capture a unique code broadcast by the transit gates. This code, named by the researchers as ‘magic bytes,’ is what unlocks Apple Pay and authenticates close-proximity payments.
Researchers were able to use this code to fool the iPhone into thinking it was talking to a transit gate. By broadcasting the magic bytes and changing other fields in the protocol, a regular shop’s smart payment reader was tricked into believing that the iPhone had successfully been unlocked by user authorisation. By using this method, payments of any amount are able to be taken without the iPhone user’s knowledge.
Apple and Visa's responses raise concerns
Apple commented that “We take any threat to users’ security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.”
The researchers spoke extensively with Visa and Apple but felt that neither accepted responsibility for fixing the vulnerability with the two parties partially to blame. With cyber security weaknesses such as these left unfixed, the only way your e-commerce or online payment accepting business can reduce its risks is to have your online cybersecurity independently reviewed, tested, and protected.
If you don’t want to take any chances with your online security, contact us today, and we can get your business protected.