The Express Travel mode, however, does not require such authentication, allowing people to pay for public transport by simply tapping the phone against a terminal. It is used in the UK on Transport for London’s Oyster network and on the First Bus system, which operates in dozens of towns and cities.
The researchers were able to exploit this by imitating the signal a public transport terminal sends, so that the iPhone was ready to make the payment. A payment receiver was then “tricked” into accepting a transaction.
Unlike contactless cards, which cap payments at £45, there is no limit on Apple Pay transactions, meaning hackers could in theory drain a person’s bank account or their credit card limit, merely by stealing an iPhone, or surreptitiously holding a terminal up to a device in a bag or pocket. The researchers were able to make a £1,000 payment using a locked phone.
The flaw only works with Visa cards on the Apple Pay service. It does not work with Mastercard or American Express cards, which prevent such payments using an extra authentication process. Nor does it work with a similar public transport payments service on Samsung phones, even with Visa cards.
The iPhone’s Express Travel mode has to be connected to a particular card, and must be deliberately activated, so only those who have turned on the feature and connected it to a Visa card could be affected.
“Apple Pay users should not have to trade-off security for usability, but at the moment some of them do,” said Ioana Boureanu from the University of Surrey’s Centre for Cyber Security.
Andreea Radu, of the University of Birmingham’s School of Computer Science, said it was a “clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users”. She said the vulnerability was difficult to replicate, but that the high rewards meant criminals might be motivated to try.
A Visa spokesperson said the discovery did not mean people were at risk. “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence,” the company said.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
Apple said: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”