Researchers can make Visa payments via Apple Pay without unlocking
British researchers have found a way to make payments via Apple Pay while the phone is locked. This is possible with Visa cards if the user has Express mode enabled. The researchers can bypass the signal.
The researchers, from the universities of Birmingham and Surrey, describe in a paper how they can make a payment with an iPhone without authenticating via Face ID or Touch ID. This is only possible if the Apple Wallet is set to Express mode, a mode that in some cases lets users make a payment or scan a card without unlocking their phone. Express mode works for a number of cards, such as public transport cards on the London Underground. Travelers there do not have to unlock their phone before walking through an entrance gate, because the gate automatically recognizes the type of card on the phone.
In the study, the scientists were able to simulate communication between the iPhone and a card reader with a man-in-the-middle attack. They do this by intercepting the so-called Magic Bytes string and sending it to a victim's iPhone via their own device. Magic Bytes is what Apple calls the flow of communication between an EMV card reader and an iPhone. This makes the iPhone think it is in contact with an authorized card reader of the kind used in public transport, when it could just as well be a card reader belonging to the attackers.
The researchers were then able to adjust the Card Transaction Qualifiers, which are intended to limit the number of transactions that can be performed and their amount. In practice, the researchers managed to extract a transaction worth a thousand pounds from a phone. That worked on an iPhone 7, and also on a more recent iPhone 12.
The attack only works with Visa cards in the Apple Wallet. Mastercard cards have one more control mechanism, which prevents an iPhone from accepting such transactions from just any card reader. In addition to a Magic Bytes string, a terminal also has to send a specific code that verifies that it is an authorized device, but that did not happen.
According to the researchers, the problem lies in the lack of verification at Apple combined with a lack of checks at Visa. For example, with Samsung Pay, a Visa card is verified. The researchers say they have passed on their findings to both Apple and Visa. However, the two companies point to each other and have not offered a solution to the problem in recent months.