iPhone users urged to remove Visa from Apple Pay due to dangerous contactless payments flaw
Visa as a transport card via Apple Pay should be removed urgently by iPhone users after researchers said they uncovered a flaw that lets fraudsters bypass security and make unlimited contactless payments.
Thank you for reading this post, don't forget to subscribe!
The issue could be exploited to make transactions from an iPhone inside someone’s bag, without their knowledge, experts from the University of Birmingham and the University of Surrey warned today.
They claim the vulnerability only happens on Apple Pay when a Visa card is set up as an Express Travel Card, also known as Express Transit mode., a feature intended for owners to tap in and out of public transport without needing to unlock their phone.
Using simple radio equipment, the team were able to trick the iPhone into thinking it was communicating with a transit gate when it was actually a payment reader used by shops, known among cyber experts as a “man-in-the-middle” attack.
This was done by identifying a unique code broadcast by transit gates or turnstiles, which was then used to interfere with the signals between the iPhone and a shop card reader.
“iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it,” said Dr Tom Chothia, co-author of the study, from the University of Birmingham.
“There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this, they are.”
Back-end fraud detection checks were also unable to stop any payments going through in tests carried out by the group.
Researchers said they shared details of the problem with Apple and Visa, claiming both companies acknowledged the seriousness of the vulnerability but have not come to an agreement on who should implement a fix.
Response from Visa
Visa responded by saying its cards are secure with the feature, and that cardholders should continue to use them “with confidence”.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” a spokeswoman said.
“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
To read the rest of the article, click here.