Apple Pay: An Express Mode Flaw with Visa Cards | iGeneration


A flaw in Apple Pay allowing unauthorized contactless payments has been spotted by UK academics. It concerns Express mode, which is used in public transport. In this mode the payment card requires no authentication (Face ID, Touch ID or a passcode), so you can quickly validate your journey by holding the phone or watch to the reader, as with an ordinary card. The researchers managed to abuse this system "by making an iPhone believe that it was talking to a public transport portal", reports ZDNet.

The problem only affects Visa cards configured in this Express mode. It is linked to the use of a unique code ("magic bytes"), intended to unlock Apple Pay, which is broadcast by the gates of the various public transport companies. The fraud consists of using radio equipment to make the iPhone believe that it is communicating with one of these gates. Behind that, an Android phone running a specific app relays the signal to a payment terminal. Because the iPhone thinks it is dealing with a transit gate, it does not need to be unlocked, and the payment is approved without the user's knowledge.

A more detailed video is available here showing a £1,000 payment being wrongly made. The phone model makes no difference: the experiment was carried out with both an iPhone 7 and an iPhone 12, since the security flaw is tied to the Visa payment network, not the handset. Visa and Apple have been aware of the problem for several months and both companies have acknowledged the flaw, but have not corrected it to date.


Apple blames Visa, which defends itself by explaining that various contactless fraud schemes have been studied in the laboratory for "more than a decade" without necessarily being feasible in practice. The researchers deplore that neither company takes responsibility (even partial) for the problem, and neither has released a patch. Visa points out, however, that if such a payment does occur, customers remain protected by its liability policy.

ZDNet observes that while this attack may be alarming, it is not really applicable on a large scale. The security researchers tested several combinations, and only Visa cards configured for express payment in Apple Pay are affected; Mastercard and American Express cards are not. They also tested Samsung Pay, without success.
