Academic researchers have discovered a technique for making unauthorized Apple Pay payments from a locked iPhone when a Visa card in the digital wallet is set to Express Transit mode. The attack amounts to digital pickpocketing: there is no transaction limit, and it works over the air even while the iPhone is in a bag or someone’s pocket.
Researchers from Birmingham University and the University of Surrey in the United Kingdom investigated relay attacks on contactless payments. They found that, under certain circumstances, an iPhone will authorize a transaction without being unlocked.
Normally, an iPhone user must approve a payment by unlocking the phone with Face ID, Touch ID, or a passcode. In some situations, such as paying for public transit, having to unlock the phone makes the payment slower and more awkward. Apple addressed this with Express Transit, a feature that lets a transaction complete without the device being unlocked. Express Transit relies on card readers at specialized services such as ticket gates, which send a non-standard sequence of bytes to bypass the Apple Pay lock screen.
When the wallet card is a Visa card, this feature can be abused to bypass Apple Pay’s lock screen and pay from a locked iPhone to any EMV reader, for any amount, without the user’s consent.
The researchers explain that certain bits in the transaction data are set to permit offline data authentication for online transactions at readers with intermittent connectivity, such as transit gates. Digging deeper, they found that the Card Transaction Qualifiers (CTQ), which control contactless transaction limits, could also be modified in the same way.
In testing, the attack succeeded only with an iPhone and a Visa card. With Mastercard, a check ensures that a locked iPhone accepts transactions only from card readers that present a transit merchant code.
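The difference between the two behaviours described above (a locked Visa wallet releasing payment data as soon as the reader sends the express-mode bytes, versus the Mastercard-style check that also requires a transit merchant code) can be modelled as a wallet-side policy decision. The following is an added example, not code from the paper or from Apple, Visa or Mastercard: the express-mode marker bytes, the merchant category codes and the reader messages are all constructed for the illustration, and the model is a policy sketch rather than the real EMV data flow.

```python
"""
Simplified model of the wallet-side decision: when should a locked phone
release payment data to a contactless reader?

Added illustration, not code from the paper or from Apple, Visa or Mastercard.
The reader message fields, the express-mode marker and the transit merchant
category codes are constructed for this example; real EMV exchanges carry
these values in scheme-specific data elements that are not modelled here.
"""
from dataclasses import dataclass

# Constructed: merchant category codes this wallet treats as transit.
TRANSIT_MERCHANT_CODES = frozenset({"4111", "4131"})

# Constructed stand-in for the non-standard byte sequence a transit reader
# sends to request express mode (the real sequence is not reproduced here).
EXPRESS_MODE_MARKER = b"\xEE\x01"


@dataclass(frozen=True)
class ReaderMessage:
    preamble: bytes              # bytes the reader sends before the transaction
    merchant_category_code: str  # MCC the reader identifies itself with


@dataclass(frozen=True)
class Decision:
    release: bool
    reason: str


def express_marker_only(msg: ReaderMessage, locked: bool) -> Decision:
    """
    Policy A (the behaviour the article describes for Visa cards): a locked
    wallet releases payment data as soon as the reader sends the express-mode
    marker, regardless of which merchant the reader claims to be.
    """
    if not locked:
        return Decision(True, "device unlocked by user")
    if msg.preamble.startswith(EXPRESS_MODE_MARKER):
        return Decision(True, "express-mode marker present")
    return Decision(False, "locked and no express-mode marker")


def express_marker_and_transit_mcc(msg: ReaderMessage, locked: bool) -> Decision:
    """
    Policy B (the check the article attributes to Mastercard): a locked wallet
    additionally requires the reader to identify as a transit merchant, so the
    marker alone is not enough to release payment data.
    """
    if not locked:
        return Decision(True, "device unlocked by user")
    if not msg.preamble.startswith(EXPRESS_MODE_MARKER):
        return Decision(False, "locked and no express-mode marker")
    if msg.merchant_category_code not in TRANSIT_MERCHANT_CODES:
        return Decision(False, f"locked; MCC {msg.merchant_category_code} is not transit")
    return Decision(True, "express-mode marker and transit MCC")


# Constructed reader messages used by the comparison below.
TICKET_GATE = ReaderMessage(EXPRESS_MODE_MARKER + b"\x00", "4111")
SHOP_TERMINAL_WITH_MARKER = ReaderMessage(EXPRESS_MODE_MARKER + b"\x00", "5411")
ORDINARY_SHOP_TERMINAL = ReaderMessage(b"\x00\x00", "5411")


def compare(msg: ReaderMessage, locked: bool = True) -> tuple:
    """Return (policy A releases?, policy B releases?) for one reader message."""
    return (express_marker_only(msg, locked).release,
            express_marker_and_transit_mcc(msg, locked).release)


if __name__ == "__main__":
    for name, msg in [("ticket gate", TICKET_GATE),
                      ("shop terminal sending the marker", SHOP_TERMINAL_WITH_MARKER),
                      ("ordinary shop terminal", ORDINARY_SHOP_TERMINAL)]:
        print(f"{name}: {compare(msg)}")
```

Running the script shows the two policies agreeing on a genuine ticket gate and on an ordinary terminal, and disagreeing only on a non-transit reader that presents the express-mode marker: policy A releases payment data, policy B refuses because the merchant code is not a transit code. That disagreement is exactly the gap the article describes, and binding the express-mode bypass to the reader's merchant identity is the design choice that closes it in this model.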
The findings were reported to Apple and Visa in October 2020 and May 2021, respectively. However, neither company has resolved the issue; instead, the two firms shared the cost of a repair. As a result, the vulnerability remains unaddressed and exploitable with off-the-shelf hardware and software.
The discovery is detailed in a paper titled “Practical EMV Relay Protection,” which will be presented at the IEEE Symposium on Security and Privacy in 2022.