Andreea-Ina Radu and Tom Chothia at Birmingham University and Ioana Boureanu, Christopher J.P. Newton, and Liqun Chen at Surrey University claim that the Apple Pay platform can be duped into ignoring payment limits on Visa (NYSE:V) transactions when the Visa cards are set up in “Express Transit mode”.
The mode is meant to make life easier for people tapping in and out on public transport systems. The computer whizz-kids at the two universities were able to identify a unique code, broadcast by turnstiles, that unlocks Apple Pay. The researchers found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader.
By broadcasting what the researchers nicknamed “the magic bytes” and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a turnstile when it was actually talking to a shop reader.
Apple, which takes a much more totalitarian approach to controlling every part of its ecosystem than other operating system controllers such as Google and Microsoft, was informed of the vulnerability by the researchers back in October 2020, according to technology website The Register, while Visa was informed of the flaw in May 2021.
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea Radu, who led the research.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” she added.
Dr Tom Chothia, one of the study’s authors, advised iPhone users to check whether they have a Visa card set up for transit payments and, if so, to disable it.
“There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are,” he said.