Apple Pay with Visa allows you to pay with a locked iPhone



Researchers have found a way to make unauthorized payments through Apple Pay when the user has linked a Visa card. The danger is that any product can be paid for even while the iPhone is locked.

The researchers describe the method as a digital version of ordinary pickpocketing. It works even if the victim's smartphone is in a bag, and there are no transaction limits. While studying attacks on contactless payments, experts from the universities of Birmingham and Surrey found that the iPhone confirms a transaction under certain conditions.

Normally, for a payment to go through, the owner must authenticate and unlock the iPhone in one of three ways: Face ID, Touch ID, or a passcode. In some situations, such as paying for public transport, that step is unnecessarily cumbersome for the user. Apple Pay's developers addressed this with the Express Transit feature, which allows a transaction to be carried out without unlocking the device. Express Transit only works for certain services, such as ticket payments.


“In combination with a Visa card, this feature can be used to bypass a locked iPhone. In other words, the attacker can spend any amount from the victim's account without having to unlock the smartphone,” the researchers explain. The experts were able to turn a Proxmark device into a kind of card reader that interacted with the iPhone and Android device of the imaginary victim. According to the published infographics, the method works on the Man-in-the-Middle principle.


This vulnerability is still relevant today, so Apple Pay users with Visa cards should definitely keep this feature in mind.
