Vulnerabilities in Apple Pay, Samsung Pay and Google Pay Allow Unauthorized Purchases

Tomcat
An expert from Positive Technologies spoke about the vulnerabilities of mobile payment systems.

Positive Technologies expert Timur Yunusov spoke at the Black Hat Europe computer security conference in London, where he presented details of a study of vulnerabilities in the Apple Pay, Samsung Pay and Google Pay mobile payment systems.

The vulnerabilities discovered allow stolen smartphones on which a public transport payment mode has been activated, a mode that does not require unlocking the device, to be used for unlimited purchases. Until June 2021, such purchases could be made at any POS terminal, not only in public transport. On Apple iPhone, payment is possible even when the smartphone's battery is discharged.
Until 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, Face ID, or PIN. This is now possible through public transport schemes ("modes of payment in public transport", or Apple's Express Transit Card mode). Between April 28 and May 25, 2019, more than 48.38 million train rides were paid for in London alone using contactless methods such as cards and mobile wallets. In 2018, New York City subway passengers used contactless payments 3.37 billion times.

“One of the advantages of transport modes in smartphones is ease of use,” explains Timur Yunusov. “After you have linked your bank card (Visa, MasterCard, or, for example, American Express) to your smartphone and activated it as a transport card, you can pay for travel on the metro or on the bus without unlocking the device. This function is available, for example, in the USA, UK, China, Japan. To carry out the attack, Samsung Pay and Apple Pay smartphones must be registered in these countries, but the cards can be from any other region. Stolen phones can also be used in any region. You can do the same with Google Pay.”

In the course of the experiments, the researchers progressively increased the amount of a single charge, stopping at £101. However, banks most often do not impose additional restrictions and checks on payments made with Apple Pay and Samsung Pay, considering these mobile payment systems to be quite secure (one example), so the amount charged can be much higher.
As the Positive Technologies expert notes, even the latest Apple iPhones, including discharged ones, allowed the researchers to make payments at any POS terminal. To do this, a Visa card had to be linked to the smartphone (with express transport card mode activated) and the account had to have a positive balance. Because mandatory offline authentication (ODA, Offline Data Authentication) was absent at the time of the study, a stolen phone with a linked Visa card and activated transport mode can, according to Timur Yunusov, be used literally anywhere in the world at a variety of POS terminals, with no amount limits on either Apple Pay or Google Pay.

As for MasterCard cards, Positive Technologies specialists were able to reproduce similar actions by taking advantage of a shortcoming discovered earlier by experts from ETH Zurich. That flaw has since been rectified. At the moment, in order to make payments with stolen phones that have MasterCard or American Express cards attached, attackers would need access to specially modified POS terminals.
In his talk, Timur Yunusov gave recommendations to developers of payment systems and mobile wallets to help them better fight fraud associated with the loss and theft of smartphones. The issues identified include Apple Pay authentication and field validation flaws, confusion between AAC and ARQC cryptograms, missing amount field validation for public transport schemes, missing MCC field integrity checks (which applies to all three payment systems and wallets), and Google Pay payments above the NoCVM limits, among others.
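The issues listed above (no amount or MCC validation for transport-mode taps, AAC/ARQC confusion, no-CVM payments above limits) are the kind of inconsistencies an issuer's authorization host can refuse to trust. The following is an added example, not code from Positive Technologies or from any of the wallets or card schemes; the transit MCC codes are real ISO 18245 values, while the spending limits, field names and the `transit_mode` indicator are assumed for illustration.

```python
# Added illustration of issuer-side consistency checks for wallet transactions.
# Not the article's or any payment network's code; limits and field names are assumed.
from dataclasses import dataclass

TRANSIT_MCCS = {"4111", "4112", "4131"}  # commuter transport, passenger rail, bus lines (ISO 18245)
NO_CVM_TRANSIT_LIMIT = 50.00             # assumed issuer cap for a no-CVM transit tap (GBP)
NO_CVM_RETAIL_LIMIT = 45.00              # assumed contactless no-CVM limit outside transit (GBP)


@dataclass
class AuthRequest:
    amount: float          # Amount Authorised (EMV tag 9F02) as sent by the terminal
    mcc: str               # Merchant Category Code reported by the acquirer
    cvm_performed: bool    # wallet verified the user (biometric/PIN) for this tap
    transit_mode: bool     # wallet claims an Express Transit / transport-mode transaction (assumed flag)
    cryptogram_type: str   # "ARQC" (go online), "TC" (approved offline) or "AAC" (declined by card)


def authorize(req: AuthRequest) -> tuple[bool, str]:
    """Return (approved, reason). The wallet's transit claim is cross-checked against the
    merchant category, the amount and the cryptogram type instead of being trusted alone."""
    # An AAC means the card application itself declined; it is never an approvable request.
    if req.cryptogram_type == "AAC":
        return False, "card declined (AAC presented for authorization)"
    if req.cryptogram_type not in ("ARQC", "TC"):
        return False, "unknown cryptogram type"
    # A transport-mode tap (no user verification) is only plausible at a transit merchant.
    if req.transit_mode and req.mcc not in TRANSIT_MCCS:
        return False, f"transit mode claimed at non-transit MCC {req.mcc}"
    # Even at a transit merchant, an unverified tap must stay under the transit cap.
    if req.transit_mode and req.amount > NO_CVM_TRANSIT_LIMIT:
        return False, "amount exceeds no-CVM transit cap"
    # Outside transit mode, a tap without CVM must stay under the normal contactless limit.
    if not req.transit_mode and not req.cvm_performed and req.amount > NO_CVM_RETAIL_LIMIT:
        return False, "no CVM above contactless limit"
    return True, "approved"
```

Constructed cases worth trying: a £2.40 bus fare at MCC 4111 in transit mode is approved, while the £101 transit-mode tap at a grocery MCC from the article is refused for the MCC mismatch before the amount is even considered.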

Positive Technologies follows the principles of responsible disclosure: all the information we have about identified vulnerabilities is first provided to the manufacturer. If we do not receive a written response from the manufacturer within 90 days, we reserve the right to publish our findings in a limited form, without information that would allow third parties to exploit the vulnerability.

Apple, Google and Samsung were notified by us in March, January and April 2021, respectively. The specialists of these companies said that they were not going to make any changes to their systems, but asked for permission to share the findings and reports with the payment systems, assuring us that they would notify them. We gave this consent, but the representatives of the payment systems did not get in touch. Positive Technologies researchers, for their part, tried to contact technical specialists from Visa and Mastercard, but received no response from them, while at the end of September some of our findings were repeated and published by another team of researchers from the universities of Birmingham and Surrey.

In 2017, Positive Technologies experts discovered security issues with Apple Pay on smartphones that could lead (and still lead) to fraudulent payments using the Apple Pay payment function on websites. In 2019, Lee-Anne Galloway and Timur Yunusov also identified a way to bypass the contactless payment limit for Visa cards and for Google Pay mobile wallets with Visa cards. In 2020 and 2021, Positive Technologies reported vulnerabilities in Verifone, Ingenico and PAX POS terminals, some of which can be exploited remotely.