Apple Pay flaw allows Visa card charges without owner authorization

Researchers have discovered a flaw that allows Apple Pay payments to be made from a locked iPhone, without the knowledge of the device’s owner.

This works even if the iPhone is in a pocket or backpack, and it also ignores the Apple Pay transaction limit.

Researchers at the University of Surrey in the UK, while studying contactless payments, found that iPhones confirm transactions under certain conditions, such as password entry, Touch ID verification and Face ID.


However, in some scenarios, such as paying for public transport in European countries, the payment confirmation procedure becomes cumbersome for users. That’s why Apple introduced the “Express Public Transport” feature, which allows transactions to be made without the need for authentication.

Express Public Transport works with specific services, such as London Underground turnstiles, whose payment devices emit a specific sequence of data designed to enable this Apple Pay feature.

According to the researchers, Apple Pay’s Express Public Transport mode, combined with a Visa card, can be used by criminals to make charges without users’ knowledge.


The flaw is due to a vulnerability in the way Visa cards are used in conjunction with Apple Pay’s Express Public Transport mode. When tested with MasterCard cards, the problem is unlikely to occur because of additional verification performed by the card issuer’s systems on the iPhone attempting to complete the transaction.

If the vulnerability is exploited, the following steps are necessary:

During the demonstration of the vulnerability, the researchers made a payment of around $1,300 (about R$7 million, $1 million at the current exchange rate) from the locked iPhone. The researchers also said that the cell phone and the Android payment terminal do not need to be near the victim’s iPhone for the flaw to be exploited; all that is needed is a connection.

The researchers say they sent the research report to Apple and Visa in October 2021 and May 2021, respectively, and each responded by attributing the vulnerability to the other.

The payments company, contacted by the BleepingComputer website, released a statement saying that its cards that support Apple Pay’s express public transport feature are secure and that their owners can continue to use them with confidence. a decade and they are still proving impractical for real-world use. Finally, the company says that if this flaw affects a user, customers are protected through the insurance provided on their cards.

Apple has also commented on the vulnerability, this time to the BBC portal. The company founded by Steve Jobs told the news site that this flaw is Visa’s responsibility, but that the payments company does not believe that this type of scam is viable in the real world. Apple concludes, like Visa, by stating that, in the unlikely event of fraud like this happening to a user, cardholders are protected through the company’s financial insurance.

Source: BBC, Bleeping Computer, iMore, MacRumors
