Home Cyber Attack Researchers Discover How Hackers Were Stealing Money Via Apple Pay From iPhones

Researchers Discover How Hackers Were Stealing Money Via Apple Pay From iPhones

by Abeerah Hashim
steal money via Apple Pay VISA

Researchers have discovered a way that allows an adversary to steal money from Apple Pay accounts of target iPhones. All it takes is to exploit the underlying weaknesses in how VISA card is set on an iPhone’s Apple Pay. This method works even for locked devices at a distance, e.g. a locked iPhone in someone’s bag.

A Sophisticated Attack To Steal Money Via Apple Pay

A team of academic researchers has found how an adversary can steal money from target iPhones by exploiting Apple Pay.

Specifically, they have found vulnerabilities in how VISA card is set up in Apple Pay for EMV contactless transactions. While these EMV relay attacks are possible theoretically, Samsung already applies a mitigative strategy.

Apple also implements biometric authentication methods (Face ID or fingerprint) for successful payments via Apple Pay. However, bypassing these security checks remains possible due to the underlying vulnerabilities at VISA’s end (alongside Apple Pay). Nonetheless, such attacks do not affect Mastercard on Apple Pay.

How the attack works

The attack typically exploits the vulnerability in Apple Pay’s “Express Transit/Travel” feature. It facilitates making contactless payments to EMV readers at transport-ticketing barrier stations without unlocking the device.

In simple words, it works as Apple Pay recognizes “Magic Bytes’ (non-standard sequence of bytes) broadcast from the Transport for London (TfL) ticket-gate readers. These Magic Bytes can bypass the lock screen for swift transactions. As the researchers explained,

If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader.

That’s what an adversary can exploit. This “MiTM replay and relay” attack requires the target iPhone have VISA card configured as the ‘transport card”. Then, using a card emulator, the adversary can target the iPhone in close proximity to make payments to a non-transport EMV reader.

It happens because the system allows transactions with transport EMV readers with intermittent connectivity (known as Offline Data Authentication (ODA)).

Describing the attack methodology, the researchers stated on the webpage,

The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set…
To relay transactions over the contactless limit, the Card Transaction Qualifiers (CTQ), sent by the iPhone, need to be modified such that the bit (flag) for Consumer Device Cardholder Verification Method is set. This tricks the EMV reader into believing that on-device user authentication has been performed (e.g. by fingerprint).

The researchers have demonstrated the attack in this video.

Suggested Mitigations

Samsung also offers similar features for contactless EMV transactions via Samsung Pay. Also, it doesn’t employ Magic Bytes, hence always allowing transactions with locked Samsung phones. However, it implements “zero value payment” that makes transport (TfL) providers charge tickets using the data associated with these zero-value transactions.

As for the Apple Pay issue, the researchers have responsibly disclosed their findings to both Apple and VISA.  However, none of them has definitively fixed the issue yet. Hence, the vulnerability continues to exist.

Therefore, the researchers advise users to avoid setting up VISA as a transport card in Apple Pay as a workaround.

Nonetheless, VISA denies any real-time security risks to the users as it provided the following statement to Bleeping Computer,

Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem”

The team has shared a dedicated research paper on these findings that they will present at the IEEE Symposium on Security and Privacy 2022.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid