by Nigel Rizzo
Researchers have found a security flaw in Apple Pay when a Visa card is held in the digital wallet. This digital form of pick-pocketing works over the air even while the iPhone is locked. Although the newer ‘express transit’ setting lets millions of people pay without taking out a card, it also makes it easier for attackers to take money from the phone. The iPhone can be in a bag or in someone’s pocket and still be charged without the owner’s consent, and there is no transaction limit.
Researchers from the Universities of Birmingham and Surrey ran an experiment to assess the threat to Apple Pay. Across several test cases they identified a flaw in the Apple Pay lock screen and charged the card as much as £1,000 per transaction, without the owner’s knowledge or authorisation.
The equipment used to exploit the flaw was an iPhone, an NFC-enabled Android phone, a standard EMV payment terminal, and a laptop connected to a Proxmark radio-frequency identification (RFID) device. The Android phone acts as a card emulator and passes the relayed data on to the payment terminal. Meanwhile the Proxmark device, attached to the laptop, talks to the victim’s iPhone and feeds its responses to the card emulator, so that from the iPhone’s point of view the exchange looks like a genuine transaction with a valid transit EMV reader. The payment terminal, in turn, is led to believe that the victim has approved the transaction by biometric or PIN verification, and so authorises it.
Both Visa and Apple have been notified about the issue, but neither company has taken responsibility for the flaw, which means it remains a risk. The researchers who found the flaw have stated that either company, Apple or Visa, has the capability to mitigate this attack on its own. Apple Pay users do not have to be in danger; however, until Apple or Visa fixes this flaw, users remain at risk. In the meantime, one can lower the risk of being attacked by disabling the Visa card in Apple Wallet.