Researchers at the University of Birmingham and the University of Surrey have shown that cybercriminals could make fraudulent purchases by bypassing the Apple Pay lock screen of an iPhone. They could also hijack the limits of contactless payment.
Cybercriminals could make contactless payments without unlocking smartphones, according to a study by researchers at the University of Birmingham and Surrey. These “hackers” could indeed bypass the Apple Pay lock screen of an iPhone, since the wallet of the device includes a Visa card configured in “transit” mode. Thus, they would have complete freedom to make fraudulent purchases. These attackers could, at the same time, bypass contactless and perform unlimited transactions, even with a locked iPhone.
The user of a smartphone, to make a payment via an application, must for example scan his fingerprint or Face ID, or enter his PIN code to authenticate the transaction, which reduces the risk of attacks. To “facilitate payment at transportation ticketing barrier stations,” Apple implemented the Express Transit / Travel feature, allowing you to use Apple Pay without unlocking the phone, in 2019.
“We show that this feature can be exploited to bypass Apple Pay’s lock screen, and pay illicitly from a locked iPhone, using a Visa card, to any EMV reader, for n ‘ any amount, without the user’s permission, “the researchers then explain in a research article.
“The attack works”
To do this hack, the iPhone must have a Visa card configured for payment with Express Travel mode enabled. The victim should not be far away, even if their phone is in their luggage. “The attack works by first replaying the Magic Bytes to the iPhone, so that it believes the transaction is taking place with a transport EMV reader. Then, when transmitting the EMV messages, the transaction qualifiers terminal (TTQ), sent by the EMV terminal, must be changed so that the bits for offline data authentication (ODA), online authorizations and EMV mode are enabled, ”the researchers say.
The limit of contactless payment could also be abused, because of a modification of the Card Transaction Qualifiers (CTQ). “This is to trick the EMV reader into believing that the user authentication on the device has been performed (for example, by fingerprint). The value CTQ appears in two messages sent by the iPhone and should be modified in both occurrences “. Thus, during their test, the researchers were able to carry out a transaction of 1,000 pounds, or approximately 1,180 euros.