Unaddressed Apple Pay, Visa contactless card exploit could part you with your funds

A new way to siphon funds out of Visa cards enrolled into Apple Pay has been recently discovered by a group of researchers from the Computer Science departments of Birmingham and Surrey Universities. As demonstrated in an unreleased video before the BBC, the hack exploits the Wallet app's Express Transit feature, which allows users to make quick contactless payments without unlocking their phones with Face ID. Express Transit is most useful to commuters, especially in the London Underground.

In the demonstration video, the researchers successfully used a relay attack powered by an Android device and a common piece of radio equipment to 'steal' £1000 from their accounts.

Here's how the hack reportedly works, with certain key details deliberately omitted for the sake of security: a certain piece of radio equipment is tricking the iPhone that it's a ticket barrier, while an Android phone with a certain app is relaying signals between the iPhone and a contactless payment terminal. The iPhone is hence fooled that it's communicating with a real ticket barrier and the payment could be authorized without employing PIN or biometric authorization, so the funds are transferred to the folly payment terminal.

The researchers reveal that the hack doesn't require the Android device or the contactless payment terminal to be near the iPhone-toting victim, as only the tiny piece of equipment is required to fool the device and withdraw the funds. "It can be on another continent from the iPhone as long as there's an internet connection", co-researcher Dr Ioana Boureanu of the University of Surrey revealed.

There's a silver lining, though: so far, the hack has only been replicated in-house and there are no reports of it ever being used by wrongdoers in real-life conditions, which should give you a peace of mind, especially if you're using a Visa card to quickly pay at contactless terminals. Other researchers, not involved with the original research, warn that the hack could be used to quickly and effortlessly withdraw vast sums of money from stolen devices that are otherwise locked with a PIN code, fingerprint, or Face ID.

According to the researchers, this particular hack only works with Visa cards and doesn't seem to affect the Mastercard ecosystem, which has enhanced layers of security. The flaw was discovered more than a year ago, and while fruitful talks have been taking place with Visa, the exploit is yet to be fixed as Visa reportedly deems this issue "impractical" to pull off in real life.

The company says that "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world". Apple has also taken a stance, revealing that "this is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place".

What can you do to prevent yourself from potentially having your funds drained out of your Visa card? Dr Tom Chothia of the Birmingham University urges iPhone users to see if they have set up a Visa card for contactless transit payments and disable Express transit to attain a peace of mind. This way, you will have to authorize every payment with your PIN code, fingerprint, or facial data.

While the chances of such an attack taking place are relatively low due to the complexity of the hack, there's always a chance. Dr Andreea Radu of the Birmingham University, who led the research, warns that in spite of the technical complications, such elaborate financial exploits could be much more prevalent in a few years' time, especially if left unaddressed by the respective banking institutions.