In a demonstration video seen by BBC News, security researchers have shown how they were able to make a Visa payment of £1,000 using Apple Pay without unlocking the iPhone or authorizing the payment.
According to the researchers, the flaw applies to Visa cards set up in ‘Express Transit’ mode in an iPhone’s wallet. For those who aren’t familiar, Express Transit is an Apple Pay feature that enables commuters to make quick contactless payments without unlocking their phone.
In a statement to the publication, Apple said the matter was “a concern with a Visa system.” Meanwhile, Visa said payments were secure and that attacks of this type were impractical outside of a lab.
In demonstrating the attack, the researchers only took money from their own accounts.
A small, commercially available piece of radio equipment placed near the iPhone tricks it into believing it is communicating with a ticket barrier.
At the same time, an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal. Because the iPhone thinks it is paying a ticket barrier, it doesn’t need to be unlocked.
The researchers say the Android phone and payment terminal used do not even need to be near the victim’s iPhone. “It can be on another continent from the iPhone as long as there’s an internet connection.”
The researchers say they first approached Apple and Visa with their concerns almost a year ago, but the problem has not yet been fixed.