An unpatched flaw in Apple Pay has been disclosed by Cybersecurity researchers giving attackers the ability to make an unauthorized Visa payment with a locked iPhone via the Express Travel mode setup in the device’s wallet. All that is needed is the mobile phone to be on and also transactions could be relayed from an iPhone inside someone’s bag without the phone owners knowledge. No assistance whatsoever is needed from the merchant and backend fraud detection checks have not stopped any test payments made thus far by the researchers.

Express Travel feature allows users of iPhone and Apple Watch to make quick contactless payments for pubblic transit without the need to unlock the phone, validate Face ID or a passcode. This is a classical example of a man-in-the-middle (MitM) replay and relay attack involving bypassing the lock screen to make payment to any EMV reader illicitly and this is possible due to a combination of flaws in both Apple Pay and Visa’s system however it does not impact Mastercard on Apple Pay or Visa cards on Samsung Pay.

The success of this attack is hinged on imitating a transit gate transaction by using a Proxmark device that acts as an EMV card reader communicating with a victim’s iPhone and an NFC-enabled Android app that functions as a card emulator to relay signals to a payment terminal.
Specifically, it takes advantage of a unique code — aka Magic Bytes — broadcast by the transit gates to unlock Apple Pay, resulting in a scenario whereby replaying the sequence of bytes, the Apple device is deceived into authorizing a rogue transaction as if it’s originated from the ticket barrier, when, in reality, it’s been triggered via a contactless payment terminal under the attacker’s control.

The EMV reader is simultaneously tricked into believing that on-device user authentication has been performed thereby enabling payments of any amount to be made without the iPhone user’s knowledge.

This vulnerability was made known to Apple and Visa in October 2020 and May 2021, respectively, the researchers said, adding, “both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix.”

In a statement shared with the BBC, Visa said this type of attack was “impractical,” adding, “Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”

Visa in a statement shared with BBC said this type of attack was “impractical”, adding, “Variations of contactless fraud schemes have been studied in laboratory settings more than a decade and it has been proven to be impractical to execute at scale in the real world.”

“This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place,” an Apple spokesperson was quoted as saying to the U.K. national broadcaster.

However reseachers at SLYTECH opine that there is no such thing as an impractical vulnerability as a vulnerability remains what it is i.e a flaw sitting in wait for the right threat actors to take huge advantage of and cause a greater damage.



Source:https://slytech.org/2021/10/02/a-current-flaw-in-apple-pay-is-enabling-unauthorized-contactless-payments/