Visa has hit back after cybersecurity researchers claimed possible security issues in its payment mechanisms, specifically concerning Apple Pay, could allow criminals to make fraudulent contactless mobile payments.
Researchers from the University of Birmingham and the University of Surrey used a locked iPhone to make a payment via NFC, exploiting an Apple Pay feature called Express Transit that’s designed to work with Visa to help commuters pay quickly at ticket barriers.
However, Visa said that its payments were secure, and that this type of attack couldn’t be replicated outside of the lab in the real world.
"Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence," Visa told TechRadar Pro in a statement.
"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."
Fooling the phone
The hack involves the use of a small commercially available piece of radio equipment, which is placed near the iPhone to trick it into believing it is dealing with a ticket barrier. At the same time, an Android phone running a custom app developed by the researchers is used to relay signals from the iPhone to any contactless payment terminal.
Since the iPhone thinks it is paying a ticket barrier, it does so while still being locked. On the other end, the custom Android app modifies the iPhone’s communications with the payment terminal, which thinks the iPhone has been unlocked and the payment has been authorized legitimately.
In a video, the researchers successfully tricked an iPhone into making a Visa payment of £1,000 without unlocking the phone or explicitly authorizing the payment.
Importantly, the researchers share that the Android phone and payment terminal used in the hack don't need to be near the victim's iPhone.
"It can be on another continent from the iPhone as long as there's an internet connection," Dr Ioana Boureanu of the University of Surrey told the BBC.
Apple reportedly added that the matter was an issue with Visa’s payment system.
Via BBC