Researchers at the University of Birmingham and the University of Surrey have shown that cybercriminals can make fraudulent purchases by bypassing the Apple Pay lock screen of an iPhone. They can also hijack contactless payment limits.
Cybercriminals can make contactless payments without unlocking smartphones, according to a study by researchers at the University of Birmingham and Surrey. These “hackers” can bypass the Apple Pay lock screen of the iPhone, as the device’s wallet includes a Visa card configured in “Passage” mode. Thus, they will have complete freedom to make fraudulent purchases. These attackers can, at the same time, bypass contactless and make unlimited transactions, even with a locked iPhone.
A smartphone user, to make a payment via an application, for example, must scan their fingerprint or face ID, or enter their PIN to authenticate the transaction, which reduces the risk of attacks. To “make it easier to pay at transit ticket checkpoints,” Apple implemented Express Transit/Travel, which allows you to use Apple Pay without unlocking the phone, in 2019.
“We show that this feature can be exploited to bypass the Apple Pay lock screen, and illegally pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without the user’s permission,” the researchers said at the time in a research article.
“The attack works”
To do this hack, iPhone must have a Visa card configured for payment with Express Travel Mode enabled. The victim should not be far away even if their phone is in their luggage. “The attack works by first restarting the Magic Bytes on the iPhone, so that it thinks the transaction is done using the EMV reader for transmission. Then, when sending EMV messages, the Transaction Qualifier (TTQ) station, which is sent by the EMV station, must be changed so that The bits for Offline Data Authentication (ODA), Online Licenses, and EMV Mode are enabled.”
The contactless payment limit can also be abused, due to the Card Transaction Qualifications (CTQ) adjustment. “This is to trick the EMV reader into believing that user authentication to the device has been performed (eg, by fingerprint). The CTQ value appears in two messages sent by the iPhone and should be modified in both cases.” Thus, during the test, the researchers were able to make a deal worth 1,000 pounds, or approximately 1,180 euros.
