Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device’s wallet.
“An attacker only needs a stolen, powered on iPhone. The transactions could also be relayed from an iPhone inside someone’s bag, without their knowledge,” a group of academics from the University of Birmingham and University of Surrey said. “The attacker needs no assistance from the merchant and backend fraud detection checks have not stopped any of our test payments.”
Express Travel is a feature that allows users of iPhone and Apple Watch to make quick contactless payments for public transit without having to wake or unlock the device, open an app, or even validate with Face ID, Touch ID or a passcode.
The man-in-the-middle (MitM) replay and relay attack, which involves bypassing the lock screen to make a payment to any EMV reader illicitly, is made possible due to a combination of flaws in both Apple Pay and Visa’s system, and doesn’t impact, say, Mastercard on Apple Pay or Visa cards on Samsung Pay.
The modus operandi hinges on mimicking a…