A bypass bug was found in Visa and Apple Pay in making contactless payments

October 18, 2021
bypass bug vulnerability Visa Apple Pay contactless payments

A technique was discovered last Thursday by academic institutions from the UK which tackles a bypass bug issue relating to mobile security of Visa and Apple payment processes that can result in fake contactless payments. The said mobile security issue is reported to be capable of bypassing the lock screen of Apple’s iPhone to intrude the device’s payment services and commit fraudulent transactions. 

A research paper set for publication in 2022 discusses vulnerability in devices, which occurs when a Visa card is created in an iPhone’s wallet feature called the Express Transit mode. With the Express mode, commuters will quickly tap and pay on any access rail turnstile, which lessens the hassle of commuting. 

This issue is said to be only applicable to Visa and iPhone’s Apple Pay due to the use of a unique code called the “magic bytes.” This unique code is broadcasted by access rail turnstiles and transit gates in unlocking an iPhone’s Apple Pay. According to the researchers, a relay attack can be performed using standard radio equipment to trick an iPhone device into acquiring information in transacting to a transit gate. 

An iPhone device with a Visa transit card called Proxmark, an Android phone that is NFC-enabled to be the card emulator, and a payment terminal was used in an experiment to make payments using a device that is locked to an EMV or an intelligent payment reader. 

The attack is triggered once a target victim that holds the device is in close range. The “magic bytes” will be broadcasted and will modify a set of some other variables.   

This attack technique is considered unfeasible in the real world despite the experiment being an interesting concept. Security researchers have highlighted that authorization protocols are only an initial payment protection level. Financial firms must establish further guidelines in detecting and identifying suspicious activities in transactions and mobile fraud. Overall, Visa has a less than 0.1% of fraud level globally. 

 

The bypass bug issue regarding contactless payments remains unsettled despite the academics being able to approach and hear from Apple and Visa.

 

On October 23 last year, Apple was contacted by the academics, followed by Visa in January this year. A video call was conducted with Visa, and on May 10, 2021, a vulnerability report was sent to their platform. However, the issue remains unfixed. Analysts say that if the two related parties have partial blame for the problem, none of them will be willing to be responsible and conduct mitigation, leaving all affected users exposed to vulnerability. 

Moreover, a statement from Visa says that their cards linked to Apple Pay Express Transit are secured and that all cardholders remain safe to use it. They also added that they are working hard to fortify their security measures. 

About the author

Leave a Reply