Don’t use Visa cards with Express Transit on iPhone if you hate getting mugged

Security researchers just uncovered a big flaw.
Photo: Apple

Security researchers have discovered a major flaw in Express Transit on iPhone that allows hackers to steal money from a user’s Visa card. They say the problem can be easily fixed, but neither Apple nor Visa seems interested.

The flaw lets a device that imitates a transport terminal charge arbitrary transactions to the iPhone’s contactless payment feature, which is designed to make paying for public transport easier and faster.

Express Transit on iPhone has a major flaw

Express Transit on iPhone and Apple Watch requires no authentication, unlike using Apple Pay in a store or online. It skips that step to speed up payment so that users aren’t held up when catching trains, buses, and other services.

What’s more, Apple Pay imposes no payment limit on these transactions, unlike contactless credit and debit cards. So, by simply using a device that imitates a public transport terminal, hackers can charge an iPhone as much as they like in a single tap.

Researchers at the Universities of Surrey and Birmingham were able to exploit this flaw to charge a payment of £1,000 (approx. $1,345) to one iPhone, despite it being locked at the time. But it only works with Visa cards.

Those who use a MasterCard or American Express card with Express Transit are considered safe, because those networks employ an additional authentication process.
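To make the decision flow above concrete, here is a small policy model written for this article; it is not Apple’s, Visa’s or the researchers’ code. It treats the terminal’s “I am a transit gate” claim as what it really is from the phone’s point of view: untrusted input chosen by whoever built the reader. The class and function names, the £100 cap in the hardened variant, and the simplification that Mastercard and Amex simply fall back to requiring user verification are all assumptions made for the example.

```python
"""Toy model of the Express Transit authorization decision (added example, not Apple or Visa code)."""
from dataclasses import dataclass
from enum import Enum


class Network(Enum):
    VISA = "visa"
    MASTERCARD = "mastercard"
    AMEX = "amex"


@dataclass(frozen=True)
class Device:
    locked: bool
    user_verified: bool            # Face ID / Touch ID / passcode presented for this tap
    express_transit_enabled: bool  # the optional feature described in the article
    express_card: Network          # card linked to Express Transit


@dataclass(frozen=True)
class TerminalRequest:
    claims_transit: bool  # self-asserted by the reader; a rogue reader can set this freely
    amount_pence: int


# Per the article, only Visa skips the extra check on the transit path (assumption: modelled as a set).
EXPRESS_TRANSIT_NO_EXTRA_AUTH = {Network.VISA}


def _takes_unauthenticated_transit_path(device: Device, req: TerminalRequest) -> bool:
    """True when the tap lands on the no-authentication path the article describes."""
    return (
        req.claims_transit
        and device.express_transit_enabled
        and device.express_card in EXPRESS_TRANSIT_NO_EXTRA_AUTH
    )


def authorize_as_described(device: Device, req: TerminalRequest) -> bool:
    """Decision flow as the article describes it: a Visa on Express Transit needs no user
    verification and has no amount cap, so the reader's self-declared type is the only gate."""
    if _takes_unauthenticated_transit_path(device, req):
        return True
    # Every other path (store purchase, or a network that adds a check) needs the user present.
    return device.user_verified and not device.locked


UNAUTHENTICATED_CAP_PENCE = 10_000  # hypothetical £100 bound; not a figure from the article


def authorize_with_cap(device: Device, req: TerminalRequest) -> bool:
    """Hypothetical hardened variant (this editor's assumption, not a fix Apple or Visa announced):
    a tap that nobody authenticated may never exceed a fixed bound, whatever the reader claims."""
    if _takes_unauthenticated_transit_path(device, req):
        return req.amount_pence <= UNAUTHENTICATED_CAP_PENCE
    return device.user_verified and not device.locked


# Constructed scenario: locked iPhone in a pocket, rogue reader in a bag posing as a transit gate.
LOCKED_VISA_IPHONE = Device(locked=True, user_verified=False,
                            express_transit_enabled=True, express_card=Network.VISA)
LOCKED_MASTERCARD_IPHONE = Device(locked=True, user_verified=False,
                                  express_transit_enabled=True, express_card=Network.MASTERCARD)
VISA_IPHONE_EXPRESS_OFF = Device(locked=True, user_verified=False,
                                 express_transit_enabled=False, express_card=Network.VISA)
ROGUE_GATE_1000_POUNDS = TerminalRequest(claims_transit=True, amount_pence=100_000)
ROGUE_GATE_SMALL_FARE = TerminalRequest(claims_transit=True, amount_pence=250)
ROGUE_STORE_READER = TerminalRequest(claims_transit=False, amount_pence=100_000)


def run_scenarios() -> dict:
    """Evaluate each constructed tap under both policies; returned so it can be checked, not just printed."""
    return {
        "visa_1000_as_described": authorize_as_described(LOCKED_VISA_IPHONE, ROGUE_GATE_1000_POUNDS),
        "mastercard_1000_as_described": authorize_as_described(LOCKED_MASTERCARD_IPHONE, ROGUE_GATE_1000_POUNDS),
        "visa_express_off_as_described": authorize_as_described(VISA_IPHONE_EXPRESS_OFF, ROGUE_GATE_1000_POUNDS),
        "visa_store_reader_as_described": authorize_as_described(LOCKED_VISA_IPHONE, ROGUE_STORE_READER),
        "visa_1000_with_cap": authorize_with_cap(LOCKED_VISA_IPHONE, ROGUE_GATE_1000_POUNDS),
        "visa_fare_with_cap": authorize_with_cap(LOCKED_VISA_IPHONE, ROGUE_GATE_SMALL_FARE),
    }


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name}: {'APPROVED' if approved else 'declined'}")
```

The point the model makes is that in the as-described flow the only thing standing between a locked phone and a £1,000 charge is a bit the reader itself asserts; turning Express Transit off, or linking a card that the article says adds its own check, removes the path, and a bound on unauthenticated amounts would at least limit the damage.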

Express Transit must be enabled

Express Transit transactions cannot be performed remotely — an attacker needs to be close to your device to take advantage of this flaw. But it’s possible that a rogue payment terminal could be hidden inside a bag and then brushed up against a user’s iPhone while it’s inside their pocket.

Express Transit is an optional feature that must be enabled manually, so your device is only vulnerable if you have it activated and linked to a Visa card. But what’s worrying is that neither Apple nor Visa seems willing to find a fix.

Apple blames the problem on Visa and told The Telegraph that “Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.” It also pointed out that users are protected by Visa’s zero liability policy.

A spokesperson for Visa insisted that cards connected to Express Transit “are secure” and that cardholders “should continue to use them with confidence.” They also brushed off the findings by adding that “variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”

This is different

While Apple and Visa seem nonchalant, it seems there are valid reasons for iPhone owners to be concerned. Unlike other Apple Pay transactions, Express Transit payments don’t need to be authorized by Face ID, Touch ID, or a passcode — and there is no limit on how much can be spent.

So, it is perfectly plausible that a hacker might hide a payment terminal inside a bag, then hold it close to an unsuspecting victim’s iPhone or Apple Watch on a busy train or platform to make a charge that the iPhone owner knows nothing about until it leaves their bank account or shows up on a statement.

The only way to prevent this is to disable Express Transit, or at least to stop using a Visa card with it.
