Mobile contactless payments provide a convenient way to pay for items both in-store and online. Embedding your wallet into your smartphone removes the need to carry a physical one, and gives you peace of mind that you will always have the right loyalty card or payment card with you. However, as more of your personal identity becomes embedded in your smartphone, it raises the question of how secure it actually is.

Recently a vulnerability has been discovered in Visa’s processing of Apple Pay payments. Apple Pay is the digital wallet used by Apple devices, such as the iPhone. In a newly published video, security researchers used off-the-shelf equipment to make a contactless payment of £1000 from a locked iPhone. The exploit requires two specific conditions to work: the card linked to the device must be a Visa card, and Express Transit mode must be enabled on the Apple Pay enabled device.

Express Transit is a feature of Apple Pay that lets you make quick contactless payments at selected public transport terminals while the iPhone remains locked. The weakness lies in how Visa’s systems process these transit requests.

What makes the exploit unusual is that it works entirely with off-the-shelf equipment. The attacker places a small, commercially available piece of radio equipment near the iPhone, which tricks it into believing it is dealing with a ticket barrier. An Android phone running a specially developed application then relays the signals from the iPhone to a contactless payment terminal (usually one under the criminal’s control). Because the iPhone believes it is paying at a ticket barrier, it does not need to be unlocked for the payment to be authorised. However, because the attackers have intercepted and modified the signals in transit, the payment terminal believes the iPhone was unlocked, allowing high-value transactions to be made without the iPhone user’s knowledge.

This particular exploit is difficult to replicate in the real world and has so far only been demonstrated in a lab. Nevertheless, it raises the important question of where the balance between digital security and convenience should lie.