Is Apple Pay safe for online purchases?



How secure is Apple Pay? UK security researchers are raising the alarm over Apple Pay. With the introduction of the Express Transit feature, Apple's mobile payment system is said to have lost enough security to allow large unauthorized payments when used with Visa cards.



Available in the United States since spring 2019, the Express Transit feature, linked to Apple Pay, enables tap-and-go payment on the iPhone, letting users pass quickly through gates (in public transport, for example) without having to unlock their phone.


This feature has since expanded to other countries, including the UK and Japan. Convenient as it is, it reportedly comes at the cost of reduced security, at least in certain cases.


British researchers from the universities of Birmingham and Surrey have demonstrated that large unauthorized payments can be made through Apple Pay when it is used with Visa cards and the Express Transit function.


These payments are made possible by exploiting a flaw discovered in the contactless payment system offered by Visa cards.


A FUNCTIONAL METHOD… EVEN FOR LARGE SUMS

To relieve the victim of a large sum of money, the attacker needs a small, commercially available radio accessory that can mimic a gate terminal when placed near a locked iPhone. The attacker also needs an Android smartphone running an application developed to relay the signals from the iPhone to a payment terminal.


This application also modifies the communications in order to deceive the terminal. The goal is to make the terminal believe that the target iPhone has been unlocked and that the user has authorized a payment.


Using this method themselves, the researchers managed to authorize a contactless payment of £1,000 from a locked iPhone. They specify that for the transfer to work, the Android smartphone and the payment terminal do not need to be near the target iPhone; they just need to be connected to the internet.


A VISA PROBLEM, SAYS APPLE IN ITS DEFENSE

Contacted by the BBC, Apple said the problem was not its responsibility, but that of Visa. "This is a concern with the Visa system, but Visa does not believe this type of fraud is likely to occur in the real world, given the multiple layers of security in place," the group said, stating that in the event of theft by this method, users are covered by Visa's zero liability policy. Under that policy, the cardholder is not liable for any unauthorized transactions.


Visa, for its part, sought to be reassuring: "Variants of contactless fraud systems have been studied in the laboratory for more than ten years and have proven to be impractical to implement on a large scale in the real world". The British researchers behind the discovery admit that this type of attack is indeed elaborate, but believe that "the reward of the attack is high enough" to motivate thieves.


They nevertheless specify that the operation cannot be replicated with Mastercard bank cards. For Visa card users, deactivating the Express Transit function is enough to greatly limit the risks. The function is not yet used on a large scale anyway, and is not yet available for transport in France.

