The man-in-the-middle attack vulnerability has been demonstrated by Dr Andreea Radu, the lead researcher at the School of Computer Science at the University of Birmingham. The vulnerability requires that the Apple Pay user have express transit mode enabled, a feature that allows a payment to be initiated at a transit terminal without unlocking the phone. Apple deployed this feature in May of 2019. One noteworthy point: the attack works through most purses and pockets and modifies the transaction so that it appears the user was authenticated using the Apple biometric or PIN.
One important aspect that isn’t clear is who is responsible for this breach in security. The research team indicates that the flaw is specific to a Visa card within Apple Pay and that neither Apple nor Visa is taking action to fix it. It is unclear whether the researchers tested cards from other networks, such as Amex or Mastercard, to determine if this is a problem in the EMV specification itself or only in Visa and Apple’s implementation of EMV:
“However, an experiment conducted by the Universities of Birmingham and Surrey found threat actors are able to exploit a flaw to bypass the Apple Pay lock screen and charge the connected card, in some cases up to £1,000 per transaction, without user authorisation. The owner doesn’t have to leave the device unattended or have it stolen – thieves can also exploit the flaw through a bag or coat, thanks to contactless payment technology.
In a demonstration of the exploit, researchers used an iPhone, an NFC-enabled Android phone, a standard EMV reader payment terminal, and a laptop connected to a Proxmark radio-frequency identification (RFID) scanner.
The Android phone is used as a card emulator to communicate with a payment terminal. Meanwhile, the Proxmark device, connected to a laptop, acts as a reader emulator to communicate with the potential victim’s iPhone, which is led to act as if the transaction is happening with a legitimate transport EMV reader.
Researchers first set up a payment for £1,000 on the payment terminal and ran a script on the laptop to alert the Proxmark RFID scanner to receive the transaction, which then passes it to the payment terminal. Meanwhile, the flaw also manipulates the payment terminal to believe that the victim had authorised the transaction by biometric or PIN verification, enabling the transaction to take place.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group