Researchers have discovered vulnerabilities in Apple Pay. When Apple Pay is associated with a Visa card, the vulnerability can allow hackers to bypass the lock screen and make contactless payments, without limits, on any payment terminal.
Yesterday, Futura recounted the setbacks of his on security and which Apple is showing to close its security breaches. Today, it is a new vulnerability, affecting Apple Pay in connection with a Visa card, that was revealed. This flaw could allow hackers to bypass an iPhone lock to make contactless payments. The breach was discovered in the UK by researchers from the University of Birmingham and the University of Surrey. It will be presented at the next Symposium on security and confidentiality.
The catch is that, thanks to this vulnerability, it is even possible for the hacker to go beyond the limit of the to debit the sums. To exploit this flaw, a particular setting must be activated on the iPhone: the Express Transit mode. It allows contactless payment for a trip at a metro access point, for example, without needing to unlock the phone. It should also be noted that the problem only affects Apple Pay accounts associated with a Visa card.
A flaw that may never be corrected
The researchers observed that, when one passes the on a wireless from a metro entrance, the terminal broadcasts a unique code to the telephone. By recovering this code, integrating it into a simple contactless payment terminal and modifying the protocols of the device, the scientists made the iPhone believe that it was at an access point to a turnstile. These changes triggered the payment of the amount displayed on the card reader. And since this code, which the researchers have nicknamed the “magic code”, opens wide the to any, it also allows debits to be authorized with no limit on the amount. Enough to loot a bank account in one go, without contact.
Once again, the researchers discussed this flaw with Apple and Visa, and the two sides passed the buck to each other over implementing a fix. Since a fix may take months to arrive, if it is ever deployed, it is better to deactivate this payment option in Apple Pay when you have linked your account to a Visa card.