Researchers have discovered vulnerabilities in Apple Pay. When Apple Pay is associated with a Visa card, the vulnerability can allow hackers to bypass the lock screen and make contactless payments, without any limit, on any payment terminal.
Yesterday, Futura recounted the security setbacks of Apple's AirTag and the inertia Apple is showing in closing its security breaches. Today, a new vulnerability affecting Apple Pay in connection with Visa has been revealed. This flaw could allow hackers to bypass an iPhone's lock to make contactless payments. The breach was discovered in the UK by researchers from the University of Birmingham and the University of Surrey. It will be presented at the next IEEE Symposium on Security and Privacy, in 2022.
Worse, thanks to this vulnerability, the hacker can even exceed the contactless payment limit when debiting sums. To exploit this flaw, a particular setting must be activated on the iPhone: the Express Transit mode. It allows contactless payment for a trip at a metro access point, for example, without needing to unlock the phone. It should also be noted that the problem only affects Apple Pay accounts associated with a Visa card.
A flaw that may never be corrected
The researchers observed that, when an iPhone is passed over a wireless sensor at a metro entrance, the terminal broadcasts a unique code to the phone. By recovering this code, integrating it into a simple contactless payment terminal and modifying the device's protocols, the scientists made the iPhone believe that the terminal was a turnstile access point. These changes triggered the payment of the amount displayed on the card reader. And since this code, which the researchers have nicknamed the “magic code”, opens the door wide to any payment terminal, it also makes it possible to authorize debits with no limit on the amount. That is enough to loot a bank account in one go, without contact.
Here again, the researchers discussed this flaw with Apple and Visa, and each side passed the buck to the other on implementing a fix. Since a fix may take months to arrive, if it is ever deployed, it is better to deactivate this payment option in Apple Pay if you have linked your account to a Visa card.