Security Issues Found in Visa and Apple Pay

Bugs found in iPhone contactless payment mechanisms could result in fraudulent purchases on your account.

Academics from the UK uncovered the technique, whereby attackers could bypass your smartphone’s lock screen to make transactions. According to research, when Visa cards are set up in Express Transit mode in an iPhone wallet, that’s when the vulnerability occurs. Express mode is generally used to give commuters easier access to their transactions without more in-depth identity authentication.

Unique code is broadcasted by transit gates and turnstiles to unlock Apple Pay is thought to be the cause of the issue, which appears to only affect Apple Pay and Visa. Researchers were able to perform a relay attack using standard radio equipment which tricked an iPhone into behaving as if it were communicating with a transit gate.

If a person is in close proximity, whether the phone is held by someone or stolen, the attack can be triggered by broadcasting the unique code and modifying other variables in order to cause harm. Researchers tested this attack using an iPhone 7 and an iPhone 12, and while the experiment was successful, it may be more difficult to deploy in a real world scenario.

Payment protections generally extend beyond just the authorization process. It’s worth noting that the fraud level on Visa’s global network is below .1%, which bodes well for those who utilize the company’s services.

Those working on this particular security issue notified both parties of the issues, and while acknowledged, the vulnerability remains unfixed. Visa noted in a statement that while they are aware of the concern, they believe it’s unlikely fraud of this nature will occur in the real world given the layers of security the company has set in place.