Apple Pay has been flagged as a security risk after researchers uncovered a flaw in its system that could leave users seriously out of pocket.
iPhone users have been urged to switch off Express Transit mode if it is connected to a Visa card, as it could allow fraudsters to hack in and make transactions and contactless payments without the user having any idea they are happening.
A team of researchers at the University of Surrey and the University of Birmingham say the flaw could even be used to take unlimited payments from someone’s iPhone while it was in their bag or pocket.
The issue reportedly comes up when a Visa card is set up on Apple Pay with the Express Travel Card setting enabled. This setting allows people to tap in and out of public transport without even needing to unlock their iPhone.
Whilst this is very convenient for iPhone owners, it seems it could also be putting them at significant risk. Using simple radio equipment, the research team from the two universities managed to trick an iPhone into thinking it was making a transport tap-in when it was actually completing a transaction with a payment reader. Cybercrime experts call this type of scam a “man-in-the-middle” attack.
The experts identified a unique code used at transport turnstiles and then used it to trick the iPhone into making a contactless payment.
As a result, iPhone owners are now being urged to disable Express Transit mode. Dr Tom Chothia of the University of Birmingham said: “iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it.”
However, both Apple and Visa suggest the issue is not as grave as the research suggests, and that actually running the scam is impractical in the real world.
A spokesperson for Visa said: “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
An Apple spokesperson said: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
But Dr Andreea Radu, leader of the study at the University of Birmingham, disagrees: “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” he said.
To turn off Express Transit mode on your iPhone, go to Settings > Wallet & Apple Pay > Express Travel Card and then select None.