Flaws in Apple Pay and Visa could allow criminals to make arbitrary contactless payments – no authentication needed, research finds

Cybercriminals could make fraudulent purchases by circumventing an iPhone’s Apple Pay lock screen where the device’s wallet has a Visa card set up in so-called transit mode.

The attackers could also bypass the contactless limit to carry out unlimited transactions from locked iPhones, researchers from the University of Birmingham and the University of Surrey have shown.

The research paper, titled “Practical EMV Relay Protection”, maps out how attackers could abuse a combination of flaws in Apple Pay and Visa, explaining that all they would need to carry out an attack is a pilfered powered-on iPhone. The illicit transactions could also be relayed even if the device is in the victim’s baggage.

When carrying out a payment via a smartphone app, the user usually has to authenticate the transaction using either one of the iPhone’s built-in biometric authentication features like a fingerprint scan or Face ID, or punch in a PIN code, reducing the threat of relay attacks. However, in May 2019 Apple introduced the “Express Transit/Travel” feature that allows Apple Pay to be used without unlocking the phone. The feature was introduced to facilitate payment at transport-ticketing barrier stations.

“We show that this feature can be leveraged to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without user authorization,” reads the paper describing the attack method.

The attack, classified as a Man-in-the-Middle (MitM) replay and relay attack, requires the iPhone to have a Visa Card set up for payment with the “Express Travel” mode turned on, and the victim to be in close vicinity to the attacker. To conduct their test, the researchers used a Proxmark that acted as a reader emulator, and an NFC-enabled Android phone that was used as a card emulator to communicate with the payment terminal.

“The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set,” the researchers said.
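To make the TTQ modification the researchers describe concrete, here is an added decoder (not code from the article or from the paper's authors) for the 4-byte Terminal Transaction Qualifiers value (EMV tag 9F66), which reports every flag set and whether the two flags named above are both present; bit positions follow Visa's published TTQ layout, and the sample TTQ values are constructed for illustration.

```python
# Added example: decode a Visa Terminal Transaction Qualifiers (TTQ, tag 9F66)
# value and report the two flags the researchers say the relay must set.
# Bit layout follows the published TTQ definition (byte 1 bit 6 = EMV mode
# supported, byte 1 bit 1 = ODA for Online Authorizations supported).
# All sample values below are constructed, not captured from a real terminal.

TTQ_FLAGS = {
    # (byte index 0..3, bit number 8..1): flag name
    (0, 8): "MSD supported",
    (0, 6): "EMV mode supported",
    (0, 5): "EMV contact chip supported",
    (0, 4): "Offline-only reader",
    (0, 3): "Online PIN supported",
    (0, 2): "Signature supported",
    (0, 1): "ODA for Online Authorizations supported",
    (1, 8): "Online cryptogram required",
    (1, 7): "CVM required",
    (1, 6): "(Contact chip) Offline PIN supported",
    (2, 8): "Issuer Update Processing supported",
    (2, 7): "Consumer Device CVM supported",
}

RELAY_SET_FLAGS = {"EMV mode supported", "ODA for Online Authorizations supported"}


def decode_ttq(ttq_hex: str) -> list[str]:
    """Return the names of all flags set in a 4-byte TTQ given as a hex string."""
    raw = bytes.fromhex(ttq_hex)
    if len(raw) != 4:
        raise ValueError("TTQ (9F66) must be exactly 4 bytes")
    # EMV numbers bits 8..1 from most to least significant within each byte.
    return [name for (i, bit), name in TTQ_FLAGS.items() if raw[i] & (1 << (bit - 1))]


def relay_flags_present(ttq_hex: str) -> bool:
    """True when both flags the paper says the relay sets are present."""
    return RELAY_SET_FLAGS <= set(decode_ttq(ttq_hex))


# Constructed samples: byte 1 = 0x80 (MSD only) vs 0xA1 (MSD + EMV mode + ODA).
SAMPLE_MSD_ONLY = "80000000"
SAMPLE_EMV_ODA = "A1000000"

if __name__ == "__main__":
    for sample in (SAMPLE_MSD_ONLY, SAMPLE_EMV_ODA):
        print(sample, decode_ttq(sample), relay_flags_present(sample))
```

Both flags are legitimately set by ordinary EMV-mode readers, so the check only shows what a captured TTQ claims about the terminal; on its own it is not evidence of a relay.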