Hackers Can Steal Money Via Apple Pay From iPhones

Researchers have discovered a way for an adversary to steal money from the Apple Pay accounts of targeted iPhones. All it takes is exploiting underlying weaknesses in how a VISA card is set up in an iPhone's Apple Pay. The method works even against locked devices at a distance, e.g. a locked iPhone in someone's bag.

A Sophisticated Attack To Steal Money Via Apple Pay

A team of academic researchers has found how an adversary can steal money from target iPhones by exploiting Apple Pay.

Specifically, they found vulnerabilities in how a VISA card is set up in Apple Pay for EMV contactless transactions. Although EMV relay attacks of this kind are possible in theory, Samsung already applies a mitigation against them.

Apple also requires biometric authentication (Face ID or fingerprint) before a payment via Apple Pay succeeds. However, these checks can still be bypassed because of the underlying vulnerabilities on VISA's side, combined with Apple Pay's behaviour. Such attacks do not affect Mastercard on Apple Pay.

How the attack works

The attack exploits a vulnerability in Apple Pay's "Express Transit/Travel" feature, which lets the phone make contactless payments to EMV readers at transport ticket gates without being unlocked.

Put simply, Apple Pay recognises a non-standard sequence of bytes ("Magic Bytes") broadcast by Transport for London (TfL) ticket-gate readers, and these Magic Bytes allow the lock screen to be bypassed for a quick transaction. As the researchers explained,

If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader.

This is what an adversary can exploit. The "MiTM replay and relay" attack requires that the target iPhone has a VISA card configured as its transport card. Then, with a card emulator in close proximity to the iPhone, the adversary can relay the transaction to a non-transport EMV reader and make a payment.

This works because transport EMV readers, which may have only intermittent connectivity, are allowed to authenticate transactions offline, a mechanism known as Offline Data Authentication (ODA).

Describing the attack methodology, the…