Don’t Use Visas on Apple Pay for Transport, Security Experts Warn
A team of researchers has identified security weaknesses in both Visa and Apple Pay that could enable hackers to perform unlimited contactless payments without needing to unlock the device.
The vulnerability only affects iPhones that have a Visa debit or credit card set up in Express Transit mode in Apple Pay. Express Transit is a mode on the digital wallet that enables travellers to make quick contactless payments without unlocking their phone—for instance when touching in and out of ticket barriers on the London Underground or paying on buses.
The experts who identified the loophole, at the University of Birmingham and the University of Surrey, say they’ve made both Apple and Visa aware of it, but neither has fixed the flaw. They’re therefore urging commuters not to use Visa cards through Apple Pay to pay for transit.
“I’m genuinely concerned for consumers’ well-being. My advice to them is to make sure they don’t have a Visa card set up with Express Travel,” Dr Andreea-Ina Radu, first author of the study and lecturer in computer science at the University of Birmingham, said.
Other payment cards and digital wallets don’t share the security flaws. “[The problem] does not for instance... affect Mastercard on Apple Pay or Visa on Samsung Pay,” the researchers said.
So how could criminals siphon money from your locked phone? The paper’s authors are understandably coy about all the steps of a potential heist, not wanting to give criminals a blueprint.
In basic terms, they used a small, commercially available piece of radio equipment to trick iPhones into believing they’re interacting with a ticket barrier. Simultaneously, an Android phone runs an application developed by the researchers to relay signals from the iPhone to a contactless payment terminal. Because the iPhone believes it is paying at a ticket barrier, it doesn’t have to be unlocked.
Additionally, the researchers could modify the iPhone’s communications with the payment terminal to make it seem like the device has been unlocked and a payment authorised. This allows them to make high-value transactions—of £1,000 in the video demonstration—without needing to enter a PIN or use a fingerprint or Face ID.
Criminals could use these steps to drain accounts through lost or stolen phones—that’s the “most exploitable version” of the sting.
“Before [the owner] declare[s] the card or iPhone stolen and turn[s] them off remotely, you could make as many payments as you like using their phone without them having to unlock it,” said Dr Ioana Boureanu from the University of Surrey.
But criminals don’t need to snatch your phone. They could also attack devices stored in your bag, as long as they bring the radio equipment close enough, for instance by walking past you or standing near you. The payment terminal and Android phone don’t need to be close by for the heist to work.
“It can be on another continent from the iPhone as long as there’s an internet connection,” Dr Boureanu said.
The cybersecurity experts demonstrated the loophole by siphoning money out of their own accounts. There’s no evidence criminals are currently using it to steal money. But while the vulnerabilities exist, users should be cautious, they said.
“We’ve been in discussion with both Apple and Visa for a year or so... and they seem to be in disagreement on who should actually fix this issue. The bottom line is that the vulnerabilities remain unfixed for the users,” Dr Radu said.
Visa played down the threat. A spokesperson for the payment provider said: “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”