Apple and Visa downplay Express Transit security flaw in Apple Pay

Apple Pay Japan Big
Apple Pay Japan Big (Image credit: Apple)

What you need to know

  • A new security flaw has been discovered in Apple's Express Transit Apple Pay mode when using a Visa card.
  • Research claims it can be used to make unauthorized payments and bypass the contactless limit.
  • Apple and Visa have downplayed the issue.

New security research claims that a flaw in Apple's Express Transit Apple Pay mode can be used to make unauthorized Visa card payments and bypass the contactless limit.

Researchers from the Computer Science departments at the Universities of Birmingham and Surrey in the UK have published their findings into how an active Man-in-the-Middle replay and relay attack could be used to bypass the Apple Pay lock screen for any iPhone with a Visa card set up in transit mode. The paper states:

The Apple Pay lock screen can be bypassed for any iPhone with a Visa card set up in transit mode. The contactless limit can also be bypassed allowing unlimited EMV contactless transactions from a locked iPhone. An attacker only needs a stolen, powered-on iPhone. The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge. The attacker needs no assistance from the merchant and backend fraud detection checks have not stopped any of our test payments.

The researchers even have their own video of a £1,000 payment being taken from a locked iPhone using a standard EMV reader you would find in any store on the high street. The researchers claim the attack "is made possible by a combination of flaws in both Apple Pay and Visa's system," so it wouldn't work with another card like Mastercard, or with Visa on any other platform such as Samsung or Google Play.

The researchers say either Apple or Visa "could mitigate this attack on their own" but having presented the information "months ago" claim neither have fixed the system and that the vulnerability remains live. In fact, the research recommends "that all iPhone users check that they do not have a Visa card set up in transit mode, and if they do they should disable it."

According to the BBC Apple says the problem lies with Visa and was "a concern with the Visa system." It further stated:

"We take any threat to users' security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place"."In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy".

Visa reportedly said that the type of attack detailed by the research was "impractical" and that "Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence." It further stated, "variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world".

One of the researchers, Dr. Andreea Radu, told the outlet that whilst the attack had a high degree of technical complexity "the rewards from doing the attack are quite high" and could become a real issue in a few years if unaddressed.

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9

2 Comments
  • This is not a default setting and it even warns you of the risk if you enable it. It allows your phone to mimic contactless proximity transactions I'm not sure why you'd want to tbh and I don't suspect anyone has found it...
    If you leave your phone as intended, touchID or FaceID security is in place and there is no risk.
    Unsurprisingly, it was a feature requested by corporates who think it's too hard for their customers to use TouchID.
  • The reason for enabling that function is that in most large cities, adding a transit pass to the Apple Wallet is simply not possible. This is because the transit companies are all "silos" (not connected to each other) and each generally has either a *physical* card system only, or it's own home grown app. Those apps tend to be incompatible with Apple Wallet. In my city for example, we transitioned to contactless transit cards a long time ago. The old-style paper tickets haven't even *existed* for many years. But we can't put our transit cards into Apple Wallet until the entire system and all it's software is rebuilt from scratch to match up with whatever Apple is doing. That will be almost certainly be at least four or five years from now. Each Transit Authority in each city faces the same problem. People want to "beep" their phones instead of buying the transit card, either becuase they are Apple-heads or they just want to or whatever and currently the only way to do that is by using a credit card instead. VISA being the most popular choice of course. Apple simply hasn't made it very easy for transit companies to add stuff to Apple Wallet. That's the real story.