How your phone settings could let hackers steal thousands of pounds

A shopper uses the mobile payment service Apple Pay at a supermarket. Photo: Jon Nazca/Reuters

Apple (AAPL) and Visa (V) have denied that there are any significant security problems with one of Apple Pay's features, after researchers exposed a hack that could potentially cost consumers thousands of pounds.

In a video seen by the BBC, researchers showed how they exploited a gap in Apple Pay and Visa's security systems, making a £1,000 ($1,344) payment from a locked iPhone.

The problem is said to be built into how Visa cards are set up in Express Transit mode on an iPhone. This feature lets commuters make quick contactless payments without unlocking their phone. 

Researchers from the Computer Science departments of Birmingham and Surrey uncovered the alleged weakness. 

Visa told Yahoo Finance UK that this hack would be "almost impossible to execute" in a real environment and that authorisation is just one level of how Visa payments are protected. 

A Visa spokesperson said: "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence.

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."


The researchers who carried out the study told the BBC there was no evidence this specific hack, which was tested in the "lab", is being used in the outside world.

The researchers also tested Samsung Pay and Mastercard but found these security systems prevented the attack. 

Volumes of contactless payments have skyrocketed since the beginning of the coronavirus pandemic, as people switched from potentially disease-spreading cash to these types of payment. Recently, the UK government waved through increasing the contactless payment limit to £100, a measure that kicks in mid-October.

How it works

Put simply, the hack works through a small and commercially available device being placed near the phone — this radio-operated device tricks the phone into thinking it is dealing with a ticket barrier for travel. 

The fact the iPhone thinks it is dealing with a ticket barrier means it does not need to be unlocked. 

While this process is happening, the iPhone is fooled into thinking payments are being authorised, allowing high-value transactions to be made without using any verification method.


An Apple spokesperson said: "We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. 

"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy."

Zero liability means that if your Visa Debit card is lost or stolen and fraudulent activity occurs, you are protected. That means "100% protection for you", according to Visa's website. Protection applies whether purchases occur online or off.
