Giving Timur Yunosov, a Russian cybersecurity researcher with a predilection for exploiting weaknesses in payment gadgets, access to my Apple iPhone may have been a mistake. Yunosov was emptying my already depleted bank account, pushing it into overdraft, within minutes of providing it to him, by just touching the locked device onto a terminal.
Fortunately, Yunosov is a good hacker who works for Positive Technologies in Moscow (which is presently coping with the impact of US sanctions for suspected help to the Kremlin’s security forces). He quickly returned the money after showing the attacks, exposing long-known, unpatched weaknesses in an Apple Pay feature. This feature allows consumers to pay for transportation alternatives like the London Underground or New York subway with a simple touch and go. It can be done without having to unlock their phone.
A similar assault was demonstrated in September by researchers from the Universities of Birmingham and Surrey. They’d figured out how to trick a phone into believing it was making payments to a railway turnstile. In fact, it could be used on any form of retail terminal or one controlled by a hacker. It may allow money to flow directly into a criminal’s account.
But Yunosov wasn’t only demonstrating what might be done on an Apple iPhone; he also demonstrated an assault on a Samsung phone to Forbes. Though a bit more complicated, he could take a stolen Samsung with the tap-and-go function home and drain its money without having to unlock it. It’s not the same as his Apple hack. This might be used in a shop with a “man-in-the-middle” gadget. It would allow a locked smartphone to be used on a standard payment terminal. However, it still poses a risk to anyone who loses their Samsung mobile to a technically savvy thief.
The identical method used to compromise Apple Pay may have been used to compromise a Samsung Pay account linked to a MasterCard card up until June 2021. “However,” Yunosov continues, “they fixed the problem without ever informing me.”
Even when a phone’s battery dies and it is switched off, the tap-and-go capability is still available to criminals, just as it is to passengers. “If you use a Visa card with Apple Pay, someone might take your phone—even if it’s not charged—and go to a good Bond Street shop and buy items using your phone,” Yunosov subsequently added via email. The amount of data that can be transferred is infinite. In our demonstration, it was just a few pounds, but in a real-world attack, it might be thousands.
There are several clear limitations. The attacks can only be carried out if the attacker has physical access to the phone. And, while MasterCard and Google have taken efforts to solve the issues, Yunosov claims that the hacks only work when Visa cards are the default payment method for mobile transportation.
Apple, Visa, and MasterCard react
Samsung did not answer at the time of publication. Collectively, Apple and credit card firms do not feel these assaults constitute a significant threat in the real world.
“This is a danger with a Visa system,” an Apple representative said, “but Visa does not believe this form of fraud is likely to occur in the real world given the many levels of protection in place.” Visa has said that cardholders are covered by the company’s zero-liability policy in the unlikely event that an unauthorized payment is made.
“Visa cards linked to mobile wallets with transit capabilities are secure,” a Visa official explained. Contactless fraud techniques have been studied in the laboratory for over a decade. They have been proven impossible to use in the real world. Payments are protected by many levels of protection, and consumers benefit from Visa’s zero-liability guarantee. Visa takes all security risks seriously and is constantly evolving its payment security capabilities to protect cardholders from the most recent real-world threats.”
“Cardholders can be assured that paying with MasterCard is safe and secure; they are always protected whenever and wherever they choose to pay,” a MasterCard spokeswoman stated. Our top objective is to ensure the security of every MasterCard transaction. We employ cutting-edge technology in cyber, biometrics, and artificial intelligence. It detects and prevents fraud at every stage of the purchase process…… This academic scenario was brought to our attention through our responsible disclosure policy. While it was fairly restricted outside of a laboratory setting, we addressed the possible problem.”
Yunosov, on the other hand, feels the threat is still there and serious. Turning off the transport feature is the best safeguard for everybody involved.