One system, somewhat difficult to replicate, has managed to bypass the security of Apple Pay and Visa.
A security investigation by academics at the University of Birmingham in the UK and the University of Surrey has detected a problem in Apple Pay with Visa cards that would supposedly allow, make payments with a user’s card without having to identify yourself with Face ID or with the unlock code. This only happens with the express card that you have configured.
The express card can be configured from the iOS Apple Pay Settings and allows us to use one of our cards without the need for authentication in public transport. The goal is to save time when entering and exiting the subway or bus. But for this to work, the public transport payment terminal must meet a series of characteristics.
This investigation has made it possible for a hacker to create a dummy payment terminal that mimics the behavior of a public transport terminal, allowing the Apple Pay Express Transit card to be activated and being able to carry out operations without a money limit. They say they were able to make a £ 1,000 transaction on a locked iPhone, without the need for any authentication.
Apple has argued that the fault lies with the Visa system and that, furthermore, any unauthorized payments are covered by Visa’s zero liability policy. For its part, Visa says that “variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven impractical to run at scale In the real world”.
Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.
This error is specific to Visa cards. Apple Pay Express Transit with a Mastercard or American Express Cards is not vulnerable. Still, let’s hope it’s something that Visa fixes, even though the company says we shouldn’t worry, the fraud rate in Visa’s global network is below 0.1% and companies have instruments to cancel these types of suspicious transactions.
Related topics: Apple Pay
Join our Telegram channel @iPadizate
Follow us on Facebook ipadizate.blog