Security flaw sees Apple Pay Express Transit users exposed to attackers
Researchers at the Universities of Surrey and Birmingham in the UK have exposed a security flaw in Apple’s touch-and-go Apple Pay Express Transit feature, which could see large unauthorized contactless payments taken from a locked iPhone set up with a Visa card.
Apple Pay Express Transit launched in the UK in late 2019 on the London Underground. Express Transit allows commuters to pay for their journey using Apple Pay, without the need for Face ID or Touch ID authentication like regular Apple Pay transactions. Users simply hold their phone over the contactless readers at the station, even when the battery on their iPhone has died, to pay for their journey.
According to the researchers, the flaw lies in the Visa contactless system and could allow hackers to place a commercially available piece of radio equipment near the ticket barrier and take large unauthorized payments from users.
The hack involves a custom-developed Android app, which relays signals to and from the radio equipment to complete the rogue transactions.
To demonstrate the exploit, the researchers produced a video showing a contactless Visa payment of £1,000 taken from a locked iPhone.
Speaking with the BBC, Apple said the security flaw is down to Visa and not Apple Pay itself. “This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place,” said an Apple spokesperson. “In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
How To Turn Off Apple Pay Express Transit
- Open the Wallet app on iPhone and tap your bank card
- Press the three dots in the top right corner of the screen and select Express Travel settings
- Under Payment Options, select None