Researchers at the University of Birmingham and the University of Surrey have exposed security vulnerabilities in Apple Pay and Visa with the potential to let hackers bypass Apple Pay’s lock screen on iPhones and perform contactless payments.
The revelations of the security flaw in Apple’s digital payment system come after the Big Tech company said it would be increasing its spend limit to let users make contactless payments of up to £100 from 15 October.
The Apple Pay spend limit will see a whopping £55 increase from its current limit of £45.
But what do the revelations of Apple Pay’s security flaw mean for users – and who is impacted by it?
Here’s what we know so far.
What is Apple Pay?
Apple Pay was rolled out in October 2014 as an innovative way of letting users make contactless payments using Apple devices such as the iPhone and Apple Watch.
It is believed to be the most popular contactless digital payment system worldwide, with 383 million users worldwide and over 86 million in the UK alone.
In 2019, 18 per cent of UK adults had signed up to use mobile payment systems made available by smartphone producers such as Apple, Samsung and Google.
What is the Apple Pay security flaw?
Cyber security experts in the University of Birmingham’s School of Computer Science and the University of Surrey’s Department of Computer Science found that they could replicate the signal transmitted by transit gates, unlocking Apple Pay when the phone was actually being presented to a shop card reader.
This would allow payments of any amount to be automatically taken by fooling an iPhone into thinking that authentication has taken place – meaning that Express Transit users with Visa cards are at risk of losing thousands of pounds.
The cyber security researchers said that Apple and Visa had been warned about the exploitable issue but had not introduced fixes to resolve it.
Dr Andreea Radu of the University of Birmingham’s School of Computer Science led the research and said of Visa and Apple that “neither are willing to accept responsibility”.
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” Dr Radu said.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
Who is affected by the Apple Pay security issue?
The security issue unearthed by British academics only affects Visa cards used for Express Transit mode in iPhone’s digital wallet.
The mode allows commuters to make digital payments on ticket turnstiles at locations across the UK, such as at London tube stations, and can be accessed on iPhone lock screens without fingerprint authentication.
It does not affect any other combination of device and payment provider, researchers confirmed – with equivalent contactless mobile payment mechanisms such as Samsung Pay seeing no such issues.
Dr Ioana Boureanu, of the University of Surrey’s Centre for Cyber Security and co-author of the report, added: “We show how a usability feature in contactless mobile payments can lower security.
“But we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure.
“ApplePay users should not have to trade off security for usability, but, at the moment, some of them do.
“The weakness lies in the ApplePay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.”
What do I need to do about the Apple Pay security flaw?
Unless you are an Apple Pay user who makes use of the mobile payment software’s Express Transit mode with a Visa card, you do not need to do anything.
But researchers have warned that anyone who does use a Visa card for contactless travel payments in Express Transit mode should disable it.
“There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are,” said another University of Birmingham cyber security researcher.
Both Apple and Visa appear to have downplayed security concerns, with a spokesperson for Apple telling reporters: “We take any threat to users’ security very seriously.
“This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.”
A spokesperson for Visa said: “Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.
“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”