iPhone users are at risk of losing thousands to hackers because of a flaw in the Apple Pay contactless service.
While Mastercard and American Express users are fine, Visa cards on Apple Pay's 'Express Travel' mode are at major risk of theft.
Researchers at the University of Surrey discovered that thieves can drain someone's bank account of thousands of pounds just by tapping a contactless terminal against a locked iPhone.
The hack exploits the 'Express Travel' mode, which is designed to allow easy contactless payments on public transport without any checks. It's used on Transport for London's Oyster network and many buses across the UK.
Researchers spoofed the signals from a public transport card reader, and used this to 'trick' iPhones into making the payment.
While most cards cap contactless payments at £45, Apple Pay has no limit. The research team was able to make a £1,000 payment just by tapping an iPhone against a terminal.
iPhones generally need a fingerprint, password, or facial recognition to verify purchases, but in this instance, Express Travel turns these features off.
The exploit doesn't work with other cards, or even other phones. The Express Travel mode has to be activated on purpose, so only those who have it turned on could be affected.
Researchers claim that both Visa and Apple are aware of the issue and could easily solve it, but decline to fix it.
Apple said that it is unlikely to be a real-world risk. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."
A spokesperson for Visa also said that its cards are still secure while connected to Apple Pay:
"Visa cards connected to Apple Pay Express Travel are secure and cardholders should continue to use them with confidence."
"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem."