Apple Pay contactless hack poses a risk to consumers 

Over 383 million people now use Apple Pay as a form of payment. However, researchers have found that a hack affecting Apple Pay when it is used with Visa could put consumers at risk. 

In a video, the researchers show that a flaw in the Visa system means criminals could exploit an Apple Pay feature that’s designed to help users pay quickly. 

The “Express Transit” option is a feature that was aimed at commuters wanting to make fast contactless payments without unlocking their phones. 

But it also means someone could make a large contactless Visa payment on an iPhone or Apple Watch without having to open an app, unlock the device, or validate it with Touch ID, Face ID, or a passcode.

Despite Apple claiming the payments are secure and it’s unlikely this type of attack would take place, researchers say that there’s a weakness in the system that could be problematic. 

The researchers from the Computer Science departments of Birmingham and Surrey Universities demonstrated that fraud could take place in the following way: 

  • A small piece of radio equipment (which is commercially available) is placed near the iPhone that tricks the device into thinking there’s a ticket barrier. 
  • The application uses signals from the Apple device to the contactless payment terminal. 
  • The device believes it’s paying a ticket barrier, so it doesn’t need to be unlocked and the payment is already authorized without the need for a fingerprint, PIN, or Face ID. 

There’s currently no evidence that criminals are exploiting this weakness in the system. So far, it’s only been demonstrated by researchers to be possible. 

But the researchers point out that this needs to be fixed quickly, as it could be a worry for someone with a lost or stolen phone. 

In addition, it’s important that consumers are aware of the risks so they can take action. Anyone who loses their phone or believes it has been stolen should use Apple’s iCloud to immediately wipe their phone and block the Apple Pay feature to stop any payments. 

