Researchers have found a dangerous new hack that can allow cyber criminals to use people’s phones to steal money from them using “contactless payments”. You may ask yourself why that is in quotation marks. It’s because that is what the phone thinks it is doing, when in fact it is being tricked by some very clever and nasty hardware.
When scientists demonstrated this attack, they used money from their own accounts. Put very simply, this is how the attack works:
The demonstration video seen by the BBC showed a Visa payment of £1000 being made without the phone owner’s authorisation.
However, even though the device was near the phone in the demonstration, Dr Ioana Boureanu from the University of Surrey says this doesn’t need to be the case. “It can be on another continent from the iPhone as long as there’s an internet connection”.
There is no evidence as yet that criminals are exploiting this hack, but it is now common knowledge in the cybercriminal world that it is a possibility, meaning that it might not be long before they are. It is mainly Apple Pay and Visa that are vulnerable to these sorts of attacks. Researchers tested it with Samsung Pay and Mastercard but found that they could not be exploited in this way.
The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy, and hopefully Apple and Visa will be working to remove these vulnerabilities in their systems as soon as possible. They are lucky the hack was found by researchers before cyber criminals were able to exploit it, or else it could have caused some serious damage to their customers.