Contactless payment exploit "taxing" to all involved

19th October 2021

Researchers have found a dangerous new hack that can allow cyber criminals to use people’s phones to steal money from them using “contactless payments”. You may ask yourself why that is in quotation marks. It’s because that is what the phone thinks it is doing, when in fact it is being tricked by some very clever and nasty hardware.

When scientists demonstrated this attack, they used money from their own accounts. This is how the attack works, put very simply:

  • A small piece of radio equipment, which anyone can buy commercially, is placed near an iPhone and makes the phone believe it is paying at a ticket barrier. Because of this, the phone won’t need to be unlocked by its owner.
  • Meanwhile, an Android phone running an application developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal. The terminal can either be in a shop or under the criminal’s control.
  • Once this is done, the communications allow the criminals to trick the iPhone into thinking the payments have been accepted without the use of a PIN, fingerprint or Face ID. This allows them to make high-value transactions.

The demonstration video seen by the BBC showed a Visa payment of £1000 being made without the phone owner’s authorisation.

However, even though the device was near the phone in the demonstration, Dr Ioana Boureanu from the University of Surrey says this doesn’t need to be the case. “It can be on another continent from the iPhone as long as there’s an internet connection”.

There is no evidence as yet that criminals are exploiting this hack, but it is now common knowledge in the cybercriminal world that it is a possibility, meaning that it might not be long before they are. It is mainly Apple Pay and Visa that are vulnerable to these sorts of attacks. Researchers tested it with Samsung Pay and Mastercard but found that they could not be exploited in this way.

The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy, and hopefully Apple and Visa will be working to remove these vulnerabilities in their systems as soon as possible. They are lucky the hack was found by researchers before cyber criminals were able to exploit it, or else it could have caused some serious damage to their customers.
