Cyber security researchers from the University of Birmingham and University of Surrey have revealed a flaw in Apple Pay and Visa’s systems which could allow fraudsters to bypass Apple’s security functions and make contactless payments.
The news has come as the tech giant prepares to up the contactless limit on the digital payment system from £45 to £100 in October - a move which has itself raised fraud concerns.
So what does this current Apple Pay vulnerability mean for consumers? And who is at risk of being impacted by the issue?
What is Apple Pay?
Apple Pay is a system which allows users of Apple devices including the iPhone and Apple Watch to make quick contactless payments.
It first rolled out in 2014 and has since amassed 383 million users worldwide, according to Statista.
A survey of 463 consumers by the statistics firm in the year to June 2021 found 63% had used Apple Pay, making it the most popular mobile payment system in the UK ahead of Google Pay (35%) and Samsung Pay (12%).
The system boasts “built in” privacy and security measures. For example, most transactions can only take place once the user has authenticated the payment using Apple’s fingerprint identification or facial recognition technology.
What is Apple Pay’s security flaw?
According to experts from the University of Birmingham’s School of Computer Science and the University of Surrey’s Department of Computer Science, hackers could bypass existing contactless limits, allowing transactions of any amount to take place.
The researchers found this activity could only occur when Visa cards were set up in Express Transit mode in an iPhone’s wallet.
This mode allows commuters to tap in at turnstiles on transport networks, such as the London Underground, without authenticating the payment - something Apple said has been designed to make travel “quick and easy”.
The universities said they could unlock Apple Pay by using a unique code broadcast by turnstiles, which they had identified using what they described as “simple radio equipment”.
Using this code, they were able to fool Apple Pay into thinking it was dealing with a turnstile rather than a shop card reader.
Who’s affected by Apple Pay’s vulnerability?
The researchers said they could use this method to take payments of any amount from unwitting users.
However, they added that the issue was confined to users of both Apple Pay and Visa, and did not affect any other combination of mobile payment system and card.
So, unless you have your Visa card stored in Apple Pay and set up to use Express Transit Mode, you don’t need to do anything.
The experts claimed those users who are at risk of being impacted are likely to be affected “indefinitely”.
This was because, in their discussions with Apple Pay and Visa, the researchers had found that while the “two industry parties each have partial blame”, neither was “willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely”, said Dr Andreea Radu, who led the research.
This claim was rejected by both Apple and Visa, who said they took all security threats “very seriously”.
What do affected users need to do to protect their money?
Dr Tom Chothia from the University of Birmingham, who co-authored the research, said: “iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it.
“There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”
Fellow co-author Dr Ioana Boureanu from the University of Surrey suggested some consumers ought to avoid Apple Pay altogether.
“We show how a usability feature in contactless mobile payments can lower security,” she said.
“But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which are both usable and secure.
“Apple Pay users should not have to trade off security for usability, but - at the moment - some of them do.”
Visa said its cardholders and those pairing its cards with Apple Pay “should continue to use them with confidence” as its studies into contactless fraud schemes over more than a decade had shown them to be “impractical to execute at scale in the real world”.
A message from the editor:
Thank you for reading. NationalWorld is a new national news brand, produced by a team of journalists, editors, video producers and designers who live and work across the UK. Find out more about who’s who in the team, and our editorial values. We want to start a community among our readers, so please follow us on Facebook, Twitter and Instagram, and keep the conversation going. You can also sign up to our email newsletters and get a curated selection of our best reads to your inbox every day.