Apple Pay and Visa: A bypass flaw would allow contactless payments

British academics have discovered mobile security issues in Visa and Apple’s payment mechanisms, which could lead to fraudulent contactless payments.

On Thursday, academics from the University of Birmingham and the University of Surrey in the UK revealed a technique that allows potential attackers to bypass an iPhone’s lock screen to access payment services and conduct contactless transactions.

A paper on this research, “Practical EMV Relay Protection”, is to be published at the 2022 IEEE Symposium on Security and Privacy. It was written by Andreea-Ina Radu, Tom Chothia, Christopher JP Newton, Ioana Boureanu, and Liqun Chen.

Transport Express

According to the paper, the “vulnerability” exists when a Visa card is configured in Transport Express mode in the Wallet of an iPhone. This mode exists for public transport users, in places where Apple Pay can be used to pay directly at the gates, so that users do not have to authenticate when passing through.

According to the researchers, the problem, which only applies to Apple Pay and Visa, is due to the use of a unique code – dubbed “magic bytes” – which is broadcast by public transport gates to unlock Apple Pay.

Using standard radio equipment, they were able to carry out a relay attack, “making an iPhone believe it was talking to a transit portal,” according to the team.

Using the “magic bytes”

The researchers carried out the experiment using an iPhone which had a Visa card, configured in Transport Express mode in the Wallet; a Proxmark, used as a reader emulator; an NFC-enabled Android phone, which served as a card emulator; and a payment terminal. The objective of the experiment was to see if it was possible to make a payment from a locked device to an EMV (smart payment) reader.

If the targeted card is nearby, the attack can be triggered by capturing and then broadcasting the “magic bytes”, then modifying a set of other variables, as explained below:

“When relaying EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, must be changed so that the bits (flags) for Offline Data Authentication (ODA) for Online permissions supported and EMV mode supported are enabled.”

“Offline data authentication for online transactions is a feature used in special readers, such as gateways to transit systems, where EMV readers may have intermittent connectivity and where online processing of a transaction cannot always take place. These modifications are sufficient to allow a transaction to be relayed to a non-transport EMV reader, if the transaction is less than the contactless limit.”

The attack has been demonstrated in this video. The experiment was performed with an iPhone 7 and an iPhone 12. Transactions above the contactless limit can also potentially be changed, but this requires additional value changes.

Who will take the responsibility?

The experiment is interesting, although in the real world, this attack technique is not necessarily feasible on a larger scale. It should also be noted that authorization protocols are only one layer of payment protection, and financial institutions often implement additional systems to detect suspicious transactions and mobile fraud. The overall level of fraud on Visa’s global network is recorded as less than 0.1%.

The researchers told ZDNet that they first contacted Apple on October 23, 2020. The team then contacted Visa in January, followed by a video call in February, and then a report was submitted to Visa’s vulnerability reporting platform on May 10, 2021. But, even after discussing “at length” with both parties, who recognize the flaw, they say the problem is still not fixed.

“Our work shows a clear example of a feature, intended to gradually make life easier, that backfires and has a negative impact on security, with potentially serious financial consequences for users,” comments Andreea-Ina Radu. “Our discussions with Apple and Visa revealed that when two parts of the industry each have partial responsibility, neither is ready to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

A flaw that is difficult to exploit in reality

In this regard, Visa replied: “Visa cards connected to Apple Pay in Transport Express mode are secure, and their holders can continue to use them with confidence. Variants of contactless fraud schemes have been studied in the lab for over a decade and have proven impractical to perform at scale in the real world. Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”

As for Apple, it had not yet answered our questions at the time of this article’s publication.

The research was conducted as part of the TimeTrust trusted computing project and was funded by the UK’s National Cyber Security Center (NCSC).

Source: ZDNet.com
