Security Exploit Could Allow Hackers to Steal Money via Apple Pay Express Transit from Locked iPhones

BY Chandraveer Mathur

Published 30 Sep 2021

Security researchers have discovered a new vulnerability with Visa cards that allows hackers to withdraw money from them when they are set as the default card for Express Transit in Apple Pay (called Express Travel in the UK).

The Express Transit feature on Apple Pay allows contactless transactions for public transport such as the London Underground. Since the transaction values are usually small and the daily transaction limit is capped, Express Transit does not require the user to authenticate transactions using Face ID or Touch ID. This also saves time and enhances convenience when tapping in and out at the train gates.

In a demonstration of the new vulnerability shared by The Telegraph, a hacker could trick this contactless system to perform arbitrary transactions and steal money from a locked iPhone without the user’s knowledge. However, for this to work, the hacker would need to be in physical possession or proximity of the victim’s device.

The researchers demonstrated that by mimicking a signal from a public transport terminal, the victim’s iPhone could be coerced into paying the hacker. However, the security researchers demonstrating this vulnerability were also able to bypass the cap on the maximum value of transactions and were able to process a £1,000 payment, all without requiring the victim’s authentication.

Apple noted that the fault is with Visa’s systems. The company added that any unauthorized payments would be covered by Visa’s zero liability policy.

“Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence,” a Visa spokesperson said. They added that variations of contactless fraud schemes have been studied in laboratory settings for over a decade and have “proven to be impractical to execute at scale in the real world.” The Visa spokesperson claimed that the vulnerability’s discovery did not mean people were at risk.

Although Apple is passing the blame over to Visa and Visa believes that customers are still secured, the exploit is specific to Visa cards set as the default for Express Transit on Apple Pay. Pairing a MasterCard or American Express card to Express Transit doesn’t put the user at risk.