| Last updated
Experts are urging iPhone users to remove any Visa cards from their Wallet app or Apple Pay, as a glitch could lead to criminals making unlimited contactless payments.
Researchers at the University of Birmingham and the University of Surrey have warned the new Express Transit mode could now be exploited by fraudsters to make payments from an iPhone inside someone’s bag.
The Express Transit mode is a feature implemented by Apple to allow users to tap in and out of transport systems without needing to unlock their device.
Researchers were able to ‘trick’ an iPhone into believing it was communicating with a transit gate, when it was actually using a common card payment reader used by shops, simply by using inexpensive radio equipment.
Fraud detection checks were also unable from stopping the payments from going through.
The weakness is not thought to affect other digital card combinations, such as Mastercard in iPhones or Visa on Samsung Pay.
Dr Tom Chothia, co-author of the study, from the University of Birmingham, said of the research: “iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it.
“There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are.”
Researchers claimed to have shared their findings with both Apple and Visa, but both are currently in disagreement over who should fix the issue.
A spokeswoman for Visa told the Independent: “Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.
“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
Meanwhile, an Apple spokesperson said: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
Full results of the study will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.
Chosen for YouChosen for You
Most Read StoriesMost Read