Attackers Need Only a Smartphone With an Added Credit Card and Enabled Public Transport Schemes
Positive Technologies researcher, Timur Yunusov spoke at Black Hat Europe in London today about vulnerabilities in Apple Pay, Samsung Pay, and Google Pay. The flaws allow attackers to make unlimited purchases using stolen smartphones with enabled express transport schemes that do not require unlocking the device to make a payment. Until June 2021, рurchases could be made at any PoS terminals, not only in public transport. On iPhones, payments could be made even if the phone's battery is emptied.
Prior to 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, facial ID, or PIN code. But today, it has become possible by using public transport schemes (or Apple's Express Transit mode). Between April 28 and May 25, 2019, more than 48.38 million train trips in London alone were paid for using contactless methods such as cards and mobile wallets. In 2018, New York subway passengers used contactless payments 3.37 billion times.
Timur Yunusov explains: "The main advantage of using public transport schemes is their convenience. Once you've added a payment card (Visa, Mastercard, or American Express) to your smartphone and activated it as a transport card, you can pay for trips on the subway or bus without unlocking your device. This feature is available, for example, in the U.S., the UK, China, and Japan. To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region. The stolen phones can also be used anywhere. The same is possible with Google Pay."
During the experiment, our experts consistently increased the amount of a single payment, stopping at GBP 101. However, banks most often do not impose additional restrictions and checks for payments made via Apple Pay and Samsung Pay, considering these systems sufficiently protected, so the amount can be significantly higher.
As Yunusov notes, even the latest iPhone models allowed us to make payments at any PoS terminal, even if a phone's battery was dead. This required a Visa card added to a smartphone with enabled Express Transit mode and a positive account balance.
According to Yunusov, due to the lack of offline data authentication (ODA), a stolen phone with an added Visa card and enabled public transport schemes can be used literally anywhere in the world at PoS terminals, for Apple Pay and Google Pay, without restrictions on amounts.
In his talk, Yunusov gave recommendations to developers of payment systems and mobile wallets to help better combat fraud related to lost and stolen smartphones. The identified flaws include problems with Apple Pay authentication and field validation, confusion in AAC/ARQC cryptograms, lack of amount field validation for public transport schemes and lack of MCC field integrity checks (which applies to all three payment systems and wallets), as well as Google Pay payments above No CVM limits.
Positive Technologies adheres to the principles of responsible disclosure: all of the vulnerabilities found are first made known to the software manufacturers. If a manufacturer does not reply us in writing within 90 days, we reserve the right to publish a part of our findings without mentioning information that would allow malefactors to exploit a discovered vulnerability.
Positive Technologies informed Apple, Google, and Samsung about the detected vulnerabilities in March, January, and April 2021, respectively. The companies informed us that they were not planning on making any changes to their systems but asked permission to share our findings and reports with the payment systems, assuring us they would notify them. We agreed, but no response was received from the representatives of the payment systems. Positive Technologies also tried to contact Visa and Mastercard technical specialists but never received a response. Meanwhile, in late September, another team of researchers from the UK's University of Birmingham and University of Surrey made and published some of the same conclusions previously made by Positive Technologies.
In 2017, Positive Technologies discovered security weaknesses in Apple Pay that could (and still can) allow fraudulent online payments using Apple Pay. In 2019, Positive Technologies researcher, Leigh-Anne Galloway and Tim Yunusov discovered flaws that allowed hackers to bypass the payment limits on Visa contactless cards and Google Pay mobile wallets with Visa cards. In 2020 and 2021, Positive Technologies reported vulnerabilities in Verifone, Ingenico, and PAX PoS terminals, some of which can be exploited remotely.