How hackers can drain your bank account with Apple and Samsung tap-and-pay apps
Perhaps it was unwise to relinquish control of my iPhone to Timur Yunosov, a Russian cybersecurity researcher who has developed a penchant for exploiting vulnerabilities in payment devices. Within minutes of handing it to him, Yunosov drained my already empty bank account, taking it into an overdraft, by simply tapping the locked device on a terminal.
Fortunately, Yunosov is a benevolent hacker who plies his trade with Moscow-based Positive Technologies (which is currently dealing with the fallout from US sanctions over alleged assistance to the Kremlin’s security agencies). He sent the money back not long after showing off the hacks, proving long-known, still unpatched vulnerabilities in an Apple Pay feature that lets people pay for transport options like the London Underground or New York transit with a quick tap and go, with you need not unlocking the phone.
Back in September, researchers at the universities of Birmingham and Surrey demonstrated the same attack as Yunosov. They had found a way to trick a phone into thinking it was allowing payments at a train turnstile, when in fact they could be used at any type of retail terminal, or one controlled by a hacker who could feed money straight into a criminal’s bank account.
But Yunosov didn’t just show what could be done on an Apple device, he also showed Forbes an attack on a Samsung phone. Although he was a little more complicated, with a stolen Samsung that uses the tap-and-go feature, he could take it home and drain it for money without having to unlock it. It’s not the same as his Apple hack, which might as well work in a store, with a so-called “man-in-the-middle” device that allows a locked device to be used at a regular payment terminal. But it still represents a threat to anyone who loses their Samsung device to a tech-minded crook.
The same method used to crack Apple Pay could have been used with a Samsung Pay account linked to a MasterCard until around June 2021. “But at some point they solved the problem quietly and didn’t inform me,” says Yunosov.
Just as it is for travelers, for criminals, it has the added benefit of the tap-and-go feature continuing to work when a phone has run out of battery and turned off. “If you use a Visa card on Apple Pay, anyone can take your phone – even uncharged – go to a luxury store on Bond Street and buy something with your phone,” Yunosov later explained to me over online messages. And there is no limit to how much can be transferred. In our demo it was only a few pounds, but it could run into the thousands in a real attack.
There are some obvious caveats. The hacks only work if the attacker has physical access to the phone. And since MasterCard and Google have taken some steps to address the issues, the hacks only work where Visa cards are the standard for mobile transport payments, says Yunosov.
Apple, Visa, MasterCard respond
Samsung had not commented at the time of publication. Overall, Apple and the credit card companies don’t think there’s much of a threat from these attacks in the real world.
An Apple spokesperson said: “This is a concern with a Visa system, but Visa does not believe this type of fraud is likely to occur in the real world given the many layers of security in place. In the unlikely event that an unauthorized payment occurs, has Visa made it clear that its cardholders are protected by Visa’s zero liability policy.”
A Visa spokesperson added: “Visa cards linked to mobile wallets with transit capabilities are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have proven to be impractical to execute at scale in the real world. Multiple layers of security are used to protect payments and consumers benefit from Visa’s zero-liability guarantee. Visa takes all security threats seriously and continuously develops its payment security features to protect cardholders from the latest real-world threats world.”
A MasterCard spokesperson said: “Cardholders can rest assured that payments with MasterCard are safe and secure; they are always protected whenever and wherever they choose to pay. Our fundamental priority is to deliver security in every MasterCard transaction. We use the the latest technologies across cyber, biometrics and AI to identify and stop the threat of fraud at every stage of the purchase process. . . . This academic scenario was brought to our attention via our Responsible Disclosure Program and although extremely limited outside a laboratory environment, we have addressed the potential problem.”
However, Yunosov believes the threat remains and is real. For all concerned, the best protection is simple: turn off the transport function.