Attackers need only a smartphone with an added credit card and enabled public transport schemes, Positive Technologies researcher Timur Yunusov said during the Black Hat Europe conference in London.
Prior to 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, facial ID, or PIN code. But today, paying without unlocking the device has become possible by using public transport schemes (or Apple's Express Transit mode).
According to Yunusov, vulnerabilities in Apple Pay, Samsung Pay, and Google Pay allow attackers to make unlimited purchases using stolen smartphones with enabled express transport schemes that do not require unlocking the device to make a payment.
“The main advantage of using public transport schemes is their convenience. Once you've added a payment card (Visa, Mastercard, or American Express) to your smartphone and activated it as a transport card, you can pay for trips on the subway or bus without unlocking your device. This feature is available, for example, in the US, the UK, China, and Japan. To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region. The stolen phones can also be used anywhere. The same is possible with Google Pay,” Yunusov explained.
Until June 2021, unauthorized purchases could be made at any Point of Sale (PoS) terminal, not only in public transport.
Until June, attackers could make unauthorized purchases in any PoS terminal, and since then, they can only make unauthorized purchases if they possess a special PoS terminal. These scenarios are extremely popular in Latin American countries, where gangs open malicious merchant accounts to drain money from stolen cards, Yunusov explained, answering a CyberNews request.
During the experiment, experts from Positive Technologies consistently increased the amount of a single payment, stopping at GBP 101. However, banks most often do not impose additional restrictions and checks for payments made via Apple Pay and Samsung Pay, considering these systems sufficiently protected, so the amount can be significantly higher.
Unauthorized payments can be made even if a phone’s battery is dead. According to Yunusov, due to the lack of offline data authentication (ODA), a stolen phone with an added Visa card and enabled public transport schemes can be used literally anywhere in the world at PoS terminals, for Apple Pay and Google Pay, without restrictions on amounts.
As for Mastercard, Positive Technologies tried and succeeded in performing the same actions using a flaw found by experts from ETH Zürich. The vulnerability was later eliminated. Today, attackers need access to specially modified PoS terminals to make payments using stolen phones with Mastercard and American Express cards.
Positive Technologies informed Apple, Google, and Samsung about the detected vulnerabilities. The companies told the researchers that they were not planning to make any changes to their systems, but asked permission to share the findings and reports with the payment systems, assuring the researchers that they would notify them.
Researchers also contacted Visa and Mastercard but haven’t received a response yet.
In September, another team of researchers from the UK's University of Birmingham and the University of Surrey published similar findings.