    Expert exposes tap-to-pay flaw that can steal thousands from a locked iPhone
    Published 20:49 16 Apr 2026 GMT+1


    Hackers can steal thousands from your bank account just by standing near your iPhone, using an exploit that has been around for years

    William Morgan

    Featured Image Credit: YouTube/Veritasium

    Topics: iPhone, Apple, Crime


    Tapping your phone to pay for everything from riding the subway to groceries and even larger purchases has become a regular part of our everyday lives, but a major exploit has been around for years that can use this technology to empty your bank account.

    Though quite complicated to carry out, cybersecurity experts have identified a major flaw in the process through which your iPhone deploys this tap-to-pay feature, with this flaw even being exploitable when your device is locked and the screen is off.

    Educational YouTube channel Veritasium recently featured this terrifying contactless payment hack in a video, even extracting a whopping $10,000 from a test case's iPhone in just a matter of seconds using a couple of devices.

    This can happen to anyone who has linked a Visa card on their phone, with hackers only having to press a specialized card reader against your device to snatch thousands of dollars without you even noticing.


    Thousands of dollars could be drained from your bank account in a matter of seconds with the exploit (Getty Stock Images)

    The hack is classified as a 'man in the middle attack', as it depends on the thief intercepting a signal that would normally tell your phone that it is interacting with a mass transit terminal.

    These tap to pay card readers, often found at the entrance to subways or at bus terminals, are unique in the world of contactless card readers as they do not even require you to unlock your screen to pay for your journey.

    While this is very handy when you're rushing for public transport, ingenious cybersecurity experts have figured out how to capture the wireless signals put out by these transit terminals, which fools your iPhone into thinking it is making a travel payment, meaning you do not need to unlock it.

    Veritasium worked with two experts who discovered this flaw in Apple's tap to pay software to show off this exploit, explaining how a few minor changes in the computer binary that your iPhone uses to make a payment can allow hackers to take as much as they like, all while your phone is locked.

    Ioana Boureanu from the University of Surrey and Tom Chothia from the University of Birmingham first discovered this exploit by recording the data being emitted by mass transit terminals and then tweaking it.


    They realized that iPhone users with a Visa card set up on their phone were vulnerable to this exploit, while others were not, as a specific security flaw between the Apple product and the bank card allows them to charge any amount they like - so long as it is actually in that account.

    So, using a device that tricks a phone into thinking it is near a transit terminal, they were able to intercept the signal sent back by your phone and convince it that it was about to make a low-value payment. They had altered the binary so that putting through $10,000 would register as a small amount of money.

    This is not to say that this hack is simple: there are even more complicated steps that involve fooling Visa's encryption to allow the payment to go through, and reasons why it works.

    But it is worth remembering that, while this exploit is very real and has been known since 2021, it does require you to have two specific things to make it work - an iPhone and a registered Visa card for transit purposes.

    Furthermore, the technical setup for this scam is quite complex, requiring a specific type of card reader that is connected to a laptop, and a payment terminal to put through the bogus payment. This would likely require two people to pull off.

    It is not impossible that tech-savvy thieves could figure out this setup and even use it against people, but they would have to get close enough to press their hacking device against your iPhone to make the payment in the first place.

    Apple has been approached for comment.
