Thursday, April 24, 2025
Hackers Can Bypassed Apple Pay & Contactless limit to Make Large Visa Payments With Locked iPhones

iPhone users can pay contactlessly with Apple Pay by unlocking their device and bringing it close to the payment terminal to initiate the transaction. Now, however, hackers have discovered a way to bypass the Apple Pay lock screen and the contactless limit, allowing large Visa payments to be made with locked iPhones.

Apart from this, Visa cards added to Apple devices can be enabled for a feature that lets users pay contactlessly without unlocking the phone.

This Apple Pay feature, supported by Visa, is intended to streamline payments at subway or bus turnstiles: the user simply brings the device close to the reader without having to unlock it or open the app.


Technical analysis

Contactless Europay, Mastercard and Visa (EMV) payments are among the fastest and easiest ways to pay, and they are now so widespread that they count as a standard payment method.

Apple Pay launched the “Express Transit/Travel” feature in May 2019; it allows Apple Pay to be used at a transport-ticketing barrier without unlocking the phone.

Here are the key points:

  • The Apple Pay lock screen can be bypassed on any iPhone that has a Visa card set up in transit mode.
  • To exploit this bug, a threat actor only needs a stolen, powered-on iPhone to carry out the attack.
  • The attack is made possible by a combination of flaws in both Apple Pay and Visa’s system.
  • The bug does not affect Mastercard on Apple Pay or Visa on Samsung Pay.
  • The researchers said their formal analysis shows that either Apple or Visa could mitigate the attack on their own.
  • For now, they recommend that users disable any Visa card set up in transit mode.

Apple Pay Transport Mode Attack

The Apple Pay transport mode attack is an active man-in-the-middle replay and relay attack. It requires an iPhone with a Visa card (credit or debit) set up as a “transport card.”

This attack needs close proximity to the victim’s iPhone: the attacker holds a device emulator near the phone, which is possible after stealing it or finding a lost phone.

Recommendation for Apple Pay Transport Mode Attack

The researchers disclosed this vulnerability to both companies, to Apple in October 2020 and to Visa in May 2021, but there is still no confirmation of which party will fix the bug.

In the meantime, experts recommend that users stop using a Visa card as a transport card in Apple Pay; if you lose your iPhone, activate Lost Mode and block your card by calling your bank.

Visa-L1 Attack

The Visa-L1 attack is a separate attack, directed against the protection Visa proposes against relay attacks. It is possible because the protocol’s security relies on a random value sent only from the card side, which can later be manipulated.

This attack can be carried out with a pair of NFC-enabled Android phones, though one of the devices needs to be rooted.

Recommendation for Visa-L1 Attack

This flaw has also been reported to Visa, which confirmed that the Visa-L1 protocol is not yet implemented in commercial cards, so users should not be affected.

Such threats are serious because the vulnerability concerns the Visa system itself. However, Visa does not accept that this kind of fraud can take place in the real world, given the multiple layers of security in place.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
