Thursday, March 28, 2024

Hackers Can Bypassed Apple Pay & Contactless limit to Make Large Visa Payments With Locked iPhones

iPhone users can utilize Apple Pay to pay contactless for their purchases, and users can do this by unlocking their device and drawing it closer to the dataphone to initiate the transfer. But, now hackers have discovered a new way to hack Apple Pay and contactless limit to make large Visa Payments with locked iPhones.

Apart from this, it has a feature of Visa in which Visa gets enabled in Apple devices, that enables the users to pay outwardly contact and without unlocking the mobile.

This feature of Apple Pay is acquired by Visa, and it serves to streamline payments at the subway or bus turnstile, and it also enables the user to simply bring their device closer outwardly having to unlock it or open the application.

Technical analysis

While the contactless Europay, Mastercard, and Visa (EMV) payments are one of the fastest as well as the easiest ways to make payments. And nowadays, people mostly prefer paying by all this because it counts as a standard way to pay.

Not only this, Apple Pay launched the “Express Transit/Travel” feature in May 2019, and this feature enables Apple Pay to be applied at a transport-ticketing barrier station without unlocking the phone.

Here are the key points:-

  • The Apple Pay lock screen can be avoided by any iPhone but it must have a Visa card set up in infiltration mode.
  • To exploit this bug a threat actor only requires a stolen, powered-on iPhone, to carry the attack.
  • This kind of attack is made attainable by a mixture of flaws in both Apple Pay and Visa’s system.
  • This bug does not affect these instances, Mastercard on Apple Pay or Visa on Samsung Pay.
  • The researchers said that they have found some formal information that shows that either Apple or Visa could mitigate this attack on their own.
  • For now, they have recommended users disable the Visa card set up in transit mode.

Apple Pay Transport Mode Attack

Apple Pay Transport mode attack is quite an active Man-in-the-Middle replay and relay attack. In this attack, the threat actors need an iPhone that must have a Visa card (credit or debit) set up as a “transport card.”

This type of attack requires close concurrence to the victim’s iPhone. And this attack can be achievable by holding the devices emulator near to the iPhone, and it can be done by stealing it or by finding a lost phone.

Recommendation for Apple Pay Transport Mode Attack

This vulnerability has been revealed already by the researchers to both companies, while to Apple in Oct 2020, and Visa in May 2021. But, still, there is no confirmation that which party will fix this bug.

However, experts have recommended users stop using the Visa as a transport card in Apple Pay, and if you have lost your iPhone then activate the Lost Mode, and also block your card by calling your bank.

Visa-L1 Attack

The visa-L1 attack is another attack, and this attack is done against Visa’s offered protection upon relay attacks. The Visa-L1 attack generally depends upon the inability of the threat actor.

Not only this but this kind of attack is possible just because of the protocol’s security that generally relies on a casual value send only from the card side, and it can later be manipulated.

Apart from this, this attack can be carried out with a pair of NFC-enabled Android phones, but, in this case, one of the devices needs to be rooted.

Recommendation for Visa-L1 Attack

This flaw is already reported to Visa, and they have affirmed that the Visa-L1 protocol is not yet implemented in commercial cards, so that’s why users should not be affected.

These kinds of threats are quite dangerous, as this kind of vulnerability concerns the Visa system. However, Visa does not accept that this type of scam can take place in the real world given the multiplied layers of security that are in the process.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles