Exploit In Apple Pay, Visa's 'Express Transit' Feature Can Allow Fraudsters To Steal Money From Locked iPhones, Say Researchers

Researchers say that large unauthorized payments can be made from locked Apple Inc (AAPL) iPhones by exploiting Apple Pay's "Express Transit" mode when it is set up to pay using a Visa Inc (V) card.

What Happened: Researchers showcased the exploit in a video where they made a contactless Visa payment of GBP 1,000 ($1,344) from a locked iPhone, BBC reported.

The weakness was reportedly discovered by researchers from the Computer Science departments of Birmingham and Surrey Universities.

The exploit involves the use of a phone running the Android operating system, made by Alphabet Inc (GOOGL, GOOG) subsidiary Google, and a small, commercially available piece of radio equipment, as per the BBC.

The researchers approached both Apple and Visa with their concerns nearly a year ago, but the problem has reportedly not yet been fixed.

Why It Matters: Express Transit allows commuters to pay for journeys using Express Travel — a feature that allows for payments without the need to unlock phones at public transit barriers.

The Android phone and payment terminal don’t need to be near the to-be-compromised iPhone. 

"It can be on another continent from the iPhone as long as there's an internet connection," said Ioana Boureanu of the University of Surrey.

Ken Munro, a security researcher with Pen Test Partners, told the BBC that the “greatest worry is for a lost or stolen phone. The crook doesn't have to be concerned about being spotted by others as they carry out the attack any more."

Visa said this type of attack was “impractical.”

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” said the payments processor.

Apple told the BBC, "We take any threat to users' security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.”

Researchers tested the exploit against Samsung Pay but it did not succeed. Mastercard Incorporated (MA) was also tested, but the attack was prevented, as per the BBC.

This month, Apple pushed out a critical security update for iPhone, iPad, Mac, and Apple Watch. The update was released after the University of Toronto’s Citizen Lab found an exploit dubbed “FORCEDENTRY.” 

The FORCEDENTRY exploit targets Apple's image rendering library and allows the targeted devices to be infected with NSO Group's Pegasus spyware.

Price Action: On Wednesday, Apple shares closed 0.65% higher at $142.83 in the regular session and rose nearly 0.4% in after-hours trading. On the same day, Visa shares closed almost 0.4% higher in the regular session at $226.68 and fell 0.19% in after-hours trading.
