Researchers say that large unauthorized payments can be made on Apple Inc’s (NASDAQ: AAPL) locked iPhones by exploiting Apple Pay’s “Express Transit” — set up to pay using Visa Inc (NYSE: V) cards.
What Happened: Researchers showcased the exploit in a video where they made a contactless Visa payment of GBP 1,000 ($1,344) from a locked iPhone, BBC reported.
The weakness was reportedly discovered by the researchers from the Computer Science departments of Birmingham and Surrey Universities.
See also: How To Buy Apple (AAPL) Shares
The exploit involves the use of a phone running the Android operating system made by Alphabet Inc (NASDAQ: GOOGL) (NASDAQ: GOOG) subsidiary Google and a small commercially available piece of radio equipment, as per the BBC.
The researchers approached both Apple and Visa with their concerns nearly a year ago but the problem has not yet been reportedly fixed.
Why It Matters: Express Transit allows commuters to pay for journeys using Express Travel — a feature that allows for payments without the need to unlock phones at public transit barriers.
The Android phone and payment terminal don’t need to be near the to-be-compromised iPhone.
“It can be on another continent from the iPhone as long as there’s an internet connection,” said Ioana Boureanu of the University of Surrey.
Ken Munro, a security researcher with Pen Test Partners, told the BBC that the “greatest worry is for a lost or stolen phone. The crook doesn’t have to be concerned about being spotted by others as they carry out the attack any more.”
Visa said this type of attack was “impractical.”
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” said the payments processor.
Apple told the BBC, “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.”
Researchers tested the exploit against Samsung Pay but it did not succeed. Mastercard Incorporated (NYSE: MA) was also tested, but the attack was prevented, as per BBC.
This month, Apple pushed out a critical security update for iPhone, iPad, Mac, and Apple Watch. The update was released after the University of Toronto’s Citizen Lab found an exploit dubbed “FORCEDENTRY.”
FORCEDENTRY exploit targets Apple’s image rendering library and allows the devices targeted to be infected with NSO Group’s Pegasus spyware.
Price Action: On Wednesday, Apple shares closed 0.65% higher at $142.83 in the regular session and rose nearly 0.4% in the after-hours trading. On the same day, Visa shares closed almost 0.4% higher in the regular session at $226.68 and fell 0.19% in the after-hours trading.
Read Next: Apple Posturing On Security Researchers Questioned As It Resumes Legal Battle Against iPhone-Emulation Developer
© 2021 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.