Vulnerabilities in Apple Pay, Samsung Pay and Google Pay allow attackers to make unlimited purchases using stolen smartphones enabled with express transport schemes.
To speed up the ticketing process, express transport scheme terminals don’t request an immediate online authorization, according to a research report by Positive Technologies that was presented at Black Hat Europe on Wednesday.
“The flaws allow attackers to make unlimited purchases using stolen smartphones with enabled express transport schemes that do not require unlocking the device to make a payment. Until June 2021, purchases could be made at any PoS terminals, not only in public transport. On iPhones, payments could be made even if the phone’s battery is emptied,” Timur Yunusov, a researcher from Positive Technologies, tells Information Security Media Group.
According to the report, the feature is available in the U.S., the U.K., China and Japan.
“To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region. The stolen phones can also be used anywhere. The same is possible with Google Pay,” Yunusov states.
Spokespersons for Apple, Samsung and Google Pay were not immediately available to comment.
Yunusov says that prior to 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked using a fingerprint, facial ID or PIN code. But now, he says, it is possible to use a locked phone by using public transport schemes or Apple’s Express Transit mode.
“Between April 28 and May 25, 2019, more than 48.38 million train trips in London alone were paid for using contactless methods such as cards and mobile wallets. In 2018, New York subway passengers used contactless payments 3.37 billion times,” Yunusov notes.
Yunusov says it’s hard to confirm if any of the payment-related vulnerabilities were exploited in the wild, since banks do not share this information unless it’s a high-profile case.
According to the report, the main advantage of using public transport schemes is their convenience: Upon adding a payment card such as Visa, Mastercard or American Express to a smartphone and activating it as a transport card, one can pay for trips on the subway or bus without unlocking a device (see: Apple Pay-Visa Vulnerability May Enable Payment Fraud).
While investigating the flaw, Yunusov and his fellow researchers – Artem Ivachev and Aleksei Stennikov – increased the amount of a single payment, stopping at GBP 101 ($135.18). They say banks do not impose “additional restrictions and checks for payments made via Apple Pay and Samsung Pay, considering these systems sufficiently protected, so the amount can be significantly higher.”
Yunusov says the latest iPhone models allowed the researchers to make payment at any PoS terminal, even after the phone’s battery was dead. The models did require a Visa card to be added to a smartphone with enabled Express Transit mode and a positive account balance, he added.
“Due to the lack of offline data authentication (ODA), a stolen phone with an added Visa card and enabled public transport schemes can be used literally anywhere in the world at PoS terminals, for Apple Pay and Google Pay, without restrictions on amounts,” Yunusov notes.
The researchers were able to perform the same actions with a Mastercard, using a flaw found by ETH Zürich that they say was later eliminated. Now, the researchers say that the attackers need access to specially modified PoS terminals in order to make payments using stolen phones with Mastercard and American Express cards.
While explaining the flaws, Yunusov told ISMG that the root of all attacks is flaws in Europay, Mastercard and Visa – or EMV specification – and how mobile wallets such as Apple, Samsung and Google and tokenization services such as Visa and Mastercard interpret the specification differently.
One of the new attacks against EMV that the researchers discovered is the Cryptogram Confusion Attack, which uses different views on the cryptogram type from mobile wallets and cards from one side and authorization hosts from another.
”For this attack hackers take the payment cryptogram that is created by the mobile wallet to decline the transaction and use them to actually authorize NFC transactions,” Yunusov notes.
The researchers say that GPay allows high-value payments on locked phones using Visa cards and the cloning of Mastercard cards and that Google’s Android Security Team told them that it is aware of the issues but is not going to implement any fixes as the team expects to have some mechanisms to counteract the attacks.
“In 2019, after our first submission, they were sharing that they are planning to implement some changes, but no changes were implemented so far,” Yunusov notes.
Yunusov says his team informed Apple, Google and Samsung about the detected vulnerabilities in March, January and April 2021, respectively, and the companies said they were not planning on making any changes to their systems, but asked for permission to share the findings and report with the payment systems.
The researchers say they tried to contact Visa and Mastercard technical specialists but never received a response. In late September, a team of researchers from the University of Birmingham and the University of Surrey in the U.K. reached some of the same conclusions and published them.
Yunusov recommends passengers to be careful while using a transport/transit scheme with their phones.
“GPay allows payments on locked devices ‘by design’ so it’s even more dangerous,” he says. “But the overall answer: I would just recommend to keep a close eye on your transactions. And if you lose your phone, block all the cards issued on the mobile wallet and especially the one that is set by default, as it would be extremely hard to prove to the bank that you didn’t commit fraudulent transactions if they occur.”