Bugs in Apple Pay, Samsung Pay, and Google Pay allow unauthorized purchases
Positive Technologies researcher Timur Yunusov spoke at the Black Hat Europe conference, where he presented the details of his investigation into flaws in the Apple Pay, Samsung Pay and Google Pay mobile payment systems.
The vulnerabilities discovered allow a stolen smartphone to be used for unlimited purchases if a public transport payment mode has been activated on it, because that mode does not require the device to be unlocked. Until June 2021, such purchases could be made at any POS terminal, not only in public transport, and on the iPhone payment was possible even from a device with a discharged battery. Until 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, Face ID or PIN. Since then such an option has existed: the public transport schemes ("transit payment modes", or Apple's Express Transit Card mode).
During the experiments, the researchers steadily increased the amount of a single transaction, stopping at £101. Banks, however, usually do not impose additional limits or checks on payments made via Apple Pay and Samsung Pay, considering these wallets sufficiently secure, so the amount charged could be much higher.
As Yunusov notes, even the latest iPhones, including discharged ones, allowed payments at any POS terminal. All an attacker needs is a Visa card linked to the smartphone (with Express Transit mode enabled) and a positive balance on the account. Because mandatory Offline Data Authentication (ODA) was not in place at the time of the study, a stolen phone with a linked Visa card and transit mode enabled could be used practically anywhere in the world, at any POS terminal, with both Apple Pay and Google Pay, and with no limit on the amount.
For MasterCard cards, Positive Technologies specialists were able to reproduce a similar attack by exploiting a flaw found earlier by researchers from ETH Zurich (the Swiss Federal Institute of Technology in Zurich), but that flaw has since been fixed. As a result, to make payments from stolen phones with linked MasterCard and American Express cards, attackers currently need access to specially modified POS terminals.
In his talk, Yunusov gave payment system and mobile wallet developers recommendations that will help them counter such fraud. The issues identified include Apple Pay authentication and field validation problems, confusion between AAC and ARQC cryptograms, missing validation of the amount field in public transport schemes, missing integrity checks on the MCC (merchant category code) field, which applies to all three payment systems and wallets, Google Pay payments above the No-CVM limit, and others.
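To make the listed issues concrete, here is an added Python model (not code from Positive Technologies, Apple, Google or Samsung) that contrasts a locked-device transit policy with the flaws described above, namely an unbounded amount, a terminal-supplied MCC that is never checked, and an AAC being treated as an approval, against a hardened version with an amount cap, an MCC allowlist and an ODA requirement. The sample taps, the MCC allowlist, the £10 cap and the ODA flag are constructed assumptions for this example; real wallets enforce such checks in the secure element and at the issuer host, not in application code like this.

```python
"""Toy model of a mobile wallet's "transit mode" authorization policy.

Constructed illustration only; field names, the MCC allowlist, the amount cap
and the sample taps are assumptions for this example, not vendor behaviour.
"""
from dataclasses import dataclass

# Cryptogram types as encoded in EMV Cryptogram Information Data (CID), bits 8-7.
AAC = 0x00   # Application Authentication Cryptogram: decline
TC = 0x40    # Transaction Certificate: offline approval
ARQC = 0x80  # Authorization Request Cryptogram: send online to the issuer

# Merchant Category Codes treated as public transport (assumed allowlist).
TRANSIT_MCCS = {"4111", "4112", "4131", "4789"}
# Assumed per-tap ceiling for a locked-device transit payment, in pence (GBP 10.00).
TRANSIT_AMOUNT_LIMIT = 1000


@dataclass
class TerminalRequest:
    amount: int               # tag 9F02, minor currency units
    mcc: str                  # tag 9F15, as sent by the terminal (unauthenticated)
    device_unlocked: bool     # user verified with biometrics or PIN
    transit_mode_enabled: bool
    oda_supported: bool       # terminal and card perform Offline Data Authentication


@dataclass
class WalletDecision:
    cryptogram_type: int
    reason: str


def decide_flawed(req: TerminalRequest) -> WalletDecision:
    """Policy as described in the article: once transit mode is on, a locked
    device releases a cryptogram for any amount at any terminal."""
    if req.device_unlocked or req.transit_mode_enabled:
        return WalletDecision(ARQC, "released: user verified or transit mode")
    return WalletDecision(AAC, "declined: device locked")


def decide_hardened(req: TerminalRequest) -> WalletDecision:
    """Locked-device path gated by MCC allowlist, amount cap and ODA."""
    if req.device_unlocked:
        return WalletDecision(ARQC, "released: user verified")
    if not req.transit_mode_enabled:
        return WalletDecision(AAC, "declined: device locked, no transit mode")
    if req.mcc not in TRANSIT_MCCS:
        return WalletDecision(AAC, f"declined: MCC {req.mcc} is not transit")
    if req.amount > TRANSIT_AMOUNT_LIMIT:
        return WalletDecision(AAC, f"declined: {req.amount} exceeds transit cap")
    if not req.oda_supported:
        return WalletDecision(AAC, "declined: ODA required for locked-device transit")
    return WalletDecision(ARQC, "released: transit tap within policy")


def is_approval(d: WalletDecision) -> bool:
    """Terminal-side check: only TC or ARQC count as a go-ahead; an AAC must
    never be confused with an approval."""
    return (d.cryptogram_type & 0xC0) in (TC, ARQC)


# Constructed sample taps (amounts in pence).
LEGIT_TAP = TerminalRequest(250, "4111", False, True, True)          # GBP 2.50 at a gate
STOLEN_AT_SHOP = TerminalRequest(10100, "5411", False, True, False)  # GBP 101 at a grocer
STOLEN_SPOOFED_MCC = TerminalRequest(10100, "4111", False, True, False)
SPOOFED_MCC_SMALL = TerminalRequest(900, "4111", False, True, True)

if __name__ == "__main__":
    for name, req in [("legit tap", LEGIT_TAP), ("stolen at shop", STOLEN_AT_SHOP),
                      ("spoofed MCC, GBP 101", STOLEN_SPOOFED_MCC),
                      ("spoofed MCC, GBP 9", SPOOFED_MCC_SMALL)]:
        print(f"{name:22} flawed={decide_flawed(req).reason:45} "
              f"hardened={decide_hardened(req).reason}")
```

The last sample tap shows the limit of the MCC check on its own: because the MCC is supplied by the terminal and not authenticated, a modified terminal that claims a transit MCC still gets through the allowlist, so the amount cap and ODA requirement are what bound the loss per tap.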
Positive Technologies says it notified Apple, Google and Samsung of the problems in March, January and April 2021 respectively. The companies' specialists replied that they were not going to change their systems, but asked permission to share the researchers' findings with representatives of the payment systems. Unfortunately, the latter never contacted Positive Technologies.
Let me remind you that we also wrote about hackers stealing 1.5 million euros from a German bank by cloning customers' EMV cards.