Bugs in Apple Pay, Samsung Pay, and Google Pay allow unauthorized purchases

Positive Technologies expert Timur Yunusov spoke at the Black Hat Europe conference, where he presented details of investigating the bugs in the Apple Pay, Samsung Pay and Google Pay mobile payment systems.

Vulnerabilities that were discovered allow using stolen smartphones for unlimited purchases, if on them payment modes for public transport have been activated, as they do not require device unlocking. Until June 2021, purchases could be made at any POS-terminals, and not only in public transport. Even payment was available on the iPhone using a discharged device.

Until 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, face ID, or PIN. Now there is such an opportunity, and it is called public transport schemes (“modes of payment in public transport” or Apple’s Express Transit Card mode).

One of the advantages of transport modes in smartphones that it is ease of use. After user has linked his bank card (Visa, MasterCard or, for example, American Express) to his smartphone and activated it as a transport card, he can pay for travel on the metro or on the bus without unlocking the device. This function is available, for example, in the USA, UK, China, Japan. To carry out the attack, Samsung Pay and Apple Pay smartphones must be registered in these countries, but the cards can be from any other region. Stolen phones can also be used in any region. Similar actions can be performed using Google Pay.explains Timur Yunusov.
Timur Yunusov
Timur Yunusov

During the experiments, the researchers consistently increased the one-time write-off, stopping at £ 101. However, banks most often do not impose additional restrictions and checks when making payments using Apple Pay and Samsung Pay, considering these mobile payment systems to be quite secure, so the amount charged can be much higher.

As Yunusov notes, even the latest Apple iPhones, including discharged ones, allowed making payments at any POS-terminals. To do this, will be needed a Visa card connected to a smartphone (with activated express transport card mode) and a positive balance on the account. Due to the absence at that time of the study of mandatory offline authentication (ODA Offline Data Authentication), a stolen phone with a connected Visa card and activated transport mode could be used literally anywhere in the world, at various POS terminals, both on Apple Pay, and and on Google Pay, no limit on the amount.

As for MasterCard cards, Positive Technologies specialists were able to reproduce a similar attack, taking advantage of a flaw discovered earlier by experts from the Swiss Higher Technical School of Zurich, but later, this shortcoming was eliminated. Nevertheless, currently, in order to make payments on stolen phones with attached MasterCard and American Express cards, attackers will need access to specially modified POS terminals.

During his speech, Yunusov gave recommendations to developers of payment systems and mobile wallets that will help them better fight against such fraud. Issues identified include Apple Pay authentication and field validation issues, confusion in AAC / ARQC cryptograms, lack of amount field validation for public transport schemes, and lack of MCC field integrity checks (applies to all three payment systems and wallets), Google Pay payments above limits NoCVM and so on.

Positive Technologies says it notified Apple, Google and Samsung of the problems in March, January and April 2021, respectively. The specialists of these companies replied that they were not going to make any changes to their systems, but asked permission to share the conclusions of the experts with representatives of the payment systems. Unfortunately, the latter never got in touch with Positive Technologies.

Researchers say they tried to contact technical specialists at Visa and Mastercard, but received no response. It should be noted that at the end of September, some of the above conclusions were repeated and published by another team of researchers – from the universities of Birmingham and Surrey.

Let me remind you that we also wrote that Hackers stole 1.5 million euros from a German bank by cloning customer EMV cards.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button