A spectacular demonstration, led by YouTubers Veritasium and Marques Brownlee, brought a particularly worrying vulnerability to the forefront. By exploiting a feature of Apple Pay, they managed to simulate a theft of $10,000 on a fully locked device. This maneuver, although complex to implement, exposes a very real risk for a specific category of users who are often unaware of its existence.
How does a simple transportation feature become a gateway?
The problem lies in the “Transport Express” mode of Apple Pay. Designed to simplify the lives of users on public transport, this option makes it possible to validate a transport ticket without having to authenticate via Face ID or a passcode. It is precisely this convenience that is abused by attackers.
Using an interception technique known as “man in the middle”, hackers use specialized equipment to make the device believe that it is interacting with a simple transport terminal. The signal is actually diverted, modified on the fly, then sent to a real payment terminal, thus authorizing an unsolicited transaction of a large amount via this impressive security hole.
Why does this vulnerability only affect certain users?
This attack only works under very specific conditions and therefore does not threaten all owners of an Apple smartphone. It exclusively targets iPhone users who have configured a Visa network bank card in the “Transport” section of their Apple Wallet digital wallet.
Other systems and networks seem better protected against this scenario. Samsung devices, for example, check the numeric value of the transaction even in transport mode and systematically block any amount greater than zero. For their part, Mastercard cards incorporate an additional layer of security, asymmetric encryption, which prevents data manipulation and makes the attack ineffective.
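The amount check described above for Samsung devices can be modelled as a small decision function. This is an added example, not code from Apple, Samsung or Visa; the field names, both policy functions and the sample taps are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass(frozen=True)
class TapRequest:                  # hypothetical model of one contactless tap
    claims_transit: bool           # reader presents itself as a transport terminal
    amount: str                    # amount field as received, treated as untrusted
    user_authenticated: bool       # Face ID or passcode completed for this tap

def lenient_policy(req: TapRequest) -> bool:
    """Trusts the transport claim alone: the convenience the page says is abused."""
    return req.claims_transit or req.user_authenticated

def amount_checked_policy(req: TapRequest) -> bool:
    """A transport claim skips authentication only for a zero-value tap."""
    if req.user_authenticated:
        return True
    try:
        amount = Decimal(req.amount)
    except (InvalidOperation, TypeError):
        return False               # fail closed on a missing or unparsable amount
    return req.claims_transit and amount.is_finite() and amount == 0

# Constructed sample taps (not captured data).
SAMPLES = {
    "gate_tap":        TapRequest(True,  "0.00",     False),
    "relayed_payment": TapRequest(True,  "10000.00", False),
    "shop_with_auth":  TapRequest(False, "25.00",    True),
    "shop_no_auth":    TapRequest(False, "25.00",    False),
    "malformed":       TapRequest(True,  "",         False),
}

def evaluate(samples=SAMPLES):
    """Return {name: (lenient decision, amount-checked decision)}."""
    return {name: (lenient_policy(r), amount_checked_policy(r))
            for name, r in samples.items()}

if __name__ == "__main__":
    for name, (lenient, checked) in evaluate().items():
        print(f"{name:16} lenient={lenient!s:5} amount_checked={checked}")
```

The two policies agree on ordinary taps and differ only where a transport claim arrives with a non-zero or unreadable amount and no user authentication.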

Who is responsible and how can we protect ourselves effectively?
The situation has been deadlocked for almost five years, since the flaw was first revealed by cybersecurity researchers. Apple believes that the problem comes from Visa’s payment system, while Visa, for its part, maintains that its fraud detection protocols make this type of attack very unlikely in real conditions. The two giants therefore pass the buck, leaving the vulnerability uncorrected.
The payment company reminds customers that they are protected by a “zero liability” policy, guaranteeing a refund in the event of proven fraud. However, to avoid stress and long procedures, the simplest solution remains preventative. It is strongly recommended to deactivate “Express Transport” mode in your device settings, or, failing that, not to associate a Visa card with it.
