CISO Update #41
Apple Pay Security Flaw

This month, in recognition of National Cybersecurity Awareness Month and Halloween, we wanted to outline a “spooky” vulnerability in Apple’s Express Transit feature. Cybersecurity researchers from the University of Birmingham and University of Surrey have revealed a flaw which could allow hackers to bypass Apple’s security functions and make contactless payments even with the screen locked. The vulnerability also highlights how security often relies on multiple companies or partners to work together, and that problems occur when things fall through the cracks.

Express Transit is a feature that allows customers to make tap-and-go payments at transit stations all over the world. When the ticket reader scans the iPhone, it transmits a sequence of bytes that are capable of bypassing the iPhone lock screen for the commuter’s convenience. They refer to these as “magic bytes.” Researchers were able to mimic and easily falsify the ticket reader technology and steal money from the Visa cards stored inside the Apple Pay wallet. The theft would be undetectable to the iPhone owner, completely invisible, like a pickpocketing ghost.

So far neither Apple nor Visa have taken responsibility for the vulnerability, each organization citing their products are secure. Apple believes the concern lies with Visa’s system, but Visa responds that schemes targeting contactless payments are unrealistic on a larger scale. In the event an unauthorized payment does occur, it will be covered by Visa’s zero-liability policy. Cybersecurity researchers describe the flaw as a combination of issues with both Apple Pay and Visa’s system; neither entity would be able to address the issue alone. Until both entities come to the table to find a solution, the vulnerability will remain unpatched.

This vulnerability only exists if you have a Visa card stored in Apple Pay and set up to use Express Transit Mode. Dr. Tom Chothia, also at the University of Birmingham, advised ‌iPhone‌ users to check if they have a Visa card set up to use Express Transit and if so, to disable it. "There is no need for ‌Apple Pay‌ users to be in danger, but until Apple or Visa fix this, they are," Chothia said, meaning now that this vulnerability has been proven and published (with how-to videos) on numerous sites, it is only a matter of time before the bad guys start exploiting it. 

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.