According to a new research paper, it is possible to trick a locked iPhone into authorising a contactless payment for a Visa card of any amount, if the Visa card is enabled for Express Transit (which can be on by default in the UK)

Express Transit is a feature used by automated ticket gates on Transport for London underground stations and buses. When a smart phone which supports contactless payment is presented to the terminal, it is used to take payment for the journey just like swiping a contactless debit card.  Passenger flow is sped up by allowing the device to remain locked to authorise the transaction, reducing the time taken to pass through the ticket gate.

For Apple Devices, a transit mode transaction is initiated by the NFC terminal in the ticket gate sending a special series of bytes which tell the device this is a ticket gate, not a regular EMV terminal in a shop, and so the iPhone or Apple Watch will attempt to complete the transaction without requiring the device to be unlocked – provided there is a debit card in the wallet with Express Transit enabled in the settings.

If the card in question is a Mastercard, then when the transaction hits the Mastercard network a check will be performed to ensure the MCC (Merchant Category Code) in the transaction is set for a transport ticket gate. Visa, however, does not check this – meaning any class of merchant terminal could send in a transaction and have it authorised.

The researchers from the universities of Birmingham and Surrey, were able to trick a locked iPhone into authorising a £1000 contactless transaction without needing any user interaction, by injecting the transit identification bytes into the data flow between the iPhone and a regular EMV contactless card terminal.  This could be the contactless payment equivalent of the invention of the ATM card skimmer.  It may first appear technically challenging to do outside of the lab, but it probably won’t be long before criminals are attempting this technique in the wild.   The situation is not helped by both Apple and Visa claiming it is down to the other company to fix the problem.

Mastercards are not affected by this vulnerability, only Visa debit cards which have the Express Transit flag switched on in the iPhone’s settings.  To check, navigate to Wallet & Apple Pay in the Settings app and then tap Express Transit Card and tap None or off to disable the feature.

Samsung Pay enabled phones are not vulnerable in the same way because when the device is locked, only transactions for £0 can be authorised on the Samsung Phone.  TfL then sends an updated transaction amount through to the card network and this behaviour is only allowed for transit systems.

The paper which details this research is due to be presented at the 2022 IEEE Symposium on Security and Privacy.