Security researcher: Flaw in Apple Pay, Samsung Pay and Google Pay makes fraud easy for thieves

3 years ago 307

Positive Technologies adept describes vulnerability linked to apps utilized to wage for nationalist transit tickets.

Woman utilizing mobile payments online buying  and icon lawsuit    web  transportation  connected  screen, m-banking and omni channel

Image: iStockphoto/ipopba

The equilibrium betwixt hands-free payments and the information standards required to support those transactions has tipped excessively acold successful the incorrect direction, according to a information expert. 

At a league astatine Black Hat Europe 2021 this week, Timur Yunusov,  a elder information adept astatine Positive Technologies, explained flaws successful contactless outgo apps that could pb to fraud utilizing mislaid oregon stolen mobile phones. Yunusov specializes successful outgo and exertion security.

The cardinal to this fraud is the convenience of paying for subway and autobus tickets without unlocking the phone, according to Yunusov. Users successful the U.S ., the U.K., China and Japan tin adhd a outgo paper to a smartphone and activate it arsenic a transport card. 

"To execute the attack, smartphones with Samsung Pay and Apple Pay indispensable beryllium registered successful these countries, but the cards tin beryllium issued successful immoderate different region," Yunusov said. "The stolen phones tin besides beryllium utilized anywhere, and the aforesaid is imaginable with Google Pay."

Yunusov and different Positive Technologies researchers tested a bid of payments to spot however overmuch wealth could beryllium spent connected a azygous transaction via this method. They stopped astatine 101 pounds. According to the researchers, "even the latest iPhone models allowed america to marque payments astatine immoderate PoS terminal, adjacent if a phone's artillery was dead," provided the telephone utilized a Visa paper for outgo and had enabled Express Transit mode.

SEE: Digital driver's licenses: Are they unafraid capable for america to trust?

Positive Technologies adheres to the principles of liable disclosure, which means that the bundle manufacturers are contacted with accusation astir the information hazard earlier the flaw is made public. If a shaper does not reply successful penning wrong 90 days, information researchers reserve the close to people findings without mentioning accusation that would let malefactors to exploit a discovered vulnerability.

Positive Technologies stated that Apple, Google and Samsung were notified astir the detected vulnerabilities successful March, January and April 2021, respectively. According to Positive Technologies, the companies said they were not readying to marque immoderate changes to their systems but asked support to stock the findings and reports with the outgo systems. The information institution besides said  its researchers contacted Visa and Mastercard method specialists but did not person a response. 

Visa cards whitethorn beryllium the astir vulnerable

Yunusov said a deficiency of offline information authentication allows this exploit, adjacent though determination are EMVCo specifications covering these transactions. 

"The lone occupation is that present large companies similar MasterCard, Visa and AMEX don't request to travel these standards erstwhile we speech astir NFC payments – these companies diverged successful the aboriginal 2010s, and everyone is present doing what they privation here," helium said.

Apple Pay, Google Pay and Samsung Pay apps are each susceptible to this threat. There does look to beryllium a quality if a idiosyncratic is utilizing a Visa paper for outgo alternatively of a Mastercard oregon American Express, according to Yunusov. 

"MasterCard decided that ODA is an important portion of their information mechanisms and volition instrumentality to it," helium said. "Therefore, each terminals crossed the globe that judge MC cards should transportation retired the ODA, and if it fails, the NFC transaction should beryllium declined."

Visa does not usage this ODA verification astatine each constituent of merchantability terminals, according to Yunusov, which creates the vulnerability. Researchers astatine the University of Birmingham besides described this flaw successful a paper, "Practical EMV Relay Protection."

TechRepublic has requested a remark from Visa astir this probe and volition update the nonfiction with the company's response. 

Fixing the flaw successful mobile wage apps

Yunusov said that telephone manufacturers and outgo companies request to enactment unneurotic to code this vulnerability. In reality, Apple and Samsung person shifted the liability to Visa and MasterCard, helium said, adjacent though the occupation is not with products from the outgo companies.  

"The mobile wallets are successful a saccharine spot – connected 1 side, they (payment companies) gain wealth from transactions and popularize their products," Yunusov said. "From different side, they archer customers if there's immoderate fraud, to interaction the issuing slope to inquire wherefore they allowed the payment." 

Yunusov said the solution to the occupation is to see price, merchant codification and telephone presumption for each transaction. He described the process this way: 

"If the outgo is for $0.00, the telephone is locked, and the MCC codification is transport, this is simply a morganatic transaction erstwhile idiosyncratic pays successful the subway. But if the outgo is $100, the telephone was unlocked (you could retrieve this accusation successful the transaction data), and the MCC is 'supermarkets,' which is suspicious, due to the fact that it should not beryllium imaginable for customers to wage successful supermarkets without unlocking the phone." 

He recommended that developers code these issues to amended the information of mobile wage apps:

  • Problems with Apple Pay authentication and tract validation
  • Confusion successful AAC/ARQC cryptograms
  • Lack of magnitude tract validation for nationalist transport schemes
  • Lack of MCC tract integrity checks 
  • Google Pay payments supra No CVM limits

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article