The Express Transit function on iPhone and Apple Watch allows convenient ticket payment with supported transport operators through Apple Pay. A Visa card, for example, can be stored here to pay for a trip at a ticket barrier with little effort. There is no need to unlock or wake the device, so validation via Face ID, Touch ID, or passcode is not required.
Visa flaw allows unwanted debits
As the BBC reported, security experts from the Universities of Birmingham and Surrey have now discovered a flaw in the system. According to the researchers, the flaw can only be exploited if a Visa card has been selected as the means of payment. In laboratory tests, it was possible to “debit” £1,000. With a Mastercard, the flaw does not occur.
The BBC describes the attack in broad strokes, but deliberately omits important details so as not to make it too easy for would-be imitators. The first part of the system is the wireless hardware, which makes contact with the iPhone and presents itself to it as a ticket barrier.
The second part is an application developed by the researchers that runs on an Android smartphone. This combination of app and smartphone relays the signals from the iPhone. At the same time, it communicates with a conventional NFC terminal of the kind found in many stores.
Because the iPhone believes the user is paying at a ticket barrier, it does not have to be unlocked. Meanwhile, the relayed communication between the iPhone and the NFC terminal is manipulated in such a way that the terminal sees an unlocked iPhone that has approved a payment.
The researchers said that the Android device and the NFC terminal do not need to be near the iPhone. “It can be on a different continent than the iPhone as long as there is an internet connection,” said Dr Ioana Boureanu from the University of Surrey.
So far, the researchers have only performed the tests in the laboratory. There is also no indication that criminals are actively exploiting the flaw.
Researchers warned companies long ago
According to the BBC, the security experts contacted Apple and Visa almost a year ago and reported the flaw. Visa described the attack as “impractical”. Variations of contactless payment fraud have been investigated in the lab for more than ten years. This has shown that they are not practicable on a large scale. If an unauthorized payment does occur, Visa's protection applies, so users do not have to pay for it.
Apple told the BBC: “We take all threats to user security very seriously. This is a problem with a Visa system, but Visa does not believe that this type of fraud is likely in the real world due to the multiple layers of security.” As already mentioned, the researchers also tested the setup with a registered Mastercard. In that case, the flaw cannot be exploited.
If you want to be safe, you can configure Express Transit in the iPhone settings under Wallet & Apple Pay > Express Transit Card. The Apple Watch settings are found on the iPhone in the Watch app under Wallet & Apple Pay > Express Transit Card. Apple offers detailed instructions for using Express Transit.