
Thieves Can Drain Funds From A Locked iPhone With This Transit Trick: How To Protect Yourself

David Phelan, Senior Contributor
Photo caption: New iPhone 17 models go on sale at Apple Stores across the country. Apple iPhone 17 (Getty Images)

April 19 update. This post, first published on April 16, has been updated with more details of how the scam works and advice from experts on how to protect yourself.

An iPhone exploit has been in the spotlight recently that allows funds to be stolen from a mobile wallet, even if the phone is locked. What’s more, the amount of money that can be stolen is limited only by the balance of your account. Here’s all you need to know, including how to prevent it and why you shouldn’t panic just yet.


The exploit has been around for five years and tricks an iPhone into thinking it’s making a payment. Recently, a video from YouTube channel Veritasium has shown exactly how it works.

Why You Shouldn’t Panic

The first thing to say is it’s not a problem you will easily encounter as it requires in-person access to your phone and a bunch of specific equipment. Veritasium specifically said it’s not something likely to occur in the real world.


Second, this is not an iPhone issue — it’s related to the payment system used by Visa, not Mastercard and not American Express. Oh, and if you’re a Samsung user, you’re in the clear, as the exploit doesn’t work with Samsung Pay.

How It Works

The exploit relies on the Express Transit mode on the iPhone, because transactions in that mode are made without the phone being unlocked. The iPhone is tapped on a fraudulent NFC card reader, which transmits your iPhone’s payment data, via a laptop, to a separate phone. That is the first stage, but transit transactions are usually low-value, so a second phase addresses this: additional data is applied that dodges the security checks and allows higher-value transactions than Express Transit mode permits.

The second phone is then tapped on a regular card reader and the transaction completes. The Veritasium video shows this in action: Marques Brownlee watches as $10,000 is removed from his locked iPhone.

That amount is obviously far more than any Express Transit transaction would normally be. With this exploit, it’s explained, the only upper limit to the amount that could be withdrawn is the balance of the account.


The researchers from the University of Surrey and University of Birmingham who first discovered this exploit, Ioana Boureanu and Tom Chothia, came across it by recording data emitted from transit terminals like the ones used on the London Tube and then modifying it.

The modifications to the code were complicated but not particularly extensive, it seems.

What You Can Do

Again, don’t panic, it’s not going to happen unless somehow the payment terminal at your subway station, say, has a fraudulent card reader where the regular one should be. That’s really not going to happen — transit organizations watch the turnstiles closely and it’s not like scam card slots on an ATM.

The researchers pointed out that if a thief walked past you and brushed their fraudulent reader against your pocket, they could theoretically pull off the scam.


It’s if your iPhone is stolen, and the thief has the right equipment, that things could be problematic — remember it works on a locked iPhone.

So, you could turn off Express Transit mode on your iPhone, though it’s a convenient mechanism that is otherwise safe. It’s worth noting that Express Transit mode is on by default on your iPhone if you have a suitable card in your Apple Wallet.

Alternatively, as Veritasium and the researchers pointed out, you could pick a card for Express Transit mode that’s not from Visa.

Visa also told Veritasium that the exploit was very unlikely in a scaled real-world setting, and that any such transactions can be disputed. The researchers who shared the exploit said users can protect themselves by not using a Visa card on the iPhone for transit purposes, MacRumors reported.


Veritasium reached out to Apple about the topic. “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy,” Apple told Veritasium.

Apple has been consistent on this, with an identical statement being made to the BBC in September 2021 when this issue first arose.

When the BBC contacted Visa, the company said, “Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.”


It is possible, for example, that Visa's fraud detection systems would notice the unusual spending patterns and block them.
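The kind of issuer-side check that would catch the transaction described above, as an added example that is not code from Forbes, Veritasium, Visa or the researchers: the two facts the article gives are that an Express Transit tap carries no cardholder verification (the phone stays locked) and that such taps are normally low-value, so a screening rule can flag any no-verification tap that is large, lands at a non-transit merchant, or is far outside the card’s usual transit spend. The record field names (`amount`, `cvm`, `merchant_category`), the ceiling and multiplier values, and the sample transactions are all constructed for illustration, not Visa’s real rules or data.

```python
from statistics import median
from typing import Dict, List

# Hypothetical policy values, not Visa's: the most a tap made with no cardholder
# verification (a locked-phone Express Transit tap) should ever be allowed, and
# how far above the card's usual transit spend a tap may be before it is an outlier.
TRANSIT_NO_CVM_CEILING = 50.00
OUTLIER_MULTIPLIER = 20


def screen_transaction(txn: Dict, transit_history: List[float]) -> List[str]:
    """Return the reasons a transaction should be held for review (empty list = clean).

    txn fields (constructed schema): amount, cvm ("none" for a locked-phone transit tap,
    "device" when Face ID / Touch ID was performed), merchant_category.
    transit_history: the card's recent transit amounts, used as a spending baseline.
    """
    reasons: List[str] = []
    amount = float(txn["amount"])
    no_cvm = txn.get("cvm") == "none"

    # Rule 1: a tap with no cardholder verification must stay within the transit ceiling.
    if no_cvm and amount > TRANSIT_NO_CVM_CEILING:
        reasons.append(
            f"no-CVM amount {amount:.2f} exceeds transit ceiling {TRANSIT_NO_CVM_CEILING:.2f}"
        )

    # Rule 2: a no-CVM tap is only expected at a transit merchant, not a regular retail reader.
    if no_cvm and txn.get("merchant_category") != "transit":
        reasons.append("no-CVM transaction presented at a non-transit merchant")

    # Rule 3: compare against the card's own median transit spend to catch outliers.
    if transit_history:
        baseline = median(transit_history)
        if baseline > 0 and amount > OUTLIER_MULTIPLIER * baseline:
            reasons.append(
                f"amount is {amount / baseline:.0f}x the card's median transit spend {baseline:.2f}"
            )
    return reasons


def screen_batch(txns: List[Dict], transit_history: List[float]) -> Dict[str, List[str]]:
    """Screen several transactions; returns {transaction id: reasons}."""
    return {t["id"]: screen_transaction(t, transit_history) for t in txns}


# Constructed sample data: a few ordinary transit fares as the baseline, then three taps:
# a normal fare, a verified retail purchase, and the article's $10,000 no-CVM retail charge.
SAMPLE_HISTORY = [2.80, 3.20, 2.80, 5.50, 2.80]
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "amount": 2.80, "cvm": "none", "merchant_category": "transit"},
    {"id": "t2", "amount": 42.00, "cvm": "device", "merchant_category": "retail"},
    {"id": "t3", "amount": 10000.00, "cvm": "none", "merchant_category": "retail"},
]

if __name__ == "__main__":
    for txn_id, reasons in screen_batch(SAMPLE_TRANSACTIONS, SAMPLE_HISTORY).items():
        print(txn_id, "HOLD" if reasons else "ok", reasons)
```

Only the third sample trips the rules; it trips all three, which is the point: a locked-phone tap that reaches a retail reader for a large amount looks nothing like the fares the card normally produces, regardless of how the relayed data was altered.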

In the BBC report, several other details are mentioned. For instance, the phone used to relay signals from the iPhone to the payment terminal “can be on another continent from the iPhone as long as there's an internet connection,” said Dr Ioana Boureanu.

And the person who led the research for the University of Birmingham, Dr Andreea Radu, told the BBC that attacks formulated in the laboratory can also end up being used by criminals.

“It has some technical complexity — but I feel the rewards from doing the attack are quite high,” she explained. Interestingly, she added that if unaddressed, “in a few years these might become a real issue.” Well, that was almost five years ago and while it hasn’t become a major issue, people are still talking about it.


Dr Tom Chothia also said then that disabling a Visa card from transit payments was a simple way to avoid issues. “There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are,” he said.


This article was originally published on Forbes.com
