Public transport Express Mode function on iPhone: YouTubers show potential attack
With Express Mode, you can quickly pay for your ticket via NFC in subway systems like those in London or New York. Is there a security vulnerability here?
Attack on Express Mode: Visa considers itself secured.
(Image: Veritasium / Screenshot YouTube)
iPhone and Apple Watch have a feature as part of Apple Pay that is intended to facilitate the use of public transport systems worldwide. With the so-called Express Mode, you only need to hold your device to the reader at the access gate, and it automatically triggers your ticket via a stored credit card. This works in the New York subway or in London, for example. Unlocking the Apple device via fingerprint, facial recognition, or PIN is not necessary if you have activated Express Mode.
But how secure is that? Would it be possible to make purchases on someone else's behalf using the credit card stored with Apple Pay? A video from the well-known science channel Veritasium has now investigated this more closely. The result: With (quite a lot of) effort and special hardware, as well as cards from a specific credit card issuer, a significant sum of money could be stolen from the well-known YouTuber MKBHD during a test run.
Problem known since 2021
The approach is not entirely new; as early as 2021, security researchers from the Universities of Surrey and Birmingham were able to demonstrate the procedure. However, little seems to have changed since then. The reason: Visa, the card issuer affected, believes it is unlikely that the attack will occur in practice. Furthermore, Apple told Veritasium that Visa stated that the usual payment protection applies. Affected individuals can therefore dispute the credit card charge, even if it is likely to be associated with a lot of hassle.
The attack itself is a man-in-the-middle attack: the iPhone is placed on a manipulated NFC reader that presents itself as a legitimate public transport terminal. It wirelessly extracts payment data from the iPhone, which is then forwarded to a laptop where it is manipulated using a Python script. The information is then relayed to a burner device – apparently a rooted Android phone. The latter then actually executes the transaction when placed on a card reader – using the iPhone's data. The manipulated reader had to have the same terminal ID as a legitimate tap-to-pay terminal in a public transport station. The complex method does not work with MasterCard and American Express, as it is apparently less easy to forward legitimate data to the Android device.
iPhone accepts sum as a small amount
Interesting: one of the problems the researchers discovered is that iOS, in its current form, apparently trusts the NFC reader's indication that the requested amount is small. The amount itself is not actually checked; only a flag is read and believed. According to Veritasium, this is not the case with devices from other manufacturers. The iPhone could therefore be tricked into believing it was handling a small payment, which is common for Express Mode, while $10,000 was actually debited.
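The difference between believing the reader's flag and checking the amount can be shown with a simplified model. This is an added example, not code from Apple, Visa, Veritasium or the researchers; the field names, the two policy functions and the 20-dollar limit are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed limit for an unattended transit fare; the article names no figure.
TRANSIT_LIMIT_CENTS = 2_000


@dataclass(frozen=True)
class PaymentRequest:
    """What a reader presents to the wallet (hypothetical, simplified fields)."""
    presents_as_transit: bool   # reader identifies itself as a transit gate
    low_value_flag: bool        # reader's own claim that the amount is small
    amount_cents: int           # amount actually requested


def flag_trusting_policy(req: PaymentRequest, device_unlocked: bool) -> bool:
    """Behaviour described in the article: the flag is read and believed."""
    if device_unlocked:
        return True
    return req.presents_as_transit and req.low_value_flag


def amount_checking_policy(req: PaymentRequest, device_unlocked: bool) -> bool:
    """Corrected form: a locked device checks the amount itself."""
    if device_unlocked:
        return True
    return req.presents_as_transit and 0 < req.amount_cents <= TRANSIT_LIMIT_CENTS


# Constructed requests, all arriving while the phone is locked.
SAMPLES = {
    "ordinary fare": PaymentRequest(True, True, 290),
    "large sum flagged as small": PaymentRequest(True, True, 1_000_000),
    "large sum, honest flag": PaymentRequest(True, False, 1_000_000),
    "shop terminal": PaymentRequest(False, True, 290),
}


def compare(samples=SAMPLES):
    """Return {name: (flag_trusting_result, amount_checking_result)}."""
    return {
        name: (flag_trusting_policy(r, False), amount_checking_policy(r, False))
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, fixed) in compare().items():
        print(f"{name:28} flag-trusting={weak!s:5} amount-checking={fixed}")
```

Only the second row differs between the two policies: the flag-trusting check approves the large sum on a locked device, while the amount-checking one would require an unlock first.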
It is unclear whether criminals actually use this complex method. Those who want to be on the safe side should not use the public transport Express Mode with Visa cards; the attack should then not be possible in principle.
(bsc)