The balance between hands-free payments and the security standards required to protect those transactions has tipped too far in the wrong direction, according to a security expert.
At a session at Black Hat Europe 2021 this week, Timur Yunusov, a senior security expert at Positive Technologies, explained flaws in contactless payment apps that could lead to fraud using lost or stolen mobile phones. Yunusov specializes in payment and application security.
The key to this fraud is the convenience of paying for subway and bus tickets without unlocking the phone, according to Yunusov. Users in the U.S ., the U.K., China and Japan can add a payment card to a smartphone and activate it as a transport card.
“To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region,” Yunusov said. “The stolen phones can also be used anywhere, and the same is possible with Google Pay.”
Yunusov and other Positive Technologies researchers tested a series of payments to see how much money could be spent on a single transaction via this method. They stopped at 101 pounds. According to the researchers, “even the latest iPhone models allowed us to make payments at any PoS terminal, even if a phone’s battery was dead,” provided the phone used a Visa card for payment and had enabled Express Transit mode.
Positive Technologies adheres to the principles of responsible disclosure, which means that the software manufacturers are contacted with information about the security risk before the flaw is made public. If a manufacturer does not reply in writing within 90 days, security researchers reserve the right to publish findings without mentioning information that would allow malefactors to exploit a discovered vulnerability.
Positive Technologies stated that Apple, Google and Samsung were notified about the detected vulnerabilities in March, January and April 2021, respectively. According to Positive Technologies, the companies said they were not planning to make any changes to their systems but asked permission to share the findings and reports with the payment systems. The security company also said its researchers contacted Visa and Mastercard technical specialists but did not receive a response.
Visa cards may be the most vulnerable
Yunusov said a lack of offline data authentication allows this exploit, even though there are EMVCo specifications covering these transactions.
“The only problem is that now big companies like MasterCard, Visa and AMEX don’t need to follow these standards when we talk about NFC payments – these companies diverged in the early 2010s, and everyone is now doing what they want here,” he said.
Apple Pay, Google Pay and Samsung Pay apps are all vulnerable to this threat. There does seem to be a difference if a person is using a Visa card for payment instead of a Mastercard or American Express, according to Yunusov.
“MasterCard decided that ODA is an important part of their security mechanisms and will stick to it,” he said. “Therefore, all terminals across the globe that accept MC cards should carry out the ODA, and if it fails, the NFC transaction should be declined.”
Visa does not use this ODA verification at all point of sale terminals, according to Yunusov, which creates the vulnerability. Researchers at the University of Birmingham also described this flaw in a paper, “Practical EMV Relay Protection.”
A Visa spokesperson said in response to the research that Visa cards connected to mobile wallets with transit features are secure and that most contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world.
“Multiple layers of security are used to protect payments and consumers benefit from Visa’s zero liability guarantee,” the spokesperson said. “Visa takes all security threats seriously and continuously evolves its payment security capabilities to protect cardholders from the latest real-world threats.”
Fixing the flaw in mobile pay apps
Yunusov said that phone manufacturers and payment companies need to work together to address this vulnerability. In reality, Apple and Samsung have shifted the liability to Visa and MasterCard, he said, even though the problem is not with products from the payment companies.
“The mobile wallets are in a sweet spot – on one side, they (payment companies) earn money from transactions and popularize their products,” Yunusov said. “From another side, they tell customers if there’s any fraud, to contact the issuing bank to ask why they allowed the payment.”
Yunusov said the solution to the problem is to consider price, merchant code and phone status for every transaction. He described the process this way:
“If the payment is for $0.00, the phone is locked, and the MCC code is transport, this is a legitimate transaction when someone pays in the subway. But if the payment is $100, the phone was unlocked (you could retrieve this information in the transaction data), and the MCC is ‘supermarkets,’ which is suspicious, because it should not be possible for customers to pay in supermarkets without unlocking the phone.”
He recommended that developers address these issues to improve the security of mobile pay apps:
- Problems with Apple Pay authentication and field validation
- Confusion in AAC/ARQC cryptograms
- Lack of amount field validation for public transport schemes
- Lack of MCC field integrity checks
- Google Pay payments above No CVM limits
**Article updated on Nov. 15, 2021 with a comment from Visa.