A security flaw in the Apple Pay system that attackers can use to bypass the lock screen and make fraudulent payments has been discovered by a UK research team.

According to the research — titled “Practical EMV Relay Protection” — the issue affects Visa cards linked to the contactless payment system when they are set up on an iPhone using Apple’s Express Transit mode.

Express Transit mode lets iPhone users make quick contactless payments at transit barriers, such as gates or turnstiles, which emit a specific code that signals the iPhone to unlock Apple Pay.

Attackers can exploit the vulnerability in the payment system to bypass the passcode on a locked iPhone and make unauthorised payments.

According to the research team, the flaw only impacts Visa cards stored in the Apple Wallet.

“iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it,” said Tom Chothia, a co-researcher from the School of Computer Science at the University of Birmingham.

“There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are.”

The team completed a proof-of-concept test, using easy-to-find radio apparatus, that tricked an iPhone into believing it was at a transit barrier, demonstrated here.

According to a ZDNet report, the researchers first informed Apple in October 2020 and then Visa in May 2021, with the flaw remaining unfixed.

Visa indicated that this kind of vulnerability is not new and is of little concern.

“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” Visa said.

“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”

