Flaw in Apple Pay, Samsung Pay, Google Pay Allows Fraud

At an event during Black Hat Europe 2021, Timur Yunusov, senior security expert at Positive Technologies, recently discussed bugs in contactless payment apps that could potentially lead to fraud involving lost or stolen mobile phones.

According to Yunusov, the key to this scam lies in the convenience of paying for subway and bus tickets without unlocking a mobile device. American, British, Chinese, and Japanese users can simply add a payment card to a smartphone and use it as a transport card.

“To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region,” said Yunusov. “The stolen phones can also be used anywhere, and the same is possible with Google Pay.”

Yunusov and his team tested a series of payments to see exactly how much could be spent on a single transaction using this method, and the team stopped at 101 pounds. “Even the latest iPhone models allowed us to make payments at any PoS terminal, even if a phone’s battery was dead,” provided the phone used a Visa card for payment and had Express Transit mode enabled.

According to Yunusov, the absence of offline data authentication (ODA) makes this exploit possible, even though EMVCo specifications exist to secure these transactions.

“The only problem is that now big companies like MasterCard, Visa and AMEX don’t need to follow these standards when we talk about NFC payments – these companies diverged in the early 2010s, and everyone is now doing what they want here,” he said.

Apple Pay, Google Pay and Samsung Pay apps are all vulnerable to this threat.

According to Yunusov, MasterCard concluded that ODA is an important part of its security mechanisms and decided to stick to it. All terminals worldwide that accept MC cards should therefore carry out ODA, and if it fails, the NFC transaction will be declined.

For more information, you may view the original story from TechRepublic.
