According to a group of academics from the Universities of Birmingham and Surrey, “The attacker requires no cooperation from the merchant and our test payments have not been prevented by backend fraud detection procedures. An attacker requires a stolen iPhone that is turned on. The transactions might also be communicated without their knowledge through an iPhone in their bag.”
Contactless Europay, Mastercard, and Visa (EMV) payments are a quick and easy way to make purchases, and they are gradually becoming the typical method of payment. However, if payments can be conducted without user input, this expands the attack surface, particularly for relay attackers, who can send messages between cards and readers without the owner’s awareness, allowing for fraud. Payments made using mobile apps usually require a user to validate their identity with a fingerprint, PIN, or Face ID. As a result, relay attacks become less of a concern.
However, in May 2019, Apple Pay added “Express Travel”, a feature that allows Apple Pay to be used at a transport-ticketing barrier station without unlocking the phone. The researchers explain how this capability can be used to get around Apple Pay’s lock screen and pay from a locked iPhone with a Visa card to any EMV reader, for any amount, without the user’s permission.
Visa has also developed a system to prevent card-related relay attacks. We demonstrate how Visa’s proposed relay-countermeasure may be circumvented by employing two NFC-enabled Android phones, one of which is rooted.
Based on our observations that EMV distance bounding can be done more reliably at Level 1 than at Level 3, we arrive at a new relay-resistance protocol for EMV. With the help of Tamarin, we verify and establish the security of our L1RP protocol.
The attack has only been proven in the lab, and there is no evidence that criminals are currently using the hack. The BBC quoted Ken Munro, a security researcher at Pen Test Partners who was not involved in this research, as saying that it was “a really clever piece of research” that needed to be rectified as soon as possible.
According to his report, it’s analogous to having a contactless credit card terminal tapped against your wallet or pocketbook, because it didn’t require a card terminal and depended on a small box of electronics to transmit the fraudulent transaction everywhere.
Finally, an Apple representative told the BBC that Visa does not feel this type of fraud is likely to occur in the real world, given the various layers of security in place.