During the first day of BlackHat Europe, Positive Technologies researcher Timur Yunusov described a number of vulnerabilities residing in payment services such as Apple Pay, Samsung Pay and Google Pay. According to the expert, the successful exploitation of these flaws would allow threat actors to make unrestricted purchases using the affected accounts.

The researcher began by recalling that, before 2019, systems such as Apple Pay and Samsung Pay required the user to present a biometric ID before a payment was authorized; now, users can rely on other mechanisms, including QR codes and, in Apple’s case, Express Transit mode.

According to the expert, the main advantage of these transit modes is convenience: once a payment card is added to the smartphone, fares can be paid without authenticating or unlocking the device. The feature is intended for collecting public transport fares.

In their tests, the researchers were able to perform multiple fraudulent transactions through this feature on smart devices. With Apple devices, transactions could be completed even when the device was switched off or its battery was depleted.

As for the banks, the researchers point out that, because systems such as Apple Pay and Samsung Pay are considered sufficiently secure, issuers apply no additional security controls to these transactions.

This confirms a hypothesis raised a few months ago: since these transit modes require no authentication, anyone holding a stolen smartphone could make payments at any point-of-sale (PoS) terminal that accepts the payment card linked to the device.

The security flaws Yunusov identified include authentication errors, confusion in the use of cryptography, missing integrity controls on the merchant category code (MCC) field, incompatibilities between public transport fare schemes and payment schemes, and other failures.

In his report, Yunusov recommends that the developers of these payment systems reconsider the effectiveness of the measures currently in place, keep their systems up to date and, where necessary, implement additional security measures to prevent these flaws from being exploited in the wild.
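The missing integrity control on the MCC field and the recommendation to add further measures suggest one concrete control an issuer could run on its own side. The following is an added example, not code from the researcher's talk or from Apple, Samsung, Google or any payment scheme; the record layout, the field names, the limits and the rule logic are assumptions chosen for illustration. It screens transactions that carried no cardholder verification: a terminal that claims transit mode at a non-transport merchant category, an amount above an assumed no-verification limit, or too many unverified transactions on one token in a day are declined.

```python
"""Issuer-side screening of unauthenticated wallet transactions.

Added example, not code from the talk or from any wallet or payment
scheme. The record layout, field names and limits are assumptions for
illustration; real ISO 8583 authorization messages and scheme rules
differ.
"""
from dataclasses import dataclass
from decimal import Decimal

# ISO 18245 merchant category codes for ground passenger transport.
TRANSIT_MCCS = {"4111", "4112", "4131", "4789"}

# Assumed issuer policy for transactions with no cardholder verification
# (no biometric or PIN on the device). Values are illustrative.
NO_CVM_LIMIT = Decimal("50.00")
NO_CVM_DAILY_COUNT = 10


@dataclass
class Authorization:
    txn_id: str
    pan_token: str                 # wallet token standing in for the card
    mcc: str                       # merchant category code from the acquirer
    amount: Decimal
    currency: str
    cardholder_verified: bool      # biometric/PIN performed on the device
    terminal_claims_transit: bool  # terminal asserted transit/express mode


def evaluate(auth, prior_no_cvm_today=0):
    """Decide one authorization; returns (decision, reason)."""
    if auth.cardholder_verified:
        return ("approve", "cardholder verified on device")
    reasons = []
    # The transit-mode claim originates at the terminal and is not
    # integrity protected, so cross-check it against the acquirer MCC.
    if auth.terminal_claims_transit and auth.mcc not in TRANSIT_MCCS:
        reasons.append(f"transit mode claimed at non-transit MCC {auth.mcc}")
    if auth.amount > NO_CVM_LIMIT:
        reasons.append(f"amount {auth.amount} exceeds no-CVM limit {NO_CVM_LIMIT}")
    if prior_no_cvm_today >= NO_CVM_DAILY_COUNT:
        reasons.append("daily no-CVM transaction count reached")
    if reasons:
        return ("decline", "; ".join(reasons))
    return ("approve", "unverified transit fare within limits")


def screen_batch(auths):
    """Screen a day's authorizations in order, counting no-CVM approvals per token."""
    no_cvm_count = {}
    decisions = {}
    for auth in auths:
        decision, reason = evaluate(auth, no_cvm_count.get(auth.pan_token, 0))
        decisions[auth.txn_id] = (decision, reason)
        if decision == "approve" and not auth.cardholder_verified:
            no_cvm_count[auth.pan_token] = no_cvm_count.get(auth.pan_token, 0) + 1
    return decisions


# Constructed sample records, not real transaction data.
SAMPLE_AUTHS = [
    Authorization("t1", "tok-A", "4111", Decimal("2.80"), "GBP", False, True),
    Authorization("t2", "tok-A", "5812", Decimal("120.00"), "GBP", False, True),
    Authorization("t3", "tok-A", "5812", Decimal("120.00"), "GBP", True, False),
    Authorization("t4", "tok-B", "4112", Decimal("75.00"), "GBP", False, True),
]

if __name__ == "__main__":
    for txn_id, (decision, reason) in screen_batch(SAMPLE_AUTHS).items():
        print(f"{txn_id}: {decision} ({reason})")
```

The check does not rely on the device having authenticated the user; it treats the terminal's transit claim as untrusted input and binds the no-verification allowance to the merchant category and amount the issuer can see for itself.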


The post Vulnerabilities in Apple Pay, Samsung Pay and Google Pay allow easy unauthorized purchases appeared first on Information Security Newspaper | Hacking News.

