During the first day of BlackHat Europe, Positive Technologies researcher Timur Yunusov described a number of vulnerabilities residing in payment services such as Apple Pay, Samsung Pay and Google Pay. According to the expert, the successful exploitation of these flaws would allow threat actors to make unrestricted purchases using the affected accounts.

The researcher began by recalling that, before 2019, systems such as Apple Pay and Samsung Pay required the user to enter a biometric ID to authorize the payment; now, users can use other solutions, including QR codes and, in Apple’s case, Express Transit mode.

According to the expert, the main advantage of these public transport payment modes is their convenience. Once the payment card is added to a smartphone, payments can be made without authenticating or unlocking the device; this function is mainly used for paying public transport fares.

In their tests, the researchers showed that they could perform multiple malicious transactions using this feature on smart devices. In the case of Apple devices, transactions could be completed from switched-off devices without a battery.

As for the banks' position, the researchers point out that, because systems such as Apple Pay and Samsung Pay are considered sufficiently secure, no additional security measures are implemented.

This confirms a hypothesis that emerged a few months ago, which held that, due to the absence of authentication measures in these systems, anyone could use a stolen smartphone to make payments at any point of sale (PoS) terminal capable of identifying the payment card linked to the device.

Among the security flaws identified by Yunusov are authentication errors, cryptography confusion, lack of integrity controls in MCC fields, compatibility errors with payment schemes in public transport and other failures.

In his report, Yunusov recommends that the developers of these payment systems reconsider the effectiveness of the measures currently taken, keep their systems up to date and, where necessary, implement additional security measures to prevent these flaws from being exploited in the wild.


The post Vulnerabilities in Apple Pay, Samsung Pay and Google Pay allow easy unauthorized purchases appeared first on Information Security Newspaper | Hacking News.
