During the first day of BlackHat Europe, Positive Technologies researcher Timur Yunusov described a number of vulnerabilities residing in payment services such as Apple Pay, Samsung Pay and Google Pay. According to the expert, the successful exploitation of these flaws would allow threat actors to make unrestricted purchases using the affected accounts.
The researcher began by recalling that, before 2019, systems such as Apple Pay and Samsung Pay required the user to enter a biometric ID to authorize the payment; now, users can use other solutions, including QR codes and, in Apple’s case, Express Transit mode.
According to the expert, the main advantage of using public transport systems is their convenience. Once the payment card is added to a smartphone, payments can be made without the need to authenticate or unlock the device; this function is mainly applied to the collection of public transport.
In their tests, the researchers proved to be able to perform multiple malicious transactions using this feature on smart devices. In the case of Apple devices, transactions could be completed from switched off devices without a battery.
On the position of the banks, the researchers point out that, because systems such as Apple Pay and Samsung Pay are considered sufficiently secure, no additional security measures are implemented.
This confirms a hypothesis that emerged a few months ago, which established that due to the absence of authentication measures in these systems, anyone could use a stolen smartphone and make payments at any point of sale (PoS) terminal capable of identifying the payment card linked to the device.
Among the security flaws identified by Yunusov are authentication errors, cryptography confusion, lack of integrity controls in MCC fields, compatibility errors with payment schemes in public transport and other failures.
In his report, Yunusov recommends that the developers of these payment systems reconsider the effectiveness of the measures currently taken, in addition to keeping their systems always updated and, where necessary, implement additional security measures in order to avoid the exploitation of these flaws the wild.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.