Flaws in Apple Pay, Samsung Pay and Google Pay allow unlimited purchases



Vulnerabilities affect smartphones with express transit mode enabled

Prajeet Nair (@prajeetspeaks) •
November 11, 2021

Vulnerabilities in Apple Pay, Samsung Pay and Google Pay allow attackers to make unlimited purchases using stolen smartphones that have express transit mode enabled.


To speed up fare collection, express transit terminals do not request immediate online authorization, according to a research report from Positive Technologies presented at Black Hat Europe on Wednesday.

“The vulnerabilities allow attackers to make unlimited purchases with stolen smartphones that have express transit activated, without the device having to be unlocked in order to make a payment. Until June 2021, purchases could be made at all PoS terminals, not just on public transport. On iPhones, payments can be made even if the phone’s battery is empty,” Timur Yunusov, a researcher with Positive Technologies, told Information Security Media Group.

According to the report, express transit mode is available in the US, UK, China and Japan.

Critical Findings

“To carry out the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region. The stolen cell phones can also be used anywhere. The same is possible with Google Pay,” says Yunusov.

Spokespeople for Apple, Samsung and Google were not immediately available for comment.

Yunusov says that before 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, Face ID or PIN code. Now, he says, a locked phone can pay for public transit through features such as Apple’s Express Transit mode.

“From April 28 to May 25, 2019, more than 48.38 million train journeys were paid for using contactless methods such as cards and mobile wallets in London alone. In 2018, New York subway passengers used contactless payments 3.37 billion times,” notes Yunusov.

Yunusov says it is difficult to confirm whether any of the payment vulnerabilities have been exploited in the wild, because banks do not share this information unless it is a high-profile case.

According to the report, the main appeal of express transit mode is convenience: after adding a Visa, Mastercard or American Express card to a smartphone and designating it as the transit card, subway or bus fares can be paid without unlocking the device (see: Apple Pay Visa Vulnerability Could Allow Payment Fraud).

Technical analysis

While investigating the bug, Yunusov and his fellow researchers, Artem Ivachev and Aleksei Stennikov, raised the amount of a single payment to £101 (135.18). They say banks do not “impose additional restrictions and checks on payments made through Apple Pay and Samsung Pay, given that these systems are considered sufficiently protected,” so the amount could be significantly higher.

Yunusov says the latest iPhone models allowed the researchers to pay at any PoS terminal, even when the phone’s battery was dead. The attack requires a Visa card with a positive balance to be added to a smartphone with Express Transit mode enabled, he added.

“Due to the lack of offline data authentication (ODA), a stolen phone with a Visa card added and express transit activated can be used literally anywhere in the world at PoS terminals, for Apple Pay and Google Pay, with no amount restrictions,” notes Yunusov.

The researchers were able to perform the same actions with a Mastercard by exploiting a bug found by ETH Zurich, which they say has since been fixed. Now, according to the researchers, attackers need access to specially modified PoS terminals in order to pay with stolen cell phones holding Mastercard and American Express cards.

Explaining the flaws, Yunusov told ISMG that the root cause of all the attacks is weaknesses in the Europay, Mastercard and Visa (EMV) specification, and the fact that mobile wallets such as Apple Pay, Samsung Pay and Google Pay and the tokenization services of Visa and Mastercard interpret the specification differently.

One of the new attacks against EMV that the researchers discovered is the Cryptogram Confusion Attack, which exploits the differing views of the cryptogram type held by mobile wallets and cards on one side and authorization hosts on the other.

“In this attack, hackers take the payment cryptogram the mobile wallet generated in order to decline the transaction and use it to actually authorize NFC transactions,” notes Yunusov.
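To make the mismatch concrete, the following is an added model of the cryptogram confusion idea; it is example code written for this article, not code from Positive Technologies or from any wallet or issuer. In EMV the Cryptogram Information Data byte (tag 9F27) carries the cryptogram type in its top two bits (AAC = declined, TC = approved offline, ARQC = request online authorization), while the Application Cryptogram (tag 9F26) is a MAC over transaction data. The model uses HMAC-SHA256 under a constructed session key as a stand-in for the real card-keyed 3DES/AES cryptogram, and the amounts, counter and key are constructed sample values. Whether the type byte is bound into the MAC input is a design choice of this model used to show the difference between a host that can and cannot tell a decline cryptogram from an authorization request.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

CID_TYPE_MASK = 0xC0   # bits 8-7 of tag 9F27 hold the cryptogram type
AAC = 0x00             # Application Authentication Cryptogram: declined
TC = 0x40              # Transaction Certificate: approved offline
ARQC = 0x80            # Authorization Request Cryptogram: ask the issuer online

SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key


@dataclass(frozen=True)
class Cryptogram:
    amount_cents: int
    atc: int          # Application Transaction Counter (tag 9F36)
    cid: int          # tag 9F27 as presented to the terminal and host
    mac: bytes        # 8-byte Application Cryptogram (tag 9F26)


def cryptogram_type(cid: int) -> str:
    return {AAC: "AAC", TC: "TC", ARQC: "ARQC"}.get(cid & CID_TYPE_MASK, "RFU")


def compute_mac(key: bytes, amount_cents: int, atc: int, cid: Optional[int]) -> bytes:
    """Stand-in for the application cryptogram (HMAC here, not the EMV 3DES/AES MAC).
    With `cid` given, the type is bound into the MAC input; with None, an AAC and
    an ARQC over the same transaction share one MAC, which is the ambiguity the
    confusion attack lives on."""
    data = amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big")
    if cid is not None:
        data += bytes([cid & CID_TYPE_MASK])
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def wallet_generate_ac(key: bytes, amount_cents: int, atc: int,
                       unlocked: bool, bind_type: bool) -> Cryptogram:
    """Wallet's answer to GENERATE AC: unlocked -> ARQC, locked -> AAC (decline)."""
    cid = ARQC if unlocked else AAC
    mac = compute_mac(key, amount_cents, atc, cid if bind_type else None)
    return Cryptogram(amount_cents, atc, cid, mac)


def relay_as_arqc(c: Cryptogram) -> Cryptogram:
    """Attacker between terminal and host rewrites the CID byte and keeps the MAC."""
    return replace(c, cid=ARQC)


def host_ignores_type(key: bytes, c: Cryptogram) -> bool:
    # Bug 1: the MAC checks out, so approve; never asks what kind of cryptogram it is.
    return hmac.compare_digest(c.mac, compute_mac(key, c.amount_cents, c.atc, None))


def host_checks_unbound_type(key: bytes, c: Cryptogram) -> bool:
    # Bug 2: checks the type, but trusts a CID byte that the MAC does not cover.
    return (cryptogram_type(c.cid) == "ARQC"
            and hmac.compare_digest(c.mac, compute_mac(key, c.amount_cents, c.atc, None)))


def host_checks_bound_type(key: bytes, c: Cryptogram) -> bool:
    # Fixed: requires an ARQC whose MAC was computed over the ARQC type itself.
    return (cryptogram_type(c.cid) == "ARQC"
            and hmac.compare_digest(c.mac, compute_mac(key, c.amount_cents, c.atc, c.cid)))


def run_scenarios(key: bytes = SESSION_KEY, amount_cents: int = 10100, atc: int = 0x002A) -> dict:
    """A locked wallet declines the payment; True means the host approved it anyway."""
    locked_unbound = wallet_generate_ac(key, amount_cents, atc, unlocked=False, bind_type=False)
    locked_bound = wallet_generate_ac(key, amount_cents, atc, unlocked=False, bind_type=True)
    unlocked_bound = wallet_generate_ac(key, amount_cents, atc, unlocked=True, bind_type=True)
    return {
        "ignores_type": host_ignores_type(key, locked_unbound),
        "unbound_type_check": host_checks_unbound_type(key, relay_as_arqc(locked_unbound)),
        "bound_type_check_aac": host_checks_bound_type(key, locked_bound),
        "bound_type_check_relayed": host_checks_bound_type(key, relay_as_arqc(locked_bound)),
        "bound_type_check_legit": host_checks_bound_type(key, unlocked_bound),
    }


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name:26s} {'APPROVED' if approved else 'declined'}")
```

The two buggy hosts approve a transaction the wallet explicitly declined: the first because it never looks at the type, the second because the type byte it checks is not covered by the MAC and can be rewritten in transit. The fixed host only approves the cryptogram an unlocked wallet produced as a genuine ARQC.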

The researchers say that Google Pay enables high-value payments on locked phones with Visa cards as well as cloning of Mastercard cards, and that Google’s Android security team told them it is aware of the issues but will not make any fixes, as the team expects existing mechanisms to counter the attacks.

“In 2019, after our initial submission, they announced that they were planning some changes, but no changes have been made so far,” notes Yunusov.

Responsible disclosure

Yunusov says his team informed Apple, Google and Samsung in March, January and April 2021, respectively, of the security vulnerabilities they discovered with the payment systems.

The researchers say they tried to contact Visa and Mastercard technical specialists but never received a response. In late September, a team of researchers from the University of Birmingham and the University of Surrey in the UK reached some of the same conclusions and published them.


Yunusov recommends that passengers be careful with their phones when using a transit system.

“GPay allows payments on locked devices ‘by design’, so it’s even more dangerous,” he says. “But the general answer: I would only recommend keeping a close eye on your transactions. And if you lose your phone, block all cards issued on the mobile wallet, especially the one that is set by default, as it would be extremely hard to prove to the bank that you didn’t make fraudulent transactions when they do occur.”
