Can you steal $10,000 from a locked iPhone?

TL;DR

This video reveals a security vulnerability in the combination of Apple Pay and Visa that lets an attacker bypass the lock screen and make unauthorised contactless payments, even for large amounts. The hack exploits the Express Transit mode on iPhones and Visa's lack of asymmetric verification for online transactions. While Apple and Visa acknowledge the issue, they consider it low-risk because of fraud protection policies and network-level defences. The video covers the technical details of the hack, its limitations, and the broader implications for consumer security and responsibility.

  • The hack involves intercepting and altering communication between the phone and card reader.
  • It exploits the Express Transit mode on iPhones and the lack of asymmetric verification by Visa.
  • Both Apple and Visa claim the risk is low and that customers are protected by fraud policies.

Stealing $10,000 From MKBHD [0:00]

The video starts with a demonstration of a hack where £10,000 is taken from Marques Brownlee's locked iPhone using a regular payment terminal. Despite the phone being locked and Marques not entering any verification, the transaction is approved. A smaller transaction of $5 is initially tested to show the process before attempting the larger amount. Marques expresses concern and surprise as the hack is successful, highlighting the potential security flaw.

How The Hack Works [4:04]

The video explains that the hack was developed by cybersecurity experts at the University of Surrey and made public in 2021. It intercepts the communication between the phone and the card reader using devices such as a Proxmark and a burner phone. This setup enables a "man-in-the-middle" attack in which the relayed data is modified to trick both the phone and the reader into authorising the transaction. Three layers of defence are bypassed by lying to the phone and to the reader.

High Value vs Low Value Transactions [8:29]

To avoid having to unlock the phone, the hack exploits Apple's Express Transit mode, which allows transit payments without unlocking. The Proxmark broadcasts a code that fools the iPhone into thinking it is talking to a transit reader. To get the £10,000 payment authorised without customer verification, the phone is made to treat it as a low-value transaction by flipping one bit in the transaction data. This works because the iPhone checks only the reader's high/low-value label, not the numerical amount.

Tricking The Card Reader [10:18]

The final step involves tricking the card reader into thinking the customer has verified the payment. The response from the iPhone is intercepted, and the bit of information indicating that customer verification hasn't been done is changed to show that it has been verified. This fools the reader into forwarding the information to the bank, which then authorises the payment. The video notes that the information isn't encrypted due to the need for compatibility with various devices.

Transit Mode [14:20]

The hack is possible due to a specific combination of an iPhone and a Visa card. iPhones decide whether to ask for customer verification based on the high/low value label from the reader. Samsung phones, for example, do not rely on this label and instead look at the actual numerical value of the transaction, rejecting high-value payments in transit mode.

Why does this hack only work with Visa? [15:22]

The hack works against Visa cards because Visa's verification process differs from MasterCard's. MasterCard uses asymmetric cryptography, with a private key held by the card and a public key available to the reader, which provides an additional layer of security. Visa only requires this signature in certain situations, such as when the reader is offline, so during the hack the reader is kept online to avoid triggering that extra check.

How does RSA encryption work? [17:10]

The video explains how RSA works, in this case as a digital signature built from a private and a public key. The card uses its private key to sign the transaction, and the reader verifies the signature with the public key, which confirms that the signature came from that specific card for that specific transaction. MasterCard requires this asymmetric verification, which would prevent the hack; Visa does not always require it.
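The following toy model is an added illustration, not code from the video or from Apple, Visa or MasterCard, and it ties together the two defensive points made in the Transit Mode and RSA sections above: a wallet policy that trusts the reader's high/low label versus one that checks the numerical amount, and a reader that verifies a signature over the phone's response so that a flipped "customer verified" bit is caught. Everything in it is an assumption made for the demo: the textbook RSA with constructed 512-bit keys, the three-field `Response` layout, the `LOW_VALUE_LIMIT_CENTS` threshold, and the two policy functions. It is not the EMV message format and has no real transit or payment parameters in it.

```python
# Added toy model, not code from the video or from Apple, Visa or MasterCard.
import hashlib
import random
from dataclasses import dataclass, replace

random.seed(7)  # deterministic constructed keys for the demo
LOW_VALUE_LIMIT_CENTS = 10_000  # constructed threshold: £100 is "low value"

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; callers only pass odd candidates with the top bit set."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
    return cand if is_probable_prime(cand) else gen_prime(bits)

def gen_keypair(bits: int = 512):
    """Textbook RSA key pair; 512 bits is far too small for real use."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

@dataclass(frozen=True)
class Response:
    amount_cents: int
    transit: bool
    cvm_performed: bool  # the "customer verified" bit the relay flips
    def digest(self) -> int:
        msg = f"{self.amount_cents}|{int(self.transit)}|{int(self.cvm_performed)}"
        return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big")

def rsa_sign(priv, resp: Response) -> int:
    return pow(resp.digest(), priv[1], priv[0])  # digest < 2**256 < n

def rsa_verify(pub, resp: Response, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == resp.digest()

def label_policy(amount_cents, reader_says_low, transit):
    """iPhone behaviour per the summary: trust the reader's high/low label."""
    return not (transit and reader_says_low)  # True = verify, False = skip

def amount_policy(amount_cents, reader_says_low, transit):
    """Samsung behaviour per the summary: look at the number; None = decline."""
    if transit:
        return None if amount_cents > LOW_VALUE_LIMIT_CENTS else False
    return amount_cents > LOW_VALUE_LIMIT_CENTS

def phone_respond(policy, priv, amount_cents, reader_says_low, transit, user_verified=False):
    """Wallet side: apply the policy, then sign whatever it is about to send."""
    needs_cvm = policy(amount_cents, reader_says_low, transit)
    if needs_cvm is None or (needs_cvm and not user_verified):
        return None, None  # declined, or stays locked waiting for the owner
    resp = Response(amount_cents, transit, cvm_performed=bool(needs_cvm))
    return resp, rsa_sign(priv, resp)

def reader_decide(pub, resp, sig, require_signature: bool) -> str:
    """Terminal side; True = MasterCard-style check, False = Visa online path."""
    if resp is None:
        return "declined: no response from phone"
    if require_signature and not rsa_verify(pub, resp, sig):
        return "declined: signature does not match response"
    if resp.amount_cents > LOW_VALUE_LIMIT_CENTS and not resp.cvm_performed:
        return "declined: high value without cardholder verification"
    return "approved"

def run_scenarios() -> dict:
    pub, priv = gen_keypair()
    big, out = 1_000_000, {}  # £10,000 in pence
    # 1. honest low-value transit tap: signed, under the limit, approved
    r, s = phone_respond(label_policy, priv, 250, reader_says_low=True, transit=True)
    out["honest_transit"] = reader_decide(pub, r, s, require_signature=True)
    # 2. relay: "low value" lie to the phone, then the CVM bit flipped for the reader
    r, s = phone_respond(label_policy, priv, big, reader_says_low=True, transit=True)
    tampered = replace(r, cvm_performed=True)
    out["relay_no_signature"] = reader_decide(pub, tampered, s, require_signature=False)
    out["relay_with_signature"] = reader_decide(pub, tampered, s, require_signature=True)
    # 3. amount-aware wallet: the phone never answers a £10,000 transit request
    r, s = phone_respond(amount_policy, priv, big, reader_says_low=True, transit=True)
    out["amount_aware_wallet"] = reader_decide(pub, r, s, require_signature=False)
    return out
```

`run_scenarios()` returns the four verdicts. The relayed response is approved only when the reader skips the signature check, which is the summary's point about Visa versus MasterCard; the amount-aware policy stops the same transaction one step earlier, on the phone, which is the summary's point about Samsung versus iPhone. The signature covers the amount and the verification bit together, so the relay cannot change either without the reader noticing.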

How can you prevent this hack? [20:13]

The easiest way to prevent this hack is to turn off Express Transit mode or not have a Visa card in transit mode on an Apple device. Express Transit Mode is turned on by default as soon as a suitable card is added to the Apple wallet. The video also shows demonstrations of the hack on other individuals to further illustrate its potential impact.

What are Visa doing about it? [21:59]

Apple stated that this is a concern with the Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world and that cardholders are protected by Visa's zero liability policy. Visa claims that the vulnerability is unlikely to be scalable in a real-world setting and that consumers can dispute transactions and get refunds. Despite this, the video argues that technical changes should be made to prevent the fraud from happening in the first place, rather than just relying on refunds. The video concludes by questioning whether the current system is good enough, given the potential stress and inconvenience caused by unauthorised transactions.

Date: 4/15/2026 Source: www.youtube.com

© 2024 BriefRead