Computer Science researchers from the University of Birmingham and the University of Surrey have released a report on the new cocktail of flaws on GitLab. Their research indicates that it’s possible for someone to generate fraudulent payments, even if the iPhone is locked. The risk comes from the mix of Apple Pay’s Express Transit (aka Express Travel) and Visa’s credit card system, meaning other credit card brands and payment methods are unaffected. The security loophole is specifically created when you have a Visa credit card set up for Express Transit, which allows contactless payments for mass transit purposes. According to the report, problems can arise if an attacker uses a contactless EMV reader like Clover or Square. With the right preparation, attackers would be able to “…bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone.” Whether the phone is stolen or safely tucked away in a backpack, they can rack up fraudulent charges if they can get close enough. Both Apple and Visa have been made aware of the problem (in October 2020 and May 2021, respectively), but haven’t decided which one will implement a fix. Keep in mind that this security risk only will affect Express Transit/Travel users who have a Visa card set as their payment. If you use another payment service or Express Transit with a different kind of credit card, you won’t be affected. If you do use the service with a Visa card, it is highly recommended that you stop using Visa as your transport card and switch to something else for the time being.
