A security researcher has shown that it is possible to make unauthenticated, cap-free payments with almost any wallet and card. As long as you have a hacked payment terminal on hand.
The security of mobile wallets is becoming a real bush.
Last October, researchers at the UK universities of Birmingham and Surrey revealed that Apple Pay allows unauthenticated payments without any limits with a Visa virtual card, as long as it is configured in "Debit card" mode. Express Transport".
This feature, in fact, is an exception to the mobile wallet security model where user authentication is the rule. It is intended to make fast payments in an urban transport network without authentication.
In this study, the researchers believed that this type of attack was only possible with the combination of Apple Pay and Visa.
At the Black Hat Europe 2021 conference, security researcher Timur Yunusov from Positive Technologies showed that the situation is actually much more complex than that. He looked not only at Apple Pay, but also Samsung Pay and Google Pay.
And he tried to combine them with the main cards in the market, namely Visa, Mastercard and Amex. Result: each time, he found a way to make an unauthenticated payment with no limit!
A methodical analysis...
To achieve this, the researcher relied on a “Man in the Middle” type flow interception and on various implementation weaknesses, generally data fields and cryptograms which are poorly validated in the protocol process.
In the case of the Google Pay wallet with Visa card, it was immediate. This flaw, which works with all payment terminals, was discovered at the end of 2019 and it has still not been corrected.
For all the other combinations, on the other hand, it is necessary to have a “modified” payment terminal , in other words hacked. This is indeed the only way to be able to modify certain data of the messages exchanged.
The need to have a hacked payment terminal obviously reduces the risk of fraud, but it does not eliminate it.
According to Timus Yunusov, the use of pirated payment terminals - and therefore fake merchant accounts - are common in hacker gangs, especially in Latin America.
This technique has been used for years to siphon money from stolen bank cards. It obviously requires a certain level of organization and is therefore not within the reach of the first hacker.
... but few reactions
Timur Yunusov communicated the results of his research to all stakeholders. But the answers he got are quite disappointing.
On the side of Apple, Google and Samsung, we often wash our hands. Publishers claim that the behavior of their "wallets" is as intended. In other words, if there is a problem, it is up to the card networks to solve it.
But the latter are very silent on the subject. Which does not mean that they do not act discreetly.
One of the flaws mentioned in the researcher's report was quietly patched by Mastercard after learning about it indirectly.