Attacks and fixes in mobile contactless payments
Summary
Researchers from the University of Surrey and the University of Birmingham, working on the TimeTrust project, demonstrated a security vulnerability in mobile contactless payments. In this attack, which concerns Apple Pay and Visa, a perpetrator can use a mobile app to steal money from an Apple Wallet without unlocking the victim’s phone. The vulnerability was reported to Apple and Visa in 2021 and is still live. The researchers proposed several solutions to prevent and stop such attacks, and are now also working with ISO/IEC on an amendment to the ISO/IEC 14443 standard that would alleviate this problem in one specific way.
Researcher Profile