Expert shows how easy it is to hack apple pay and Samsung tap. They can empty bank accounts

Timur Yunosov is a Russian cybersecurity researcher specializing in mobile security and payment system analysis. Working for Positive Technologies, Yunosov demonstrated how to exploit known vulnerabilities in Apple Pay to access the bank accounts of affected users without even unlocking their smartphones.

In addition to exploiting flaws in the affected payment systems, the attack also requires abuse of contactless payment terminals, eventually allowing the target device to be tricked into falsifying communication between the smartphone and an illegitimate payment terminal.

Apple’s payment system hasn’t been Yunosov’s only target of attack. In subsequent reports, the expert demonstrated how to compromise the security of a Samsung device to empty users’ accounts without having to unlock the device. While the attack works differently, the result is the same as in compromise apple systems.

Another report notes that the same method used to compromise Apple Pay could be used to hack into a Samsung Pay account linked to Visa and MasterCard payment cards, although the flaws appear to have already been addressed.

At the time of writing, Samsung had not issued any comment on these flaws, while Apple and payment operators consider that these are not exploitable flaws, so they will most likely not receive security patches.

An Apple representative mentioned, “This is a concern with a Visa system, but they don’t believe this type of fraud can happen in the real world given the multiple layers of security in place; in the unlikely event that an unauthorized payment is recorded, Visa has the mechanisms in place for its customers to report this malicious activity.”

Visa notes, “Visa cards connected to mobile wallets are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have shown that they are impractical to execute at scale in the real world.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.