Large unauthorised contactless payments can be made on locked iPhones by exploiting an Apple Pay feature designed to help commuters pay quickly at ticket barriers.

Researchers from the UK’s University of Birmingham and University of Surrey uncovered a technique by which attackers could bypass an Apple iPhone’s lock screen to access payment services and make contactless transactions.

The issue occurs when Visa cards are set up in ‘Express Transit’ mode in an iPhone’s wallet feature. The feature allows commuters to make quick contactless payments without unlocking their phone.

The researchers explained that the issue, which only applies to Visa and Apple Pay, is caused by a unique code, nicknamed “magic bytes”, which is broadcast by turnstiles and transit gates to unlock Apple Pay.

In a video demonstration to the BBC, researchers were able to make a payment of £1,000 without unlocking the phone or authorising the payment.

Visa and Apple were approached by the researchers a year ago with their concerns; however, the problem has not been fixed. Visa’s view was that this type of attack was “impractical”, adding that “Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence.

“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world”.

Apple told the BBC: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place”.

“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy”.

However, Dr Andreea Radu of the University of Birmingham, who led the research, explained that if the security fault remains unaddressed, it might become a real issue.