At an event during Black Hat Europe 2021, Timur Yunusov, senior security expert at Positive Technologies, recently discussed bugs in contactless payment apps that could potentially lead to fraud involving lost or stolen mobile phones.

According to Yunusov, the key to this scam lies in the convenience of paying for subway and bus tickets without unlocking a mobile device. American, British, Chinese, and Japanese users can simply add a payment card to a smartphone and use it as a transport card.

“To perform the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region,” said Yunusov. “The stolen phones can also be used anywhere, and the same is possible with Google Pay.”

Yunusov and his team tested a series of payments to see exactly how much could be spent on a single transaction using this method, and the team stopped at 101 pounds. “Even the latest iPhone models allowed us to make payments at any PoS terminal, even if a phone’s battery was dead,” provided the phone used a Visa card for payment and had Express Transit mode enabled.

According to Yusinov, a missing offline authentication of the data makes this exploit possible, although EMVCo specifications exist to secure these transactions.

“The only problem is that now big companies like MasterCard, Visa and AMEX don’t need to follow these standards when we talk about NFC payments – these companies diverged in the early 2010s, and everyone is now doing what they want here,” he said.

Apple Pay, Google Pay and Samsung Pay apps are all vulnerable to this threat.

According to Yusinov, MasterCard came to the conclusion that ODA is an important part of their security mechanisms and decided to stick to it. All terminals worldwide that accept MC cards should therefore carry out the ODA, and if it fails, the NFC transaction will be declined.