Researchers have recently discovered a loophole in iPhones that allows hackers to make unauthorized contactless payments on locked mobile phones by exploiting an Apple Pay feature that’s supposed to help users pay quickly using their Visa cards, according to a BBC report Thursday (Sept. 30).
A video shows the researchers from the Computer Science departments of Birmingham and Surrey Universities making a contactless £1,000 (almost $1,350) payment from a locked iPhone, the report says, but Apple called the glitch “a concern with a Visa system.”
Visa, in turn, said its payments are secure and that hacks of this sort aren’t likely to happen outside of a lab.
The researchers say the loophole can be exploited on Visa cards set up in Express Transit mode — which allows contactless payments on a locked phone — in the user’s iPhone wallet.
The BBC outlined the basics of the attack, although it left out several of the key details to prevent a rash of copycats:
“We take any threat to users’ security very seriously,” Apple told the BBC. “This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy,” the company said.
Related: Seven Years Later, Only 6% of People with iPhones in the US Use Apple Pay In-Store When They Can
PYMNTS research, which surveyed 3,671 people across the U.S., shows that 6.1% of consumers with Apple Pay activated on their iPhones use it in-store to pay for purchases.
Growth in total Apple Pay transactions since 2015 has come almost entirely from more stores having contactless terminals to accept it, more people having iPhones that can use Apple Pay and the overall growth in retail transactions.