The EMV Express Transit Security Trade-off

The Practical EMV Relay Protection paper authored by Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, outlines a potential weakness with VISA cards when used with Apple Pay Express Transit. The BBC reported the issue which was then widely reported on Apple news sites. The authors and the BBC both frame the security issue as known by Apple, who say it’s a VISA system problem, and VISA who say the hack is only a lab project, not a real world problem. Ionut Ilascu on BleepingComputer had a concise summary:

The tests were successful only with iPhone and Visa cards. With Mastercard, a check is performed to make sure that a locked iPhone accepts transactions only from card readers with a transit merchant code.

Trying the method with Samsung Pay, the researchers found that transactions are always possible with locked Samsung devices. However, the value is always zero and transport providers charge for tickets based on data associated with these transactions.

The findings of this research have been sent to both Apple and Visa in October 2020 and May 2021, respectively, but neither fixed the problem.

Apple Pay with VISA lets hackers force payments on locked iPhones, BleepingComputer

Apple Pay uses a GlobalPlatform licensed secure element while Samsung Pay Knox technology uses a Trusted Execution Environment (TEE), it’s a flimsy apple vs orange comparison. A meaningful comparison should have compared iPhone with another secure element device, like Pixel using VISA. Because of the limited scope, it feels like an attention grabbing ploy as it involves iPhone, rather than meaningful security research.

The security paper authors concluded: “While either Visa or Apple implement a fix for the problem, we recommend users to not use Visa as a transport card in Apple Pay. If your iPhone is lost or stolen, activate the Lost Mode on your iPhone, and call your bank to block your card.” In other words, turn off the Express Transit Card option for VISA cards.

It is not Apple’s problem to fix but Apple set themselves up for this.

Steve Jobs said it best: designing anything is about choices and trade-offs. The Apple Pay that launched in 2014 was designed for credit cards with bio-authentication to authorize payment transactions. This changed in 2016 with the arrival of Suica, the first transit card on Apple Pay, and Express Transit. Express Transit and Express Mode emulate the way that transit cards and student ID are designed to work. The FeliCa and MIFARE protocols used for these cards are very secure and have a long history of safe prepaid smartcard use.

For a time, the Apple Pay security protocol design was clearly defined: EMV bank payment cards required bio-authorization for transactions while transit cards, ID cards and digital keys worked in Express mode without it.

All was good until iOS 12.3 and the arrival of EMV Express Transit that changed the rules so that credit cards could act like express mode transit cards too. No more Touch ID or Face ID authentication for using Apple Pay bank cards on Transport for London (TfL) and New York OMNY transit gates. It sounded like a good idea but Apple decided to promote these services by making EMV Express Transit ‘on by default’ when adding a credit/debit card to Wallet.

As any careful watcher of the OMNY rollout will tell you, there have been plenty of Express Transit problems, especially for MetroCard users. Most of whom have no idea Express Transit was a default on option. Express Transit issues continue to crop up as they did for Apple Card users recently with problems on the Mastercard network and Goldman Sachs side. Open loop transit comes with more downsides than promoters like to admit.

It boils down to this. When Apple activated EMV Express Transit and make it a default on, presumably to promote all kinds of Apple Pay cards for transit…cards that were never designed for it, it made Apple Pay susceptible to any and all bank card network security issues and glitches. Instead of Apple service quality or secure dedicated transit cards, the user ends up with bank and card company service level quality at the transit gate. In other words, EMV Express Transit quality is up to banks, not Apple nor the transit agency. It’s their card, they call the shots. That’s the trade-off that won’t go away.