As Positive Technologies researcher Timur Yunusov said at the Black Hat Europe conference in London, attackers need only a smartphone with a credit card added to it and public transport schemes enabled.

Until 2019, Apple Pay and Samsung Pay did not allow payments unless the phone was unlocked with a fingerprint, Face ID, or PIN. But today it is possible through the use of public transport schemes (or Apple's Express Transit mode).

According to Yunusov, vulnerabilities in Apple Pay, Samsung Pay and Google Pay allow attackers to make unlimited purchases using stolen smartphones on which express transport schemes are enabled, since these schemes do not require the device to be unlocked to make a payment.

“The main advantage of using public transport schemes is their convenience. Once you've added a payment card (Visa, Mastercard, or American Express) to your smartphone and activated it as a transit card, you can pay for subway or bus rides without unlocking your device. This feature is available in the US, UK, China and Japan, for example. To carry out the attack, smartphones with Samsung Pay and Apple Pay must be registered in these countries, but the cards can be issued in any other region. Stolen phones can also be used anywhere. The same is possible with Google Pay,” explained Yunusov.

Until June 2021, unauthorized purchases could be made at any point of sale (PoS) terminal, not just public transport.