The flaw could let scammers bypass security and make unlimited payments using the mobile system.
Researchers from the University of Birmingham and University of Surrey have urged iPhone and Apple Pay users to remove a Visa card feature from their devices.
The potential vulnerability can occur when a Visa card is set up in Express Transit mode, that is, when the card is set up as an Express Travel Card, according to the research.
During the study, simple radio equipment was used to trick the iPhone into thinking it was communicating with a transit gate. But instead, the device was actually connecting to a payment reader used by retailers.
By identifying a unique code broadcast by transit gates or turnstiles, researchers were able to interfere with device signals and instead use Apple Pay for card purchases elsewhere.
“iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it,” advised Dr Tom Chothia, co-author of the study, from the University of Birmingham.
“There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are.”
Fraud testing also found that it wasn’t possible to stop any payments going through.
Details of the research have been shared with Apple and Visa, but a solution has not yet been agreed.
Researchers claim that both companies acknowledge the seriousness of the flaw.
However, Visa claims that cards are in fact safe when using Apple Pay – urging cardholders to continue using both their cards and the feature “with confidence”.
“Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” a spokeswoman said.
“Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
A spokesperson from Apple said: “We take any threat to users’ security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.
“In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa’s zero liability policy.”
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said University of Birmingham’s Dr Andreea Radu, who led the study.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
Results of the study are set to be presented next year in a paper at the 2022 IEEE Symposium on Security and Privacy.
Dr Ioana Boureanu, another co-author of the study, from the University of Surrey, added: “We show how a usability feature in contactless mobile payments can lower security.
“But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure.
“Apple Pay users should not have to trade-off security for usability, but at the moment some of them do.”