Security researchers have discovered that it is possible to abuse the express transport convenience feature on smartphones with payments systems activated to make unlimited unauthorised purchases.
Russian security vendor Positive Technologies researcher Timur Yunusov presented his findings at Black Hat Europe in London yesterday, showing that Apple Pay, Google Pay, and Samsung Pay flaws made it possible for attackers to abuse the method, which is for use with public transport fare payments, and without unlocking devices.
Stolen smartphones could be used at any point-of-sale terminals until June this year, and not just public transport ones, Positive Technologies found.
Apple iPhones could even be used for payments with the battery fully depleted, the security vendor found.
Several countries allow public transport patrons to use their devices for fare payments, with no unlocking required.
This includes China, the United States, Japan, and the United Kingdom, and works as long as the phone in question is registered in one of those countries.
However, stolen phones can be used anywhere in the world for large payments although the researchers stopped at £101 (A$185) in their testing.
The flaw lies in the lack of offline data authentication, or ODA, for the smartphone payments systems.
The lack of ODA allows a stolen phone with a payments card added to it to be used anywhere in world, for unrestricted Google and Apple Pay transactions, Positive Technologies said.
Whether or not the flaws have been patched by Apple, Google and Samsung remains unclear, Positive Technologies said.
The security vendor made recommendations for the companies to better validate fields used by public transport payment schemes, but in September this year, researchers at the universities of Birmingham and Surrey repeated parts of Positive Technologies' tests and reached the same conclusions.
The three IT giants told Positive Technologies they would not make any changes to their systems.
They asked Positive Technologies to share its findings and reports with VISA and MasterCard, but no response was received from the latter two payment processors.
Earlier this year, Positive Technologies was sanctioned by the United States for engaging in harmful activities, allegedly sponsored by the Russian government.