Threat Category: NFC-based
Threat Description: Certain NFC implementations may be vulnerable to relay attacks, in which an attacker relays messages between two parties, acting much like a proxy. This could be especially dangerous in NFC payment solutions, such as Apple Pay and Google Pay.
iOS Security: iOS 9.3 and Later [1]
Practical NFC peer-to-peer relay attack using mobile phones [2]
To reduce opportunity for this attack, disable NFC when that feature is not in use.
To avoid this attack, do not activate native mobile payment features, such as Apple Pay, or deactivate them if they are no longer in use.
To prevent this attack, ensure native payment services (e.g. Apple Pay) are configured to require user interaction to complete any contactless payment transaction.
[1] iOS Security: iOS 9.3 or later, white paper, Apple, 2016. www.apple.com/business/docs/iOS_Security_Guide.pdf [accessed 8/24/16].
[2] L. Francis et al., “Practical NFC peer-to-peer relay attack using mobile phones”, in Proceedings of the 6th International Conference on Radio Frequency Identification: Security and Privacy Issues, 2010, pp. 35-49; https://eprint.iacr.org/2010/228.pdf [accessed 8/24/2016].