Apple & Visa's $10k Wallet Flaw

An alarming security flaw allows hackers to drain thousands from a locked iPhone without any user interaction. Veritasium recently demonstrated this exploit live, successfully stealing $10,000 from MKBHD's device. This chilling man-in-the-middle attack leverages a critical logic gap between Apple Pay and Visa.

This vulnerability specifically targets Apple Pay's Express Transit mode, a convenience feature designed for rapid payments at subway turnstiles. This mode intentionally bypasses typical lock screen security, like Face ID or Touch ID, allowing users to simply tap their device to pay. The iPhone is inherently programmed to drop its security protocols when it detects a specific transit broadcast code, effectively opening a window for exploitation.

Attackers exploit this by deploying a specialized device, the Proxmark, to spoof the crucial subway gate signal. Researchers use the Proxmark to intercept a standard retail terminal signal, then cunningly flip a single binary bit from 0 to 1. This "transit lie" convinces the iPhone it is engaging with a legitimate transit gate, forcing it to entirely bypass the lock screen and process an unauthorized high-value retail transaction, disguised as a low-value transit tap, without user verification.

Researchers orchestrate the attack with a Proxmark device, first spoofing a transit broadcast code to trick a locked iPhone into believing it's at a subway turnstile. This initial transit lie bypasses the lock screen, opening the door for further manipulation. Next, the exploit executes the Value Lie: it intercepts the transaction signal and flips a single bit, changing a high-value flag to '0'. This deception convinces the iPhone a massive charge, like $10,000, is merely a low-cost transit tap, such as a $3 fare, circumventing value-based verification triggers.

The third and final step is the Verification Lie. As the iPhone responds internally with 'user not verified,' the sophisticated script intercepts this signal. It then flips a crucial binary bit from '0' to '1,' effectively fabricating user authorization. This modified response travels to the payment terminal, falsely confirming the transaction as legitimate and approved by the user.

Combined, these three sequential binary manipulations — the transit bypass, the value alteration, and the falsified verification — create a complete, fraudulent transaction. The bank processes and approves the charge without any explicit user interaction or biometric authentication. This sophisticated man-in-the-middle attack highlights a critical logic gap between Apple Pay and Visa, enabling attackers to drain thousands from a locked device.

Mastercard employs a fundamentally different security architecture for contactless payments. It mandates asymmetric RSA signatures for every single tap, creating a cryptographic lock on transaction data. This rigorous approach ensures any attempt to alter transaction details in flight immediately invalidates the signature, preventing fraudulent charges.

Visa, however, exhibits a critical protocol divergence, permitting certain online terminals to bypass these essential signature checks entirely. In this specific mode, crucial data bits, including the high/low value flag, remain unsigned and therefore modifiable by an attacker in a man-in-the-middle scenario. This allows the "value lie" to succeed, transforming a large sum into a seemingly small transit fare.

This sophisticated attack vector is not universal; it specifically targets the Apple Pay and Visa combination in Express Transit mode. Android-based payment systems, such as Samsung Pay, incorporate additional security layers that effectively thwart this type of bit-flipping manipulation. Researchers at the University of Surrey and University of Birmingham first highlighted this vulnerability years ago; for more details on the exploit, refer to New vulnerability in Apple Pay Express Transit mode could allow fraud.

The blame game leaves consumers exposed in a frustrating corporate standoff. Apple maintains the exploit is a fundamental Visa network problem, asserting responsibility lies with the payment processor's protocol. Visa, however, downplays the severity, claiming the reported fraud is too rare to warrant a dedicated patch and instead relies on its existing, post-transaction fraud detection systems. This creates a dangerous stalemate, leaving a known vulnerability unaddressed.

This inaction perpetuates a critical security gap. Researchers at the University of Surrey and University of Birmingham first publicly disclosed the sophisticated flaw in 2020, demonstrating its exploitability. Despite years passing since that revelation, neither Apple nor Visa has implemented a systemic fix, effectively pushing the entire burden of securing high-value transactions onto the individual user. The lack of resolution means the vulnerability persists across millions of devices.

Ultimately, only one actionable solution exists to safeguard your finances against this specific attack. Users must disable Express Transit mode for any linked Visa cards. To do this, navigate to iPhone Settings > Wallet & Apple Pay, then select your Express Transit card and toggle the feature off. This proactive step remains the sole defense against this unpatched vulnerability, ensuring your locked iPhone isn't an unwitting conduit for unauthorized charges.

What is the Apple Pay Visa exploit?

It's a man-in-the-middle attack targeting Apple Pay's Express Transit mode with Visa cards, allowing unauthorized high-value payments from a locked iPhone.

Why does this exploit only affect Visa cards?

Unlike Mastercard, Visa's protocols for this specific mode don't mandate cryptographic signatures for all transactions, allowing attackers to modify transaction data in transit.

How can I protect myself from this vulnerability?

The most effective way is to disable Express Transit mode for your Visa card. Go to Settings > Wallet & Apple Pay > Express Transit Card and select 'None'.

Have Apple or Visa fixed this issue?

No. Despite being aware of the flaw since 2020, both companies have declined to implement a patch, each stating the other is responsible for the fix.