iPhone tap-to-pay vulnerability allows fund transfer without unlocking device

YouTuber exposes NFC flaw in iPhone enabling unauthorised transactions

Raising fresh concerns over mobile payment security, a YouTuber has demonstrated a vulnerability in Apple’s tap-to-pay feature that could allow money to be transferred from a locked iPhone.

The issue, described as a “Man in the Middle” hack, uses multiple devices to trick an iPhone’s NFC system into believing it is interacting with a legitimate point-of-sale or transit terminal.

In a video by the YouTube channel Veritasium, Henry van Dyck showed how the flaw can be exploited. The demonstration involved executing a transaction from a locked iPhone belonging to tech YouTuber Marques Brownlee, also known as MKBHD. The device was placed on a third-party NFC reader called Proxmark, connected to a laptop.

The iPhone shared transaction data with the device, which was then modified using a Python script. This altered data was relayed to another phone, which completed the transaction on a PoS machine. The system was tricked into treating it as a valid interaction, leading to a successful transfer of funds.

Using this method, the YouTuber managed to transfer $10,000 (around ₹9,33,000) from an iPhone 17 Pro without unlocking or physically handling it.

Experts Ioana Boureanu and Tom Chothia explained that the issue is linked to Apple’s Express Transit Mode. This feature allows payments at transit terminals without unlocking the device. They warned, “The limit is how much money the person has in his or her bank account.”

The exploit works specifically with Visa transit cards due to the payment verification process. It involves modifying binary codes exchanged during transactions, including changing a value from “0” to “1” to mimic authenticated communication.

The demonstration also showed how attackers can alter transaction values to avoid biometric verification and trick PoS systems into assuming approval has been given.

The YouTuber claimed that certain transaction elements, including transit ‘magic bytes’ and EMV flags, are left unencrypted to support compatibility across systems.

Responding to the claims, Apple stated, “This is a concern with a Visa system.” The company added that Visa “does not believe” such fraud would occur “in the real world” and said users are protected under Visa’s zero liability policy.
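
The inconsistency described above (a phone that never verified its user, paired with a terminal that believes it did, at a merchant that is not a transit gate) can be checked for on the issuer side. The sketch below is an added example, not code from the video, Apple or Visa; the record layout, field names, merchant-category set and amount ceiling are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy values, not taken from the article or any card scheme rule.
TRANSIT_MCCS = {"4111", "4112", "4131", "4784"}  # commuter, rail, bus, tolls
TRANSIT_CEILING_MINOR = 5_000                    # 50.00 in minor units

@dataclass(frozen=True)
class AuthRecord:                    # hypothetical issuer-side record layout
    txn_id: str
    amount_minor: int
    mcc: str
    device_verified_user: bool       # wallet side: biometric/passcode performed?
    terminal_saw_verification: bool  # terminal side: data claimed a verified user?

def review(rec):
    """Return the reasons an authorization looks inconsistent (empty if none)."""
    reasons = []
    if rec.device_verified_user:
        return reasons               # unlocked, verified payments are out of scope
    if rec.mcc not in TRANSIT_MCCS:
        reasons.append("no user verification at non-transit merchant")
    if rec.amount_minor > TRANSIT_CEILING_MINOR:
        reasons.append("no user verification above transit ceiling")
    if rec.terminal_saw_verification:
        reasons.append("terminal saw verification the device never performed")
    return reasons

def flag(records):
    """Map txn_id -> reasons for every record with at least one finding."""
    return {r.txn_id: why for r in records if (why := review(r))}

# Constructed sample records (not real transaction data).
SAMPLE = [
    AuthRecord("t1", 290, "4111", False, False),      # locked-phone subway fare
    AuthRecord("t2", 4_500, "5411", True, True),      # grocery, user verified
    AuthRecord("t3", 1_000_000, "5999", False, True), # pattern from the article
]

if __name__ == "__main__":
    for txn, why in flag(SAMPLE).items():
        print(txn, "->", "; ".join(why))
```

Only the third record is flagged: a genuine transit fare from a locked phone and a verified retail payment both pass.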
