April 24, 2026, 10:10 am | Read time: 3 minutes
Mobile payments with the iPhone have long been routine for many. A brief contact with the terminal is enough to complete the transaction. However, an experiment shows that this convenience also carries risks.
The science channel Veritasium, together with tech YouTuber Marques Brownlee, demonstrated that under certain conditions, payments can be triggered without the iPhone being unlocked. Particularly concerning is that this vulnerability has been known for over four years.
How the Demonstrated Attack Works
The focus is on the so-called Apple Pay Express Transit mode. This feature allows quick payments in public transport without unlocking the phone or confirming the transaction. The researchers exploited exactly this simplification with a relay (man-in-the-middle) attack. The iPhone is placed on a manipulated NFC reader that poses as a legitimate transit terminal. That reader captures the phone's payment responses and forwards them to a laptop, where a script deliberately alters specific fields before passing them on.
The altered data is then forwarded to a prepared secondary device, in this case a modified Android smartphone acting as a card emulator. When that phone is held to a real card reader, the payment is executed on the basis of the data intercepted from the iPhone. A crucial detail is that the manipulated reader must present the same terminal identification as a real public-transport terminal; only then does the locked iPhone accept the connection without being unlocked. In the experiment, a $5 charge was made first, and later one of $10,000.
Vulnerability Mainly Affects Visa Cards
The method is not new. It was already demonstrated in 2021 by security researchers at the University of Surrey and the University of Birmingham, and it mainly affects Visa cards. The reason given is that Visa applies no additional symmetric-key protection to the data exchanged with online-connected terminals: the fields the terminal and phone exchange are not bound to the transaction cryptogram, so they can be intercepted and altered in transit without either side noticing.
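The relay-and-modify flow described in the attack section above, and the reason it only works where terminal-supplied fields are not cryptographically bound, as an added example that is not part of the original article and is not the researchers', Apple's or Visa's code. It is a constructed, deliberately simplified model in Python, not the real EMV or Visa message format: the transit marker, the CVM flag values, the transit limit and the HMAC-based cryptogram are all hypothetical stand-ins. The weak variant leaves the qualifier flag out of the cryptogram; the hardened variant binds it.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of a contactless payment. It is NOT the real
# EMV / Visa message format; every name and byte value below is hypothetical.
TRANSIT_MARKER = b"TRANSIT-GATE"   # stand-in for the identification a transit gate presents
ISSUER_KEY = b"demo-issuer-key"    # secret shared by the phone's secure element and the issuer
TRANSIT_LIMIT_CENTS = 500          # hypothetical ceiling for taps with no user verification
NO_CVM = b"NO-CVM"                 # qualifier: no cardholder verification (an Express Transit tap)
CDCVM_DONE = b"CDCVM-DONE"         # qualifier: cardholder verified on the device (Face ID etc.)


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    cvm_flag: bytes      # qualifier bits travelling next to the cryptogram
    cryptogram: bytes    # MAC the issuer verifies


def _cryptogram(amount_cents: int, cvm_flag: bytes, bind_flags: bool) -> bytes:
    """Weak variant MACs the amount only; hardened variant also covers the qualifier."""
    fields = [str(amount_cents).encode()]
    if bind_flags:
        fields.append(cvm_flag)
    return hmac.new(ISSUER_KEY, b"|".join(fields), hashlib.sha256).digest()


class Phone:
    """Card emulation on the phone; bind_flags selects the weak or hardened cryptogram."""

    def __init__(self, unlocked: bool, bind_flags: bool):
        self.unlocked = unlocked
        self.bind_flags = bind_flags

    def respond(self, terminal_marker: bytes, amount_cents: int) -> Optional[Transaction]:
        # Express mode: a locked phone answers only a reader presenting the transit marker;
        # the amount itself comes from the terminal and is signed as received.
        if not self.unlocked and terminal_marker != TRANSIT_MARKER:
            return None
        cvm_flag = CDCVM_DONE if self.unlocked else NO_CVM
        return Transaction(amount_cents, cvm_flag,
                           _cryptogram(amount_cents, cvm_flag, self.bind_flags))


def issuer_authorize(tx: Transaction, bind_flags: bool) -> bool:
    """Issuer-side check: verify the cryptogram, then apply the no-CVM amount limit."""
    expected = _cryptogram(tx.amount_cents, tx.cvm_flag, bind_flags)
    if not hmac.compare_digest(tx.cryptogram, expected):
        return False                                   # tampered or forged
    if tx.cvm_flag == CDCVM_DONE:
        return True                                    # verified on device: any amount
    return tx.amount_cents <= TRANSIT_LIMIT_CENTS      # unverified tap: transit-sized only


def relay_attack(phone: Phone, real_amount_cents: int, forge_flags: bool = True) -> bool:
    """Attacker's reader poses as a transit gate; a proxy device replays to a real terminal."""
    tx = phone.respond(TRANSIT_MARKER, real_amount_cents)
    if tx is None:
        return False
    if forge_flags:
        # The laptop script rewrites the qualifier bits before the proxy presents them.
        tx = Transaction(tx.amount_cents, CDCVM_DONE, tx.cryptogram)
    return issuer_authorize(tx, phone.bind_flags)


if __name__ == "__main__":
    weak, hardened = Phone(False, bind_flags=False), Phone(False, bind_flags=True)
    print("weak, $10,000 with forged flag:", relay_attack(weak, 1_000_000))          # True
    print("hardened, $10,000 with forged flag:", relay_attack(hardened, 1_000_000))  # False
    print("hardened, $5 relayed unmodified:", relay_attack(hardened, 500, False))    # True
```

Two things stand out when running it. Binding the qualifier into the cryptogram stops the escalation to a large amount, because the issuer recomputes the MAC over the flag it actually receives and the rewritten flag no longer verifies. It does not stop a pure relay of a transit-sized tap (the $5 case), since the locked phone genuinely authorised that amount for what it believed was a gate; defeating that half of the attack needs a proximity check such as distance bounding, which this model does not include.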
The attack requires that the final card reader, the one the proxy device is tapped against, be online-connected. Transit gates themselves are usually operated offline, and nothing in the current flow detects that an Express Transit tap is being completed at a different kind of terminal. Apple has said that this decision lies with Visa and is outside its control.
Few Countermeasures Despite Known Risks
Why Visa has not yet introduced additional protective measures remains unclear. According to Veritasium, the company assumes that such attacks play no significant role in practice, and unauthorized payments can be disputed and reversed after the fact. Security researchers view the situation more critically: as early as 2021 they warned of realistic attack scenarios, especially with lost or stolen iPhones, where an attacker has the device in hand and the transaction needs no unlock.
Checking your own settings helps reduce the risk. Anyone using Express mode in public transport should check which card is set as the Express Transit card (Settings, Wallet & Apple Pay, Express Transit Card). Visa credit card users may wish to disable that setting or select a different card or payment method for it. Without a Visa card linked to Express mode, the attack as demonstrated is not possible in this form. This significantly reduces the risk, particularly if an iPhone is lost or falls into the wrong hands.