A security flaw discovered by UK researchers allows thieves to steal up to $10,000 from a locked iPhone using Apple Pay's Express Transit feature, and neither Apple nor Visa seems eager to own the problem.
The vulnerability bypasses Visa's built-in transaction limits when Express Transit is enabled. That's the feature designed to let you tap your phone at subway turnstiles without unlocking it: convenient for commuters, but a gift to anyone with a homemade NFC reader and bad intentions.
Here's the kicker: your phone can be completely locked, Face ID dormant, Touch ID idle, and a thief can still authorize a payment well beyond what transit systems normally allow. Researchers at the University of Birmingham and the University of Surrey demonstrated the attack using a custom NFC reader that mimics a transit terminal, tricking the phone into transmitting payment credentials without your biometric approval.
This isn't a universal Apple Pay meltdown. The exploit only works with Visa cards linked to Express Transit on iPhone. If you're using Mastercard, you're fine. Samsung Pay users? Also safe. It's a narrow technical crack, but it's a deep one.
The researchers went public with a full demonstration on the Veritasium YouTube channel, where they successfully extracted $10,000 from the locked iPhone of popular tech YouTuber Marques Brownlee (MKBHD). The video walks through the attack step by step. It's the kind of demonstration that makes you want to immediately open your Wallet app and start reviewing your settings.
Visa's official response boils down to: "This is a theoretical problem we don't expect to see in the wild, and even if it happens, you're covered." The company pointed to its zero liability policy, which reimburses cardholders for fraudulent charges. That's reassuring, until you think about the hassle of disputing a $10,000 phantom charge while you're just trying to get to work.
Apple, for its part, said the issue lies with the payment system, not the iPhone hardware. Translation: not our problem. Visa says it's a device issue. Apple says it's a payment network problem. Meanwhile, your phone is sitting there like a very expensive, very hackable transit pass.
Security experts recommend disabling Express Transit for Visa cards or removing the card from Apple Pay entirely until a fix arrives. It's not elegant, but it's effective. Go to Settings, tap Wallet & Apple Pay, select your Visa card, and turn off Express Transit Mode. You'll have to unlock your phone at the turnstile like it's 2015, but you won't wake up to a four-figure charge from a transit system you've never visited.
As of now, neither Apple nor Visa has announced a timeline for patching the vulnerability. So for the moment, convenience loses to security, and honestly, that's the way it should be.



















