
iPhone Express Transit Flaw Lets Thieves Steal $10,000. Locked iPhone Visa cards can be tapped for fraud; Apple and Visa have no fix

Researchers at Birmingham and Surrey showed a custom NFC reader can abuse iPhone Express Transit, letting thieves pull up to $10,000 from locked devices using Visa cards. Apple blames the payment network, Visa points to device flaws, and neither has issued a patch. Users should disable Express Transit for Visa cards until a fix is released.

20 April 2026


TLDR:

  • UK researchers found a flaw in iPhone’s Express Transit that lets thieves steal up to $10,000 from a locked phone using a homemade NFC reader.
  • The exploit works only with Visa cards enabled for Express Transit; Mastercard, other networks and Samsung Pay are unaffected.
  • Apple says it’s a payment‑system issue, Visa calls it a device problem; experts advise disabling Express Transit for Visa cards until a fix arrives.

A security flaw discovered by UK researchers allows thieves to steal up to $10,000 from a locked iPhone using Apple Pay's Express Transit feature, and neither Apple nor Visa seems eager to own the problem.

The vulnerability bypasses Visa's built-in transaction limits when Express Transit is enabled. That's the feature designed to let you tap your phone at subway turnstiles without unlocking it: convenient for commuters, but a gift to anyone with a homemade NFC reader and bad intentions.

Here's the kicker: your phone can be completely locked, Face ID dormant, Touch ID idle, and a thief can still authorize a payment well beyond what transit systems normally allow. Researchers at the University of Birmingham and the University of Surrey demonstrated the attack using a custom NFC reader that mimics a transit terminal, tricking the phone into transmitting payment credentials without your biometric approval.

This isn't a universal Apple Pay meltdown. The exploit only works with Visa cards linked to Express Transit on iPhone. If you're using Mastercard, you're fine. Samsung Pay users? Also safe. It's a narrow technical crack, but it's a deep one.

The researchers went public with a full demonstration on the Veritasium YouTube channel, where they successfully extracted $10,000 from the locked iPhone of popular tech YouTuber Marques Brownlee (MKBHD). The video walks through the attack step by step, the kind of demonstration that makes you want to immediately open your Wallet app and start reviewing your settings.

Visa's official response boils down to: "This is a theoretical problem we don't expect to see in the wild, and even if it happens, you're covered." The company pointed to its zero liability policy, which reimburses cardholders for fraudulent charges. That's reassuring, until you think about the hassle of disputing a $10,000 phantom charge while you're just trying to get to work.

Apple, for its part, said the issue lies with the payment system, not the iPhone hardware. Translation: not our problem. Visa says it's a device issue. Apple says it's a payment network problem. Meanwhile, your phone is sitting there like a very expensive, very hackable transit pass.

Security experts recommend disabling Express Transit for Visa cards or removing the card from Apple Pay entirely until a fix arrives. It's not elegant, but it's effective. Go to Settings, tap Wallet & Apple Pay, select your Visa card, and turn off Express Transit Mode. You'll have to unlock your phone at the turnstile like it's 2015, but you won't wake up to a four-figure charge from a transit system you've never visited.

As of now, neither Apple nor Visa has announced a timeline for patching the vulnerability. So for the moment, convenience loses to security, and honestly, that's the way it should be.
