Researchers were able to pull $10k from a locked iPhone via a trick that requires physical device access, perfect circumstances, and specialized hardware. Don't let fearmongering convince you to turn off Transit Mode.
Fear is one of the most commonly used emotions when trying to make content go viral. If you've watched TV in the past 40 years, you've seen a lot of late-night news broadcasts thrive on the "but it could happen to you" plot device.
YouTube is no stranger to using fear as a tactic, and one of the biggest tech YouTubers, Marques Brownlee, let the channel Veritasium steal $10k from his locked iPhone in a video. It utilized a man-in-the-middle technique where transaction handshakes are intercepted between an iPhone and a payment terminal.
Let's get this out of the way right at the top. It isn't going to happen to you, nor do you need to take any action to safeguard yourself from this very unlikely scenario.
In the simplest of terms, this hack requires your locked iPhone to be placed on an NFC reader connected to the bad actor's laptop. So, in other words, your iPhone needs to already be stolen.
Also, you specifically need to have a Visa card attached to the Express Transit slot in your Apple Wallet. That is because the entire process relies on a flaw in Visa's security protocols, not Apple's.
If those conditions are met and the bad actor initiates a payment on an also-hacked payment terminal, the requested funds will be authorized and go through. It isn't very sophisticated, but it does require very specific conditions to be met.
To be clear, there are much more effective ways to steal someone's money using technology. If you're being targeted at random, like with a gas station card skimmer, there's no real protection from that either.
If you've been targeted specifically because you might have a lot of money, this technique isn't really going to work either. You'd have to have kind of a Goldilocks situation where your target was wealthy, had an iPhone, and used a Visa card in Express Transit. And gave you the phone.
Even then, whatever was stolen would be refunded thanks to Visa's fraud protections. Sure, it could create an inconvenient situation for the cardholder, but it is also a situation that is easily resolved.
Take no action
The video goes out of its way to suggest that users protect themselves by turning off Express Transit. It also tries to partially blame Apple and attacks the idea of Express Transit being enabled by default.
One of the biggest benefits of Express Transit is being able to use your Apple Pay card even when the iPhone's battery has been exhausted. Turn off Express Transit to protect from this improbable threat, and you lose an incredibly useful feature.
The researchers also acted like it would be trivial to set up a public theft device that could perform this action from your pocket. Given what you can witness yourself from this video, it seems like that wouldn't work.
The device needs prolonged contact while the transaction is taking place, and the thief resting a device on your pocket would have to make sure their collaborator initiated a payment and tapped their hacked terminal all at once. All of this would have to take place over a local wireless connection, too.
As I said before, the most likely use case for such a hack is via a stolen device. Perhaps a thief could grab your iPhone, run to a hidden location, and perform the illicit transaction before you notice and lock your device via Find My.
Of course, that's if you have a Visa card in the Express Transit mode.
Let's call this a neat trick and move on with our lives. If a mass theft effort breaks out due to this highly specific vulnerability, AppleInsider will let you know.
The vulnerability was first shared with the public in 2021. Mass fraud hasn't occurred with it, and probably won't ever.
Visa stands by its stance that it is a problem of so little consequence that expending the manpower to patch it is more costly than refunding money if someone is targeted.







