Using your phone to tap and pay for everything from public transport to supermarket shopping — and even higher-value items — is now routine, but researchers have highlighted a long-standing weakness that could be abused to drain a bank account.
Although the method is far from straightforward, cybersecurity specialists say there’s a serious issue in the way iPhones handle certain contactless payments — and it can reportedly be exploited even when the device is locked with the screen turned off.
Science and education YouTube channel Veritasium recently demonstrated the problem in a video, showing a test in which $10,000 was pulled from an iPhone within seconds using a small set of equipment.
The scenario primarily affects people who have a Visa card added to their phone. In theory, an attacker could place a modified reader close to the device and trigger a payment without the owner realizing immediately.
The technique is described as a “man in the middle” attack, where the criminal essentially intercepts and relays communications that would normally happen between a phone and a legitimate transit payment terminal.
Transit tap-to-pay readers — like those used at subway gates and bus stations — are different from typical contactless readers because they’re designed to work quickly without requiring you to unlock your phone first.
That convenience comes with risk: researchers have shown it may be possible to capture the wireless signals emitted by transit terminals and use them to trick an iPhone into treating the interaction as a transit fare payment, bypassing the usual unlock step.
In the Veritasium demonstration, two experts who identified the flaw in Apple’s tap-to-pay process helped illustrate how the weakness could be exploited. They explained that by making small adjustments to the payment-related binary on the device, an attacker could manipulate how the transaction is interpreted — even while the phone remains locked.
The vulnerability was uncovered by Ioana Boureanu of the University of Surrey and Tom Chothia of the University of Birmingham. They began by recording data transmitted by real transit terminals and then experimenting with modifications.
They found the issue specifically impacted iPhones configured with a Visa card, while other setups were not affected in the same way. The researchers argue a particular gap in the security interaction between the Apple device and the Visa card workflow could allow a payment amount to be altered — limited only by the funds available in the account.
Using equipment that makes a phone believe it’s near a transit gate, the attacker can intercept the phone’s response and then present altered data that makes a high-value purchase appear to the phone as a low-value transit transaction. In the test, that manipulation allowed $10,000 to be treated as though it were a small charge.
Even so, the process isn’t described as easy. Beyond the initial deception, additional steps are needed to get past Visa’s encryption checks so that the payment is accepted, and there are technical reasons the method works in the first place.
It’s also important context that this exploit has been publicly known since 2021 and depends on two key conditions: the target must be using an iPhone and must have a Visa card set up in a way that supports transit-style payments.
On top of that, the hardware and software arrangement is complicated. It involves a particular kind of reader connected to a laptop, plus a separate payment terminal used to submit the fraudulent transaction — meaning it could realistically take two people working together.
While it’s conceivable that knowledgeable criminals could assemble the tools and attempt it in public, they would still need to get physically close enough to hold the device against someone’s iPhone to initiate the payment.
Apple has been approached for comment.