Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones

Researchers in the U.K. have demonstrated how large unauthorized contactless payments can be made on locked iPhones by exploiting Apple Pay's Express Transit feature when set up with Visa.

Express Transit is an Apple Pay feature that allows for tap-and-go payment at ticket barriers, eliminating the need to authenticate with Face ID, Touch ID, or a passcode. The device does not need to be wakened or unlocked to use Express Transit.

Computer Science researchers from Birmingham and Surrey Universities demonstrated to the BBC how the attack works by exploiting a weakness in the Visa contactless system through the use of a small piece of commercially available radio equipment, which is placed near the phone and masquerades as a ticket barrier.

An Android phone running an app developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal and modifies the communications to fool the terminal into acting as if the iPhone has been unlocked and a payment authorized.

In demonstrating the attack, researchers made a contactless Visa payment of £1,000 from a locked iPhone. The scientists only took money from their own accounts. The researchers said the Android phone and payment terminal used don't need to be near the victim's iPhone as long as there's an internet connection.

Apple told the BBC the matter was an issue with the Visa system.

"We take any threat to users' security very seriously," said Apple. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

The researchers said the attack might be easiest to deploy against a stolen iPhone, although there's no evidence that the hack has been used in the wild. Visa said payments were secure and attacks of this type were impractical outside of a lab.

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," said a Visa spokesperson. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed. The researchers also tested Express Transit with Mastercard but found that the way its security works prevented the attack.

"It has some technical complexity," said Dr Andreea Radu, of the University of Birmingham, who led the research. "But I feel the rewards from doing the attack are quite high. In a few years these might become a real issue."

Dr Tom Chothia, also at the University of Birmingham, advised iPhone users to check if they have a Visa card set up to use Express Transit and if so, disable it. "There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are," he said.


Top Rated Comments

canadianreader
52 months ago
"The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed."

Rough week for Apple?
Score: 27 Votes
match14
52 months ago
In the article on the BBC website, it said the researchers also tested this with a MasterCard but found its security prevented the attack.
Score: 18 Votes
matrix07
52 months ago

Apple Security has got infected with Jelly Roll
What's it got to do with Apple when this hack can do nothing on the same system with Master Card?
Score: 12 Votes
Richu
52 months ago
Tbh the consumers aren’t at risk since VISA covers eventual losses. There’s nothing to be upset about.

There’s a countless number of scams that can be run against VISA. that they do risk/reward calculations on different prevention systems.
- A lot of the time the scams aren’t profitable (or even doable) for the scammer to run at scale
- Other times it’s not profitable to prevent at scale, thus better to just absorb the cost and compensate the consumer
- Lastly, sometimes it makes sense to prevent the scam... A lot of we’ve never heard of because they’re already prevented
Score: 12 Votes
matrix07
52 months ago

Where’s the people who was telling everyone they only trust their credit card to Apple and non third parties?

The irony.
Re-read the article perhaps.
Score: 11 Votes
Pezimak
52 months ago
I appreciate Visa defending here claiming it's not possible to do outside a lab and Apple seemingly just passing the blame and responsibility onto Visa, but organised gangs will find a way regardless if the exploit exists, besides I find it incredibly stupid to allow your phone to be used for payments of anything WITHOUT unlocking it in any way.
I suggest they forget the convenience and activate some security. People will just have to unlock their phones, better safe than sorry as they say.
Score: 9 Votes