Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones - MacRumors
Skip to Content

Security Experts Warn of Apple Pay Express Transit Hack That Enables Large Unauthorized Visa Payments From Locked iPhones

Researchers in the U.K. have demonstrated how large unauthorized contactless payments can be made on locked iPhones by exploiting Apple Pay's Express Transit feature when set up with Visa.

apple pay express transit london
Express Transit is an ‌Apple Pay‌ feature that allows for tap-and-go payment at ticket barriers, eliminating the need to authenticate with Face ID, Touch ID, or a passcode. The device does not need to be wakened or unlocked to use Express Transit.

Computer Science researchers from Birmingham and Surrey Universities demonstrated to the BBC how the attack works by exploiting a weakness in the Visa contactless system through the use of a small piece of commercially available radio equipment, which is placed near the phone and masquerades as a ticket barrier.

An Android phone running an app developed by the researchers is used to relay signals from the iPhone to a contactless payment terminal and modifies the communications to fool the terminal into acting as if the iPhone has been unlocked and a payment authorized.

In demonstrating the attack, researchers made a contactless Visa payment of £1,000 from a locked iPhone. The scientists only took money from their own accounts. The researchers said the Android phone and payment terminal used don't need to be near the victim's iPhone as long as there's an internet connection.

Apple told the BBC the matter was an issue with the Visa system.

"We take any threat to users' security very seriously," said Apple. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

The researchers said the attack might be easiest to deploy against a stolen iPhone, although there's no evidence that the hack has been used in the wild. Visa said payments were secure and attacks of this type were impractical outside of a lab.

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," said a Visa spokesperson. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed. The researchers also tested Express Transit with Mastercard but found that the way its security works prevented the attack.

"It has some technical complexity," said Dr Andreea Radu, of the University of Birmingham, who led the research. "But I feel the rewards from doing the attack are quite high. In a few years these might become a real issue."

Dr Tom Chothia, also at the University of Birmingham, advised iPhone users to check if they have a Visa card set up to use Express Transit and if so, disable it. "There is no need for ‌Apple Pay‌ users to be in danger, but until Apple or Visa fix this they are," he said.

Related Roundup: Apple Pay

Popular Stories

American Express Gold Apple Pay Feature

American Express Announces New Apple Pay Feature

Tuesday June 30, 2026 10:27 am PDT by
American Express today announced that you can now redeem Membership Rewards points when checking out with Apple Pay on the web and in apps on the iPhone and iPad. When checking out with Apple Pay on iOS 18 or iPadOS 18 or later, tap on your eligible American Express card (Platinum, Gold, Green, and others) and select the Membership Rewards points option. You can use points to cover all or...
Apple TV Thumb 3

Everything Coming in the 2026 Apple TV 4K

Wednesday July 8, 2026 4:51 pm PDT by
The Apple TV 4K hasn't been updated since 2022, and it's due for a refresh. An update is planned for 2026, but Apple is likely going to wait to launch it after Siri AI launches in iOS 27. Design Apple TV design updates don't happen often, and that's not changing. The next Apple TV is going to have the same squircle shape as the current model, and it'll continue to be made from a black...
iphone 16 teal

'Siri AI' Lawsuit Update: Apple to Pay Owners of These iPhone Models

Thursday July 9, 2026 7:08 am PDT by
In May, Apple agreed to pay $250 million to settle a U.S. class action lawsuit over Siri AI's delayed launch, and eligible iPhone users could receive up to a $95 payout. This week, the California court overseeing the case held a hearing regarding preliminary approval of the settlement, but the judge has not yet issued a ruling. It will likely be at least a few more months before eligible...

Top Rated Comments

canadianreader Avatar
62 months ago
"The researchers told the BBC they first approached Apple and Visa with their concerns almost a year ago, but despite "useful" conversations, the problem has not yet been fixed."

Rough week for Apple 😆
Score: 27 Votes (Like | Disagree)
match14 Avatar
62 months ago
In the article on the BBC website, it said the researchers also tested this with a MasterCard but found its security prevented the attack.
Score: 18 Votes (Like | Disagree)
matrix07 Avatar
62 months ago

Apple Security has got infected with Jelly Roll
What's it got to do with Apple when this hack can do nothing on the same system with Master Card ?
Score: 12 Votes (Like | Disagree)
62 months ago
Tbh the consumers aren’t at risk since VISA covers eventual losses. There’s nothing to be upset about.

There’s a countless number of scams that can be run against VISA. that they do risk/reward calculations on different prevention systems.
- A lot of the time the scams aren’t profitable (or even doable) for the scammer to run at scale
- Other times it’s not profitable to prevent at scale, thus better to just absorb the cost and compensate the consumer
- Lastly, sometimes it makes sense to prevent the scam... A lot of we’ve never heard of because they’re already prevented
Score: 12 Votes (Like | Disagree)
matrix07 Avatar
62 months ago

Where’s the people who was telling everyone they only trust their credit card to Apple and non third parties?

The irony.
Re-read the article perhaps.
Score: 11 Votes (Like | Disagree)
MathersMahmood Avatar
62 months ago
Lord have mercy are we in a branch reality or are we all dreaming here. It's one thing after another.
Score: 9 Votes (Like | Disagree)