Byte-size Bulletins

Apple Pay flaw allows hackers to drain money from a locked iPhone

Written by Rachael Brown | Oct 1, 2021

A major flaw in iPhone’s Apple Pay service could be exploited to steal money by taking advantage of its ‘Express Travel’ mode of contactless payment.

Typically, users must confirm a transaction using a passcode, fingerprint or facial recognition to prevent stolen or lost iPhones from being used for purchases. 


But with Express Travel mode, which has been designed for use on public transport including London’s Oyster network and First Bus system, this authentication isn't required. Users simply tap their phones against a terminal and payment will be issued.

Because of this according to researchers at the Universities of Birmingham and Surrey, hackers could drain money from iPhones with Express Travel Mode enabled by imitating the signal of a public transport terminal.

The researchers, who were able to make a £1,000 payment using a locked phone, proved the signal will trick the iPhone into accepting a transaction.

Because there is no limit on Apple Pay transactions, unlike contactless cards which cap payments at £45, hackers could in theory drain a person’s entire bank account or their credit card limit by just stealing an iPhone.

It’s important to note that this flaw only works with Visa cards on the Apple Pay service. Mastercard or American Express cards have an extra authentication process that blocks such payments.

And Samsung phones, which have a similar public transport payment service do not have this flaw, not even when working with Visa cards.

If you have a Visa card activated on your Apple Pay, don’t panic! Express Travel is an opt-in feature of the service that cant be activated without your consent. If you do have it activated, this research may make you rethink if the convenience of the feature outweighs its potentially catastrophic risks.

Ioana Boureanu from the University of Surrey's Centre for Cyber Security Stated that "Apple Pay users should not have to trade-off security for usability, but at the moment some of them do"

What this flaw truly demonstrates is the importance of multi-factor authentication. In instances where a hacker has your phone and you have Apple Pay enabled, it provides a lasting critical layer of security that prevents them from accessing your private data and money.

Visa has commented in a statement that this research shouldn't be seen as highlighting a major risk since contactless fraud schemes have “proven to be impractical to execute at scale in the real world.” Despite this, the mere fact alone this form of fraud can be executed is alarming, and many argue Visa is going to downplay the risks to not alarm their customers.

Express travel is arguably not a necessary feature, considering that using fingerprint recognition as your form of multi-factor authentication only takes a few seconds. It’s the ultimate embodiment of putting convenience above security, and as scammers become more sophisticated we are likely to see more issues emerge related to this contactless flaw.

While using multi-factor authentication may increase your time tapping out of the tube, that time is well worth the massive increase in security it provides, considering we store so much personal data from banking to logins on our phones.

Photo by CardMapr on Unsplash