Improbable Visa Loophole Allows Researchers to Bypass Apple Pay Security for $10,000

Researchers bypassed iPhone security to steal $10,000 using a Visa loophole. Learn why this Apple Pay Express Transit exploit is unlikely to affect you.

By: AXL Media

Published: Apr 16, 2026, 9:40 AM EDT

Source: Information for this report was sourced from AppleInsider

A Theoretical Heist in a Controlled Environment

The cybersecurity community has recently focused its attention on a sophisticated "man in the middle" attack that exposes a vulnerability in the intersection of Apple and Visa technologies. In a highly publicized demonstration, the educational channel Veritasium successfully extracted $10,000 from a locked iPhone belonging to tech reviewer Marques Brownlee. The exploit relies on intercepting the "handshake" between a mobile device and a payment terminal, effectively tricking the hardware into authorizing a massive transaction without the owner’s biometric consent. Despite the staggering dollar amount involved, security analysts note that the conditions required for this heist are so specific that they borders on the impossible for common street thieves.

The Role of Express Transit Mode

The core of the vulnerability lies in a feature known as Express Transit, which is designed to allow commuters to pay for fares by tapping their iPhone or Apple Watch without waking the device or using Face ID. This feature remains active even when the iPhone's battery is exhausted, providing a critical convenience for transit users. However, researchers discovered that by broadcasting specific "magic bytes" captured from actual transit gates, they could fool a locked iPhone into believing it was communicating with a subway turnstile. This unauthorized "wake up" signal allows a malicious reader to initiate a transaction that the phone’s security protocols would otherwise block.

Visa Protocol Flaws Under Scrutiny

While Apple and Visa have both been informed of the loophole, the responsibility for a fix remains a point of contention between the two giants. The exploit is notably exclusive to Visa cards, as Mastercard employs additional verification layers that prevent this specific type of relay attack. According to security researchers from the University of Birmingham, the issue persists because Visa’s protocol allows the bypass of contactless transaction limits when the system identifies the reader as a transit terminal. Despite the clear security risk, Visa has reportedly maintained that the cost of implementing a global protocol patch outweighs the actual risk of fraud, given the physical proximity and specialized hardware required to execute the attack.