Persistent Visa Payment Vulnerability Allows Funds To Be Drained From Locked iPhones Via Transit Mode

Learn how a specific Visa exploit allows thieves to drain funds from a locked iPhone using Express Transit mode and how to secure your Apple Wallet.

By: AXL Media

Published: Apr 16, 2026, 9:41 AM EDT

Source: Information for this report was sourced from Yahoo Tech


The Technical Mechanics of the Express Transit Security Bypass

A specialized iPhone exploit is drawing renewed attention for its ability to extract unlimited funds from a mobile wallet, even when the device remains securely locked. The vulnerability leverages Apple’s Express Transit mode, a feature designed to facilitate rapid tap-and-go payments at subway turnstiles and bus readers without biometric authentication. According to David Phelan, the exploit tricks the hardware into misidentifying a high-value fraudulent transaction as a routine low-cost transit fare, effectively opening a backdoor to the user’s linked bank account.

Relay Attacks and the Role of Sophisticated Fraudulent Equipment

The execution of this theft requires a complex physical setup involving a laptop, an NFC card reader, and a secondary mobile device. In a demonstration validated by researchers from the University of Surrey and the University of Birmingham, payment data is captured from a locked iPhone and transmitted to a laptop. This data is then modified with security-dodging code before being relayed to a second phone, which completes the transaction at a standard retail terminal. The effectiveness of this method was highlighted in a recent video where a $10,000 withdrawal was successfully processed from a single device.

Network Specificity and the Immunity of Competing Payment Systems

While the threat is technically significant, it is limited to one payment network within Apple Wallet. Investigations confirm that this is not an inherent flaw in Apple’s hardware but rather a specific issue with Visa’s processing protocols for transit transactions. Users whose cards are Mastercard or American Express are currently unaffected by this specific loophole. Furthermore, the exploit does not work on Samsung Pay, so users of the rival manufacturer’s ecosystem are not exposed to this particular relay threat.
