They targeted Apple Pay’s Express Transit Mode, which allows payments without unlocking the iPhone

This kind of claim tends to get exaggerated in social media coverage, so it’s worth separating what’s technically possible in theory from what’s actually practical in real-world conditions.

:mobile_phone: What this is likely referring to

Modern iPhones have an NFC-based feature called Express Mode (Express Transit) within Apple Pay. It allows certain transit payments to work:

  • From a locked iPhone

  • Without Face ID / Touch ID

  • Using the card the user has designated as the Express Transit card, and only toward a reader the phone takes to be a transit terminal

This is designed for speed at subway gates and buses, not general payments.

A linked Visa card can be part of Apple Pay, but it is still protected by Apple’s tokenization system and Secure Element hardware.


:brain: Why the “attack” is not simple

What’s being described (as highlighted in the Veritasium discussion) involves a scenario like:

  • An attacker tries to trigger NFC communication

  • Makes the phone behave as if it’s interacting with a transit terminal

  • Attempts to trigger a payment flow without unlocking the device

However, in practice:

1. You still need physical proximity

  • NFC range is extremely short (a few centimeters)

  • The attacker must be very close to the device

2. The iPhone uses Secure Element isolation

  • The underlying card number is never transmitted; a device account number (token) is used in its place

  • Each transaction carries a one-time cryptogram computed inside the Secure Element, so a captured exchange cannot simply be replayed

  • The payment keys and authorization logic live in the Secure Element, isolated from iOS

3. Transit mode is tightly constrained

  • Express Mode only works for the card the user has designated for transit, and only when the reader presents itself as a transit terminal

  • It does not broadly allow arbitrary Visa payments just because NFC is active


:test_tube: What security researchers usually test

When similar demonstrations appear, they typically rely on:

  • Specialized NFC relay equipment

  • Carefully controlled lab conditions

  • Edge-case configurations (such as a card enabled for Express Transit)

Even then, most realistic attacks still require:

  • Close physical access to the device

  • Sometimes the phone being left unattended


:shield: Why real-world theft is still unlikely

For everyday users, several protections remain in place:

  • Payments normally require Face ID / Touch ID

  • Apple Pay uses device-specific encrypted tokens

  • Each transaction is bound to a fresh cryptogram and a transaction counter that the issuer verifies

  • Lost Mode can disable payments immediately


:pushpin: Bottom line

There is no simple “tap a locked iPhone and drain a Visa card” exploit in normal conditions. What exists are highly constrained, proximity-based edge cases involving transit-style NFC behavior, not a general payment bypass that can be easily exploited at scale.

If you want, I can break down how Apple Pay tokenization actually works under the hood—it’s the part that prevents most NFC payment attacks from becoming real-world fraud tools.

What you’re describing is broadly based on a real class of NFC research attacks, but it’s important to separate a controlled academic proof-of-concept from something that can realistically drain someone’s phone in everyday life.

:test_tube: What the research actually is

The work from researchers at the University of Birmingham and the University of Surrey, disclosed in 2021 and published as "Practical EMV Relay Protection" (IEEE Symposium on Security and Privacy, 2022), demonstrates a relay-style attack against contactless payment flows.

In simple terms:

  • An attacker does not “hack” the phone directly

  • They relay NFC communication between:

    • a victim’s phone

    • and a legitimate payment terminal

This is sometimes called a man-in-the-middle relay attack: the phone and the terminal each see what looks like a normal exchange, while the attacker's equipment carries the messages between them.


:mobile_phone: Why the iPhone matters here

The scenario involves Express Transit / Express Mode on an iPhone, where:

  • A small subset of payments can be made while the phone is locked

  • This is designed for speed at transit gates

  • It bypasses Face ID/Touch ID only in that specific transit context

That design choice is what makes the experiment possible in a lab setting.


:credit_card: Where Visa fits in

The demonstration often uses Visa cards because:

  • In the Visa contactless flow the phone has no reliable way to confirm that the reader really is a transit terminal, so a rogue reader that mimics one is accepted

  • The researchers reported that the same approach did not work with Mastercard on the same phones, because that flow tells the phone the merchant type and a non-transit merchant is refused from the lock screen

But importantly:

  • This is not a "Visa encryption break": no keys or cryptograms are recovered

  • It is a relay that makes the phone authorize, from the lock screen, a transaction it believes is a transit fare


:gear: Why it’s not a practical real-world scam

Even though demos (like the Veritasium-style recreation) show dramatic outcomes, real-world use is heavily constrained:

1. Physical constraints

  • NFC range is only a few centimeters

  • The attacker's reader has to stay within a few centimetres of the phone for the whole exchange, for example held against a bag or pocket

2. Timing problem

  • Every relayed message adds latency on both hops, and the real terminal will time out or abandon the transaction if replies arrive too slowly

  • The relay therefore has to complete each round trip within the terminal's bound; the defence the researchers proposed is precisely to enforce a tight timing bound at the reader

3. Device + card conditions

It only works under a narrow set of conditions:

  • Express Transit enabled

  • Compatible card type

  • The phone within reach of the attacker's reader for as long as the relay runs

4. Financial protections exist

  • Card networks (including Visa) provide zero-liability fraud protection

  • Transactions can be disputed and reversed


:brain: Key misunderstanding to avoid

This is not:

  • A remote hack

  • A way to “drain a locked iPhone anytime”

  • A general Apple Pay vulnerability

It is:

  • A niche relay attack on a specific payment mode

  • Demonstrated under controlled conditions

  • Disclosed to Apple and Visa before publication, and known to researchers and payment networks


:pushpin: Bottom line

The exploit is real in an academic sense, but it relies on a tight combination of timing, proximity, and configuration that makes large-scale or casual theft extremely unlikely. It highlights how contactless payment systems can be tricked in theory, not that everyday iPhone users are broadly exposed to wallet draining attacks.
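Two of the points above turn on the same mechanics: the device token and one-time cryptogram under ":brain: Why the "attack" is not simple", and the timing constraint under ":gear: Why it's not a practical real-world scam". The toy simulation below is an added example written for this page; it is not the Birmingham/Surrey researchers' tooling and not Apple's or Visa's actual protocol. The message layout, the FakeClock, the 2 ms device time, the 40 ms relay hop, the 10 ms terminal bound and the token string are all assumptions chosen to make the outcomes visible.

```python
# Toy model of a contactless (EMV-style) payment exchange, constructed for illustration only.
import hmac
import os


class FakeClock:
    """Deterministic millisecond clock, so the timing check is reproducible."""
    def __init__(self):
        self.ms = 0.0

    def now(self):
        return self.ms

    def advance(self, ms):
        self.ms += ms


class Device:
    """Stand-in for the phone's Secure Element: a device-bound key and a device account
    token; the real card number never appears in any message."""
    def __init__(self, token, device_key):
        self.token, self.key = token, device_key
        self.atc = 0  # application transaction counter, strictly increasing

    def respond(self, challenge, amount, clock):
        self.atc += 1
        msg = challenge + amount.to_bytes(4, "big") + self.atc.to_bytes(2, "big")
        cryptogram = hmac.new(self.key, msg, "sha256").digest()[:8]  # one-time value
        clock.advance(2.0)  # assumed ~2 ms for the genuine on-phone computation
        return {"token": self.token, "atc": self.atc, "amount": amount, "cryptogram": cryptogram}


class Issuer:
    """Holds each device's key; rejects bad cryptograms and counters already seen."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def register(self, device):
        self.keys[device.token], self.last_atc[device.token] = device.key, 0

    def authorize(self, challenge, reply):
        key = self.keys.get(reply["token"])
        if key is None or reply["atc"] <= self.last_atc[reply["token"]]:
            return False  # unknown token, or a counter already used: a replayed reply
        msg = challenge + reply["amount"].to_bytes(4, "big") + reply["atc"].to_bytes(2, "big")
        expected = hmac.new(key, msg, "sha256").digest()[:8]
        if not hmac.compare_digest(expected, reply["cryptogram"]):
            return False
        self.last_atc[reply["token"]] = reply["atc"]
        return True


class Terminal:
    """Merchant reader: fresh challenge, time the reply, then ask the issuer."""
    def __init__(self, issuer, clock, max_reply_ms=None):
        self.issuer, self.clock, self.max_reply_ms = issuer, clock, max_reply_ms

    def transact(self, card, amount):
        challenge = os.urandom(4)  # unpredictable number: replies cannot be precomputed
        start = self.clock.now()
        reply = card(challenge, amount, self.clock)
        elapsed = self.clock.now() - start
        if self.max_reply_ms is not None and elapsed > self.max_reply_ms:
            return "declined: reply too slow"
        if not self.issuer.authorize(challenge, reply):
            return "declined: cryptogram or counter check failed"
        return "approved"


def relay(victim, hop_ms):
    """Attacker's two radios forwarding each message to the victim's distant phone.
    The phone computes a genuine cryptogram, so only the added latency gives it away."""
    def respond(challenge, amount, clock):
        clock.advance(hop_ms)  # terminal -> attacker reader -> attacker emulator -> phone
        reply = victim.respond(challenge, amount, clock)
        clock.advance(hop_ms)  # and back
        return reply
    return respond


def run_scenarios():
    """Outcome of each scenario, keyed by a short description."""
    clock, issuer = FakeClock(), Issuer()
    phone = Device(token="DAN-EXAMPLE-0001", device_key=os.urandom(32))  # constructed token
    issuer.register(phone)
    lax = Terminal(issuer, clock)                      # no relay protection
    strict = Terminal(issuer, clock, max_reply_ms=10)  # assumed 10 ms bound, illustrative only
    captured = {}

    def sniffed(challenge, amount, clk):  # passive eavesdropper on a genuine tap
        captured["reply"] = phone.respond(challenge, amount, clk)
        return captured["reply"]

    return {
        "genuine tap": strict.transact(sniffed, 250),
        "replay of captured reply": strict.transact(lambda c, a, k: captured["reply"], 250),
        "relay, no timing bound": lax.transact(relay(phone, hop_ms=40), 1000),
        "relay, timing bound": strict.transact(relay(phone, hop_ms=40), 1000),
    }
```

Calling run_scenarios() gives four outcomes: the genuine tap is approved; replaying the captured reply is declined, because its counter has already been used and its cryptogram was bound to a different challenge; the relay is approved by the terminal with no timing bound, because the victim's phone really did compute the cryptogram; and the same relay is declined by the terminal that bounds reply time. That contrast is the point of the two sections it illustrates: tokenization and one-time cryptograms defeat sniff-and-replay, not relay, so protection against relay has to come from timing at the reader or from the phone being able to tell what kind of terminal it is talking to.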