The Apple Pay NFC Relay Attack - iPhone Vulnerability Explained

Apple Pay NFC relay attack showing a locked iPhone being exploited to make unauthorized contactless payment via Visa terminal
In April 2026, the popular science channel Veritasium published a video that blindsided millions of iPhone users. In it, two cybersecurity professors built an attack live on camera — using hardware available on Amazon — and extracted $10,000 from YouTuber Marques Brownlee's locked iPhone. He never touched his phone. He never approved a payment. He never saw an alert. The money was simply gone.

What makes this more unsettling is that the vulnerability was not discovered in 2026. It was disclosed to Apple in October 2020 and to Visa in May 2021. Five years later, neither company has pushed a software fix. The attack that Veritasium demonstrated is the same attack researchers documented half a decade ago, still working, still unpatched, still exploitable on any iPhone with a Visa card configured in Express Transit mode.

This post breaks down exactly how the attack works at a technical level, why it exists, why it has not been fixed, what the real-world risk looks like, and what you can do about it right now.

Key Facts at a Glance
Discovered: 2020–2021 by researchers at University of Surrey and University of Birmingham
Demonstrated publicly: Veritasium, April 2026 — $10,000 stolen from MKBHD's locked iPhone
Affected devices: iPhones with Visa card configured in Express Transit mode
NOT affected: Mastercard, American Express, Samsung Pay, Google Pay
Current status: Unpatched. Neither Apple nor Visa has issued a software fix.
Visa's protection: Zero Liability Policy covers fraudulent transactions after dispute

The Research Behind It — Meet the People Who Found This

This is not the work of anonymous hackers or underground forums. The attack was formally researched and documented by academic security teams: Andreea-Ina Radu and Professor Tom Chothia at the University of Birmingham, and Professor Ioana Boureanu, Christopher J.P. Newton, and Liqun Chen at the University of Surrey. Their full paper — titled Practical EMV Relay Protection — was presented at the 43rd IEEE Symposium on Security and Privacy in 2022, one of the most prestigious academic venues in the field.

They disclosed the vulnerability to Apple in October 2020 and to Visa in May 2021. Both companies acknowledged its seriousness. Neither fixed it. As the researchers stated publicly: "Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely."

That quote — from a peer-reviewed IEEE paper — is the most important sentence in this entire story. It is not a software bug waiting for a patch cycle. It is a responsibility gap between two trillion-dollar companies, and users are caught in the middle.

Understanding NFC and Why Proximity Does Not Mean Trust

Near Field Communication (NFC) is a short-range wireless protocol that operates at 13.56 MHz and is designed to work over distances of approximately 4 centimetres. It is the technology powering contactless payments — tap your phone or card against a reader, and a transaction completes in milliseconds.

The foundational security assumption of NFC is that physical proximity equals trust. If your device is communicating with a reader, it must be close to that reader, and therefore you as the user must be present and intending to pay. This assumption is reasonable for face-to-face retail transactions. It becomes a dangerous fiction when relay attacks are introduced.

A relay attack extends the effective range of NFC communication across any distance by using two devices that forward messages between the card and the reader in real time. The card thinks it is talking to a nearby reader. The reader thinks it is talking to a nearby card. Neither is aware that both ends of the conversation are actually being proxied through an attacker's infrastructure. Physical proximity — the entire security foundation of contactless payment — is completely bypassed.

Express Transit Mode — Convenience as an Attack Surface

Apple introduced Express Transit mode in May 2019 to solve a genuine user experience problem. Transit gates at subway stations and bus barriers have strict time requirements — a gate needs to validate and open within a fraction of a second. Requiring Face ID or a passcode for every tap is too slow for this use case.

The solution was to designate a specific card as a transit card that could transact without authentication. When the iPhone detects what it believes is a transit terminal, it processes the payment silently, without waking the screen, without requesting biometrics, and without showing a payment confirmation. Tap, pay, go.

The mechanism that identifies a transit terminal is a specific non-standard sequence of bytes — sometimes called "magic bytes" — that precedes the standard ISO 14443-A WakeUp command. When the iPhone's NFC stack sees this specific byte sequence, it switches into Express Transit mode and bypasses all authentication requirements. This magic byte sequence is the first thing an attacker needs to replicate.

As the researchers put it: "If a nonstandard sequence of bytes precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader." Those bytes are not secret. They can be captured from any legitimate transit reader and replayed by an attacker's device indefinitely.

The Hardware Setup — What the Attack Actually Requires

The Veritasium video shows the equipment openly. Understanding it demystifies both the threat and its limitations.

The core device is a Proxmark — a specialized NFC research tool originally designed for security professionals and penetration testers. It can act as both a card reader emulator and a card emulator, intercepting and replaying NFC communications. The Proxmark is connected via USB to a laptop, which serves as the relay bridge.

The second device is an NFC-enabled Android phone acting as a card emulator — the end that communicates with the payment terminal. The Proxmark communicates with the victim's iPhone, and the laptop relays those messages over WiFi to the Android phone, which presents itself to a real payment terminal as if it were the victim's Visa card.

In the Veritasium demonstration, the Proxmark was tuned to broadcast the magic bytes that identify it as a transit terminal. When brought close to Brownlee's iPhone — without the phone being unlocked, without any screen interaction — the iPhone entered Express Transit mode and began responding to payment protocol messages. Those messages were forwarded through the laptop to the Android phone, which tapped against a legitimate card reader and completed a $10,000 transaction.

The entire attack chain looks like this: attacker's NFC emulator broadcasts transit magic bytes → victim's iPhone responds in Express Transit mode → messages relayed over WiFi to Android phone → Android taps real payment terminal → terminal charges Visa card → transaction completes. No unlock. No Face ID. No user awareness.

The CTQ Bit Flip — How Transaction Limits Get Bypassed

Contactless payments normally have a transaction limit — in the UK it is £100, in India it is around ₹5,000 — designed specifically to limit fraud exposure. A key technical question is: how does a $10,000 transaction clear without triggering this limit?

The answer is a two-bit manipulation in the transaction data stream. During an EMV transaction, the iPhone transmits a data structure called the Card Transaction Qualifiers (CTQ). This structure contains a bit flag for what is called Consumer Device Cardholder Verification Method (CD-CVM) — a flag that tells the payment terminal whether on-device authentication has been performed (fingerprint, Face ID, PIN).

When this bit is set to 1, the terminal interprets it as confirmation that the user has authenticated on the device and approved the transaction. Contactless payment limits are tied to this flag: if authentication is confirmed, the limit does not apply. The attacker's relay device intercepts the CTQ data from the iPhone and flips this bit before forwarding it to the terminal, telling the terminal that authentication has been completed on the device. It has not. The iPhone has done nothing. But the terminal has no authenticated copy of the flag to compare against, so it believes the user has authorized the payment and processes it for any amount.

The researchers noted that the CTQ value appears in two messages transmitted by the iPhone and must be modified in both instances for the attack to work — a detail that reveals just how precisely engineered this exploit is. This is not a blunt attack. It is surgical manipulation of a specific two-bit flag in a specific field in a specific protocol message.

Why Only Visa? Why Not Mastercard or Amex?

This is one of the most important technical distinctions in the entire attack and it is not accidental. Mastercard and American Express both require an additional cryptographic verification step during the transaction that Visa does not always enforce when the terminal is online. Specifically, Mastercard runs a signature-based verification that cannot be spoofed without access to the card's private key. This check occurs regardless of what the CTQ flags say.

Visa's protocol, in certain transaction contexts — particularly those flagged as transit transactions — does not enforce this additional check at the terminal level. The CTQ flag manipulation is sufficient to authorize the transaction. This is the Visa-specific protocol gap that the researchers identified and that Apple attributed the vulnerability to when speaking to Veritasium.

Samsung Pay on Android is also immune to this specific attack. Samsung devices check the actual transaction amount before allowing authentication bypass for transit payments. If the amount exceeds a defined threshold, authentication is required regardless of the terminal type. Apple's implementation does not perform this check — it trusts the terminal's identification as a transit system and processes accordingly.

The Accountability Standoff — Five Years of Finger-Pointing

The most significant aspect of this vulnerability is not the technical elegance of the exploit. It is the institutional failure that has left it unpatched for five years.

Apple's official position, delivered to Veritasium in 2026, is that the vulnerability is a concern connected to the Visa system. Apple argues that it is Visa's transaction processing that fails to reject the spoofed authentication flag, and therefore Visa is responsible for the fix.

Visa's official position is that the attack is unlikely to occur in the real world given the multiple layers of security in place, and that any fraudulent transactions are covered by Visa's zero liability policy — meaning the cardholder can dispute and recover the charge. Visa also argued the attack requires specialized hardware and significant technical expertise.

The researchers' formal analysis directly addressed this standoff. Their peer-reviewed paper demonstrated that either Apple or Visa could individually fix this vulnerability without requiring cooperation from the other. Apple could add an amount check before allowing Express Transit transactions, rejecting anything above transit fare thresholds. Visa could enforce the CD-CVM verification step at the network level, refusing to process transactions where the flag has been set without a corresponding cryptographic proof. Either fix would break the attack chain independently.
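As an added illustration (not code from the article or from the researchers' paper), the following Python models the two independent checks described above: a device-side fare cap on unauthenticated transit payments, and a network-side rule that a cleartext CTQ claim of CDCVM must be backed by an authenticated record. CTQ bit positions follow EMV Contactless Book C-3 (tag 9F6C); the `authenticated_cdcvm` input is a constructed stand-in for whatever cryptogram-protected evidence an issuer actually holds, and all amounts and limits are constructed sample values.

```python
from dataclasses import dataclass

# CTQ (tag 9F6C) is two bytes; EMV numbers bits 8..1 with bit 8 the MSB.
# Positions below follow EMV Contactless Book C-3 (Visa kernel).
ONLINE_PIN_REQUIRED = (0, 0x80)   # byte 1, bit 8
SIGNATURE_REQUIRED = (0, 0x40)    # byte 1, bit 7
CDCVM_PERFORMED = (1, 0x80)       # byte 2, bit 8


def decode_ctq(ctq: bytes) -> dict[str, bool]:
    """Decode the CTQ flags that bear on cardholder verification."""
    if len(ctq) != 2:
        raise ValueError("CTQ must be exactly 2 bytes")
    flags = {"online_pin_required": ONLINE_PIN_REQUIRED,
             "signature_required": SIGNATURE_REQUIRED,
             "cdcvm_performed": CDCVM_PERFORMED}
    return {name: bool(ctq[idx] & mask) for name, (idx, mask) in flags.items()}


def device_should_transact(amount_minor: int, transit_terminal: bool,
                           user_authenticated: bool, fare_cap_minor: int) -> bool:
    """Device-side fix: an unauthenticated transit payment must stay within a fare cap.
    amount_minor is the terminal's Amount, Authorised (tag 9F02) in minor units."""
    if user_authenticated:
        return True
    # Without Face ID / Touch ID the card may only pay via Express Transit,
    # and only for plausible fare amounts (the check the article says Apple lacks).
    return transit_terminal and amount_minor <= fare_cap_minor


@dataclass
class Authorization:
    amount_minor: int
    ctq_gpo: bytes              # CTQ as returned in the GET PROCESSING OPTIONS response
    ctq_record: bytes           # CTQ as returned in the READ RECORD response
    authenticated_cdcvm: bool   # constructed stand-in for a cryptogram-protected CVM result
    no_cvm_limit_minor: int     # contactless limit that applies without cardholder verification


def issuer_accepts(auth: Authorization) -> tuple[bool, str]:
    """Network-side fix: a cleartext CTQ claim of CDCVM needs authenticated backing."""
    # The CTQ is sent twice; a relay that alters only one copy is caught here.
    if auth.ctq_gpo != auth.ctq_record:
        return False, "CTQ differs between GPO and READ RECORD responses"
    ctq = decode_ctq(auth.ctq_gpo)
    # The cleartext flag alone is not evidence; require the authenticated record to agree.
    if ctq["cdcvm_performed"] and not auth.authenticated_cdcvm:
        return False, "CTQ claims CDCVM but authenticated data shows none"
    if not auth.authenticated_cdcvm and auth.amount_minor > auth.no_cvm_limit_minor:
        return False, "amount exceeds no-CVM limit without cardholder verification"
    return True, "approved"
```

Either function on its own breaks the relay described above: the device refuses to respond to a large "transit" amount, and the issuer refuses a CDCVM claim that nothing authenticated supports.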

Neither has been implemented. The formal academic proof that each company has an independent path to a fix makes the inaction harder to justify, and the researchers' public statements about this accountability failure were pointed: the vulnerability "remains live" and users are left vulnerable "indefinitely" because neither party will accept the cost of the fix.

Ghost Tap and the Evolving NFC Threat Landscape

The Apple Pay / Visa vulnerability does not exist in isolation. It is part of a broader trend in NFC-based payment fraud that security researchers have been tracking through 2025 and into 2026.

Payment Village's 2025 research confirmed that NFC relay techniques have been weaponized beyond academic demonstrations. Researchers documented what they call Ghost Tap attacks — where stolen card data is loaded into mobile wallets on compromised devices, with transactions relayed via NFCGate malware. NFCGate is an open-source Android application originally designed for NFC research that has been repurposed by criminal actors to relay NFC communications between devices at arbitrary distances.

Modified point-of-sale terminals intercepting NFC data for offline transactions have been documented in organized fraud investigations across Europe. Phishing apps that trick users into scanning their physical payment cards under the guise of "verification" — capturing both NFC data and PINs — have appeared in multiple jurisdictions. The Apple Pay / Visa attack is a technically sophisticated version of a class of attack that is becoming more operationally common at the lower technical end of the spectrum.

What the Real-World Risk Actually Looks Like

Both Apple and Visa are technically correct when they say this specific attack is unlikely to affect most users. The equipment requirements, technical knowledge, and need for physical proximity to the victim's device make opportunistic mass exploitation impractical.

But "unlikely" is not the same as "impossible," and the risk profile is not uniform across all users. Targeted attacks — where a specific individual of known value is the objective — change the calculation entirely. An attacker with a specific target who can arrange proximity (in a meeting, at a conference, on public transport) and who has the technical knowledge to operate the relay setup faces no technical barrier. The attack works. The research confirms it works. The Veritasium demonstration confirms it works at $10,000.

The zero liability policy cited by Visa provides financial recovery after the fact but does not prevent the transaction. The process of disputing a fraudulent charge takes time, creates stress, and may temporarily impact cash flow. More importantly, relying on post-transaction dispute resolution as the primary security mechanism for a pre-transaction vulnerability is not a security posture — it is an insurance policy.

How to Check If You Are Affected Right Now

Open your iPhone and go to Settings → Wallet & Apple Pay. Look for a section labelled "Express Transit Card" or "Express Travel Card" depending on your region. If there is a Visa card selected in this slot, your device is vulnerable to this attack. The setting is enabled automatically when you add a compatible Visa card to Apple Wallet in a region where Express Transit is supported — most users never deliberately enabled it and may not know it is on.

You have two options. The first is to remove the Visa card from the Express Transit slot entirely. Tap the card shown in the Express Transit section and select "None." This disables the attack surface completely. You will still be able to use Visa via Apple Pay for regular purchases — you will just need to authenticate with Face ID or Touch ID for each transaction, which is the standard behavior for non-transit payments.

The second option is to switch your Express Transit card to a Mastercard or American Express if you use transit regularly and want to retain the convenience feature. As documented by the researchers, this attack does not work against those networks due to their stronger transaction verification protocols.

Additional Protection Measures

Beyond the Express Transit setting, there are several additional measures worth implementing for anyone who uses contactless mobile payments regularly.

Enable transaction alerts from your bank for every contactless payment. Most banks and card issuers support instant push notifications for every transaction. A fraudulent NFC relay transaction would generate an immediate alert, allowing you to call your bank and freeze the card within minutes. This does not prevent the transaction but minimizes the window in which additional transactions could occur.

Review your Apple Wallet settings and remove any cards you do not actively use. Each additional card in your wallet is an additional potential attack surface — not for this specific exploit, but for the broader category of NFC fraud that targets mobile wallets.

Be aware of your phone's physical proximity in high-density environments. Crowded public transport, conference halls, and queued environments are the theoretical ideal conditions for a proximity-dependent attack. This does not mean you need to be paranoid, but awareness of your environment is a basic operational security habit that costs nothing.

If you are a high-value target — an executive, a security researcher, a journalist, or anyone with elevated exposure to targeted attacks — consider disabling Express Transit entirely rather than simply switching to a non-Visa card, as NFC attack techniques continue to evolve beyond the specific Apple-Visa vector.

The Deeper Security Lesson

The Apple Pay / Visa vulnerability teaches something important about how modern security failures actually happen. It is tempting to frame this as a story about a clever technical exploit. But the five-year unpatched status reveals the real issue: security failures in complex systems are usually not technical problems. They are organizational and economic problems.

Apple designed Express Transit to optimize for speed. Visa designed its transit processing to minimize friction. Both optimizations were legitimate product decisions that made sense independently. The vulnerability exists in the intersection — the gap between two systems that each assumed the other would enforce security constraints that neither actually enforced.

When the researchers formally proved that either company could fix it independently, and neither did, the message became clear. The cost of implementing the fix — engineering resources, testing, potential performance impact on transit payment speed — is not being borne because the financial cost of fraud is distributed across cardholders and absorbed by the zero liability policy. When losses are socialized and the fix cost is private, the incentive to fix is weaker than it should be.

Your phone being locked does not mean it is not communicating with the world. It communicates through NFC, through Bluetooth, through push notification infrastructure, through background app refresh, and through a dozen other channels that operate entirely independently of whether your screen is on or your biometrics have been verified. Security at the screen lock is real. Security at the wireless communication layer is a separate question with a separate answer — and as this research shows, the answer is not always reassuring.

What To Do Right Now: Open Settings → Wallet & Apple Pay → Express Transit Card. If a Visa card is shown, tap it and select None. This takes fifteen seconds and eliminates your exposure to this specific attack entirely. If you need Express Transit for public transport, switch the transit card to a Mastercard or American Express. Enable transaction alerts from your bank so any unauthorized NFC payment triggers an immediate notification. That is the complete protective response — no app, no subscription, no hardware required.


