Below is a short summary and detailed review of this video written by FutureFactual:
How a Locked iPhone Tap Payment Hack Lets $10,000 Slip Out: Veritasium and MKBHD Demo
Overview
In this collaboration between Veritasium and MKBHD, a locked iPhone is tested against an NFC-based payment attack that shows how Apple's Express Transit mode can be abused to bypass the device lock and authorize large card payments.
Key insights
- Three lies are used to bypass security: telling the phone it is at a transit gate so it pays while locked, classifying a high-value transaction as low value, and convincing the reader and bank that the customer verified the payment.
- The attack relies on a man-in-the-middle setup using an NFC reader bridge, a Proxmark device, and a burner phone to spoof transit terminals.
- Visa's network and Apple's Express Transit mode create a unique, country-dependent interplay that makes certain large transactions possible without user verification in some scenarios.
- Defenses exist but are not foolproof; industry responses emphasize refunds, user awareness, and the need for stronger cryptographic checks.
Introduction and Setup
The video documents a live demo in which Veritasium and Marques Brownlee (MKBHD) attempt to extract money from Marques's iPhone while it remains locked. The setup centers on an ordinary payment terminal and a chain of devices that intercept and modify contactless transaction data. For a small payment the duo demonstrates a $5 charge; for a dramatic test they push the system to a $10,000 transaction. The key takeaway is that, under certain conditions, a locked iPhone can be coerced into authorizing a payment without the user unlocking the device or providing verification.
How the Hack Works: The Three Lies
The heart of the demonstration rests on three deliberate misrepresentations, or lies, inserted into the transaction flow, each designed to bypass a different layer of defense.
- Lie 1: Bypass the lock via transit mode. Apple's Express Transit mode lets transit payments proceed without unlocking the phone. By spoofing a transit terminal, the phone is led to treat the tap as a transit transaction rather than a standard card-present payment, effectively bypassing the lock-screen guardrails.
- Lie 2: Convert a high value into a low value. Contactless payments categorize transactions as high value or low value based on a single binary flag in the transaction data. The attackers flip the flag so that a $10,000 request is treated as a low-value one, removing the need for customer authentication.
- Lie 3: Make the bank believe the customer verified. The system must still satisfy the bank's checks. The attackers intercept the phone's response and flip a verification bit so that the reader sees that customer verification occurred, which the bank then accepts as legitimate.
Technical Chain and Practical Details
The demonstration relies on a classic man-in-the-middle attack. The Proxmark device acts as a fake card reader in front of the phone. Its data are forwarded to a laptop running a Python script that alters the transaction data, and the altered data are then sent to a burner phone held against a real card reader. To the merchant terminal, Marques's phone appears to be a valid transit card, and to the bank, the altered data appear legitimate. A central point is that the information exchanged during such taps is often unencrypted or only loosely protected in order to stay compatible with thousands of deployed devices, which the video argues creates exploitable gaps.
Why This Hack Works in This Context
The attackers emphasize that the vulnerability relies on the specific combination of an iPhone and a Visa card enrolled in Express Transit mode. In transit mode, the reader broadcasts a code that tells the phone to pay without unlocking. The attackers use a London Underground scenario to illustrate the attack in a real-world environment, and they show how the system uses a single-bit decision boundary to distinguish high-value from low-value transactions, which is what makes low-friction fraud possible at scale in certain geographies and with certain card networks.
Visa vs Mastercard and Asymmetric vs Symmetric Crypto
The video explains why the hack is possible with Visa but would be thwarted by Mastercard in typical retail scenarios. In general, payments rely on symmetric cryptography (shared secret keys) for the card-to-bank link, but Mastercard also employs an additional asymmetric layer between the card and the reader. Visa, in this specific context, does not always mandate this asymmetric signature in transit mode, particularly when the reader is online. The attackers demonstrate that by keeping the reader online during the attack, the asymmetric check is never required, and the bank-side checks then depend on the manipulated data and flags rather than on real verification by the user.
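The structural point behind the three lies and the symmetric-versus-asymmetric discussion is that the bank only detects tampering in fields its cryptogram actually covers; a "customer verified" flag that sits outside the authenticated data can be changed by a relay without the bank noticing. The toy model below is an added example, not code from the video or from Apple, Visa, or Mastercard, and it does not reproduce any real EMV or NFC message format, tag, or key hierarchy. The field names, the $100 high-value threshold, and the shared key are constructed for illustration. It contrasts a weak bank-side verifier, whose MAC covers the amount only, with a hardened one whose MAC also binds the verification flag, so that the same altered message is declined instead of approved.

```python
"""Toy model: why the 'customer verified' flag must be bound into the cryptogram.

Constructed for this example; it does NOT reproduce the real EMV / Visa /
Apple Pay message formats, tag names or key hierarchies. It only models the
structural point made in the video: the bank shares a symmetric key with the
phone and checks a MAC ("cryptogram") over some fields, and any field the MAC
does not cover can be altered between reader and phone without detection.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

HIGH_VALUE_CENTS = 10_000   # constructed threshold: $100 and up needs verification
CARD_BANK_KEY = b"constructed-demo-key-shared-by-phone-and-bank"


@dataclass(frozen=True)
class ReaderRequest:
    amount_cents: int
    transit: bool      # Lie 1: reader claims to be a transit gate
    low_value: bool    # Lie 2: reader claims the amount is "low value"


@dataclass(frozen=True)
class PhoneResponse:
    amount_cents: int
    cvm_performed: bool   # "customer verified" flag (Lie 3 targets this)
    mac: bytes            # symmetric cryptogram checked by the bank


def _mac(fields: bytes, key: bytes = CARD_BANK_KEY) -> bytes:
    return hmac.new(key, fields, hashlib.sha256).digest()


def mac_input(amount_cents: int, cvm_performed: bool, bind_cvm: bool) -> bytes:
    """Fields the cryptogram covers. Weak variant: amount only. Hardened
    variant: amount plus the verification flag, so the flag cannot be
    changed in transit without invalidating the cryptogram."""
    data = amount_cents.to_bytes(8, "big")
    if bind_cvm:
        data += bytes([int(cvm_performed)])
    return data


def phone_respond(req: ReaderRequest, unlocked: bool,
                  bind_cvm: bool) -> Optional[PhoneResponse]:
    """The phone pays without unlocking only when the reader claims transit
    and low value; otherwise it insists on user verification (unlock)."""
    if req.transit and req.low_value:
        cvm_performed = False           # legitimate: transit taps skip verification
    elif unlocked:
        cvm_performed = True
    else:
        return None                     # phone refuses: the lock screen holds
    return PhoneResponse(req.amount_cents, cvm_performed,
                         _mac(mac_input(req.amount_cents, cvm_performed, bind_cvm)))


def relay_alter_flag(resp: PhoneResponse) -> PhoneResponse:
    """Simulates the unauthenticated flag being changed between phone and
    bank. The MAC is left untouched: the relay has no key to recompute it."""
    return replace(resp, cvm_performed=True)


def bank_authorize(resp: PhoneResponse, bind_cvm: bool) -> str:
    """Bank-side check: cryptogram first, then the high-value policy."""
    expected = _mac(mac_input(resp.amount_cents, resp.cvm_performed, bind_cvm))
    if not hmac.compare_digest(expected, resp.mac):
        return "DECLINED: cryptogram mismatch (tampered or forged)"
    if resp.amount_cents >= HIGH_VALUE_CENTS and not resp.cvm_performed:
        return "DECLINED: high value without customer verification"
    return "APPROVED"


def run_scenario(bind_cvm: bool) -> str:
    """$10,000 tap on a locked phone through a relay posing as a transit reader."""
    req = ReaderRequest(amount_cents=1_000_000, transit=True, low_value=True)
    resp = phone_respond(req, unlocked=False, bind_cvm=bind_cvm)
    if resp is None:
        return "PHONE REFUSED"
    return bank_authorize(relay_alter_flag(resp), bind_cvm)


if __name__ == "__main__":
    print("flag outside cryptogram:", run_scenario(bind_cvm=False))
    print("flag inside cryptogram: ", run_scenario(bind_cvm=True))
```

The weak verifier approves the $10,000 transaction because the only thing it can check, the MAC over the amount, is intact; the hardened verifier declines it because the flag it relies on is now part of the authenticated data. This is the same lesson the video draws from Mastercard's extra signature layer: the defence is not a stronger algorithm but making sure every field the decision depends on is covered by some integrity check the relay cannot recompute.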
Security Responses and Implications
The video reports on responses from Apple and Visa. Apple declined an interview, while Visa contends that the vulnerability is unlikely to be exploited at scale and emphasizes Visa’s zero liability policy. The presenters argue that even if refunds are offered after the fact, a real-world fraud event could cause significant stress and financial risk for everyday users. They discuss the need for better end-user protections and for industry-wide changes to reduce reliance on user verification in transit-like taps and to tighten cryptographic checks, especially for high-value transactions.
Real-World Scenarios and Risk Management
The presenters illustrate how easily a stolen iPhone could be used to withdraw substantial sums and discuss possible mitigations, including turning Express Transit off, not enrolling a card in Express Transit by default, and limiting default settings that allow payments without verification. They point to data protection and fraud mitigation as ongoing challenges that require both technical and policy-level solutions. The video ends with a note on ongoing concerns, a call for better protections, and a nod to the creator's ongoing work and Webby nominations.
Ethical Considerations and Education
Throughout the piece, the presenters emphasize responsible disclosure and a careful balance between exposing a vulnerability and enabling misuse. The aim is to inform users and policymakers about where the gaps lie and to motivate the adoption of stronger cryptographic safeguards, improved monitoring, and user-side controls that can prevent or rapidly detect unauthorized transactions.
