A recent demonstration conducted by security researchers has highlighted a critical vulnerability in how Visa facilitates contactless payments on locked iPhones, potentially enabling unauthorized transactions of significant value. The experiment, which involved noted tech YouTuber Marques Brownlee (known as MKBHD), showed how $10,000 could be stolen through this exploit without the phone being unlocked.

The team behind this demonstration includes professors and researchers from the University of Surrey and the University of Birmingham. The research builds on initial groundwork laid by Dr. Andreea-Ina Radu, who collected data on public transport systems as part of the TimeTrust project (2019–2023). Their findings emphasize how attackers could take advantage of a specific Visa functionality that was designed for convenience but may also bypass essential security protocols.

How the Hack Works

The vulnerability lies in Visa’s implementation of the "transit mode" feature, which allows payments to be processed quickly at public transport terminals without requiring the user to unlock their device. While this mechanism is convenient for commuters, it appears attackers can exploit the feature to trick the iPhone’s payment system into authorizing unexpected high-value transactions.

Using specialized equipment, the researchers demonstrated how the payment terminal could be manipulated into initiating and approving an unauthorized transaction. Technical details of this method involve bypassing the typical encryption checks, such as RSA encryption, that are designed to protect payment data during contactless transactions. While the general mechanics were explained, the exact tools and processes used were not fully disclosed to avoid misuse.

Why Is Visa Targeted?

The researchers noted that this exploit seems specific to Visa’s payment interface. Other payment systems, such as Mastercard, reportedly incorporate additional safeguards that appear to make them less vulnerable to this attack. This specificity raises questions about differences in security design across payment networks.

Implications for Users

For most iPhone users, scenarios like this underline the risks inherent in prioritizing convenience over security. While transit mode ensures seamless access in high-speed environments like subway turnstiles, it does so by relaxing certain authentication requirements. This tradeoff could expose users to unauthorized transactions if attackers gain proximity to their devices.

Preventing the Exploit

The demonstration also discusses methods to mitigate potential risks. Users could disable contactless transactions entirely via their iPhone settings, though this may not be ideal for all. Visa is reportedly investigating the issue and exploring potential fixes.

A Coordinated Effort in Research

The hack would not have been possible without insights provided by experts in cryptography and payment systems. Professors Ioana Boureanu and Tom Chothia lent their expertise to analyze how Visa’s protocol allows this loophole, and the University of Surrey provided its facilities to conduct the demonstration. Meanwhile, MKBHD and his team graciously lent their support as "victims" to test the exploit, offering a unique real-world demonstration of this security issue.

What’s Next?

The researchers and their partners emphasize that this exploit is not a reflection of inherent flaws in iPhone hardware or its overarching security framework. Instead, it highlights the importance of standardized security measures across payment providers. Visa has yet to announce a definitive plan for mitigation, but ongoing industry discussions will likely focus on better integrating security protocols within high-speed payment environments.

This experiment is a cautionary tale about balancing user convenience with device and data security. Locked phones are often assumed to be impervious to external interference, but this demonstration serves as a reminder that vulnerabilities can exist even within secure ecosystems. For now, users relying on Visa for contactless payments may want to review their settings and remain vigilant against risks inherent in cutting-edge technology.