The $10,000 Pocket Pick: How Hackers Can Drain Your iPhone Without Unlocking It
A story about the iPhone, and about money being taken from a device that is still locked, is once again making the rounds. On its face it sounds like a plausible nightmare: the phone stays in your pocket with the screen locked, and an attacker nonetheless charges a large sum to the card linked to it. The premise is sensational, but the reality is more mundane. The attack has been publicly documented for several years (the original disclosure dates from 2021); it requires physical proximity, purpose-built equipment and several conditions lining up at once, which is why it has never become a widespread threat.
The latest wave of attention was triggered by a Veritasium video that walks through the mechanics of the attack. The problem is not a "vulnerability in the iPhone" in the usual sense, but a consequence of how the Visa payment flow handles these transactions. The demonstrated scheme does not work with Mastercard or American Express, and Samsung Pay users need not worry either: the researchers found Samsung Pay unaffected by this method.
The attack hinges on Express Transit mode, which lets the phone pay a transit fare without being unlocked. For speed, the iPhone is designed to hand payment data to a transit terminal immediately, with no Face ID or passcode check. The researchers showed that a rogue NFC reader can impersonate a transit terminal, pull the payment data from the iPhone, and forward it over a relay made of a second smartphone and a laptop. To the iPhone, the exchange looks like an ordinary fare payment; in transit, the attackers alter the data the phone returned so that a shop's terminal believes the cardholder already verified the purchase on the device, which removes the contactless spending limit. The second smartphone is then tapped on a genuine point-of-sale terminal, and the transaction goes through as a verified purchase.
The Veritasium demonstration is striking: $10,000 is charged from the phone of Marques Brownlee. The method's authors, researchers Ioana Boureanu (University of Surrey) and Tom Chothia (University of Birmingham), found the flawed logic by recording the exchange between an iPhone and real transit gates, such as those on the London Underground, and then replaying and modifying the captured signals.
For all its drama, the scenario is hard for a criminal to pull off. It needs physical access to the device, a fair amount of kit, and the right conditions for the relay to work. Planting rogue readers in subway turnstiles at scale is all but impossible, since transit operators closely control that infrastructure. An attacker could in theory brush past a pedestrian and hold a rogue reader near their pocket, but that takes precise timing and considerable preparation.
The more realistic concern is a stolen iPhone. A locked, stolen phone, combined with the right equipment, gives a criminal far more room to work. Panic is unwarranted, but a few basic precautions are sensible.
The simplest mitigation is to turn Express Transit off. The feature is convenient and generally safe, but disabling it removes this risk entirely. Alternatively, keep the quick transit access and pick a non-Visa card as the Express Transit card, the option recommended by both the researchers and industry analysts. Many iPhone owners may not realise the mode is active at all: it is often enabled by default when a compatible card is added to Apple Wallet. To check, open Settings, go to Wallet & Apple Pay, and look at Express Transit Card; setting it to None turns the feature off.
As Veritasium reports, Visa maintains that such an attack is highly unlikely in practice and notes that disputed transactions can be contested. The key takeaway: this is not a broad, remote compromise of the iPhone. Still, Visa cardholders who use Apple Wallet would do well to review their Express Transit settings and decide whether they need the feature. Caution, not hysteria, is the right response.
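To make the attack flow described above and the mitigation in the previous paragraph concrete, here is a small Python model of the three parties involved: the attacker's fake transit reader next to the victim's phone, the relay that alters the data, and the shop terminal that accepts it. It is an added illustration written for this page, not code from the article, the researchers, Apple or Visa; every message field, the "magic bytes" value, the spending limit and the terminal's acceptance rule are constructed simplifications chosen to show the structure of the attack, not the real NFC/EMV wire protocol. Why Mastercard, American Express and Samsung Pay resist the same trick is outside the model.

```python
"""Toy model of the Express Transit relay attack.

Added example, not code from the article, the researchers, Apple or Visa.
All message formats, field names, limits and the transit "magic bytes" are
constructed simplifications; they illustrate the shape of the relay, not
the real payment protocol.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins: the signal a transit gate sends, and the amount
# above which a contactless purchase needs verification on the device.
TRANSIT_MAGIC = bytes.fromhex("a55a")
CONTACTLESS_LIMIT = 100


@dataclass
class Phone:
    """A phone holding one card. It answers a reader only if the user has
    authenticated, or if Express Transit is on and the reader presents the
    transit bytes (the behaviour the article describes)."""
    express_transit: bool = True
    unlocked: bool = False

    def tap(self, reader_msg: dict) -> Optional[dict]:
        if self.unlocked:
            # Normal purchase: user verified on the device, and the reply says so.
            return {"token": "tok-0001", "device_verified": True}
        if self.express_transit and reader_msg.get("magic") == TRANSIT_MAGIC:
            # Transit path: pays with no Face ID or passcode, and says so.
            return {"token": "tok-0001", "device_verified": False}
        return None  # locked, no auth, no transit bytes: the phone stays silent


def transit_gate_message() -> dict:
    """What a genuine (or fake) transit gate sends in this model."""
    return {"magic": TRANSIT_MAGIC, "amount": 3}


def pos_message(amount: int) -> dict:
    """What a shop terminal sends in this model: no transit bytes."""
    return {"amount": amount}


def pos_decide(card_reply: Optional[dict], amount: int) -> str:
    """Modelled point-of-sale rule: large amounts need device verification.
    The modelled weakness is that the terminal trusts the verification flag
    carried in the card's reply (a simplification, not Visa's actual logic)."""
    if card_reply is None:
        return "declined: no card data"
    if amount > CONTACTLESS_LIMIT and not card_reply["device_verified"]:
        return "declined: over limit, verify on device"
    return f"approved: {amount}"


def relay_attack(victim: Phone, amount: int) -> str:
    """The attack as the article describes it, step by step."""
    # 1. A rogue reader near the victim's pocket pretends to be a transit gate.
    reply = victim.tap(transit_gate_message())
    if reply is None:
        return "attack failed: phone did not answer the fake gate"
    # 2. The reply is relayed (phone + laptop in the article) and altered so
    #    the shop terminal believes the user verified on the device.
    forged = dict(reply, device_verified=True)
    # 3. The accomplice's phone presents the forged reply to a real terminal.
    return pos_decide(forged, amount)


def honest_purchase(phone: Phone, amount: int) -> str:
    """A normal tap at a shop terminal, for comparison."""
    return pos_decide(phone.tap(pos_message(amount)), amount)


if __name__ == "__main__":
    print("locked phone at a shop:     ", honest_purchase(Phone(), 10000))
    print("unverified transit reply at shop:",
          pos_decide(Phone().tap(transit_gate_message()), 10000))
    print("relay, Express Transit on:  ", relay_attack(Phone(), 10000))
    print("relay, Express Transit off: ", relay_attack(Phone(express_transit=False), 10000))
```

The four runs show the whole story: a locked phone says nothing to a shop terminal; the transit-style reply on its own is declined above the limit, which is why the attackers have to alter the verification flag; with that flag altered the relay is approved for $10,000; and with Express Transit turned off the phone never answers the fake gate, so the relay has nothing to forward.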