Apple Pay has established itself as the leading digital payment method globally, boasting around 785 million users. It enables transactions both online and in physical stores, representing 14.2% of all online payments. While user adoption is projected to grow until 2030, a pressing question arises: can users really trust it? Alarming new findings suggest that Apple Pay has been susceptible to fraudulent activities, with a critical vulnerability remaining unaddressed for five years.
The Apple Pay Heist
In mid-April, well-known tech YouTuber Marques Brownlee (MKBHD) collaborated with Veritasium researchers to test this vulnerability. Their aim? To drain $10,000 from Marques’s Apple Pay account without needing any password or Face ID verification.
This entire operation was completed in under 10 seconds.
The theft unfolded using just a MacBook, a burner phone, a specialized NFC reader called Proxmark, and Marques’s locked iPhone. It seemed almost impossible, given Apple’s reputed security protocols. Yet, the demonstration made by Veritasium showed that what seemed improbable was indeed executable. They successfully transferred $10,000 from Marques’s iPhone to their own account, leaving MKBHD visibly shocked.
Executing the Heist
In the video, Veritasium elaborates on how this method functions.
To begin, the target iPhone has to be positioned on the Proxmark reader, which impersonates an ordinary card reader. The Proxmark tricks the iPhone into believing it’s communicating with a standard card reader and requests a specific amount—$10,000, in this scenario. The iPhone complies and forwards the transaction data to the connected MacBook. This information is then sent to the burner phone, which acts as the recipient. Notably, Apple’s Express Mode allows transactions without user authentication. Once completed, the funds are taken from the target iPhone and directed to the hacker.
Despite the various steps involved, the operation still wraps up in less time than it would take to make a regular payment using Apple Pay in stores.
The truly concerning aspect? This weakness was initially identified back in 2021, yet no solutions have been implemented. Every iPhone equipped with Apple Pay may be at risk for such a heist, potentially allowing the theft of an entire primary card’s debit or credit limit.
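The flow above, a reader at the victim's phone that poses as a terminal, a relay to the attacker's own terminal, and an Express Mode phone that answers without Face ID, can be modeled in a few dozen lines. The following is an added illustration written for this article, not code from Veritasium, MKBHD, Apple or Visa, and it is not the real Apple Pay or EMV protocol: the shared key, the message layout, the terminal ids and the round-trip budget are all constructed assumptions. Its point is a defender's one: because the genuine phone computes a valid cryptogram over whatever amount the fake reader asks for, and the relay forwards those bytes unchanged, the issuer's cryptogram check alone cannot tell a relayed payment from a real one. The model also shows two controls the article's description implies would break the flow: requiring user authentication (Express Mode off) so the locked phone never answers, and, as an assumed issuer-side check the article does not discuss, bounding the reader-to-issuer round-trip time, which a relay hop lengthens.

```python
import hashlib
import hmac

# Constructed toy model of the relay described above. NOT Apple Pay's, Visa's
# or EMV's real protocol: key, message layout, ids and timing budget are all
# assumptions made so the flow can be run offline.
ISSUER_KEY = b"constructed-demo-key-not-real"   # assumed shared card/issuer key
ROUNDTRIP_BUDGET_MS = 50                         # assumed distance-bounding limit


class Phone:
    """The victim's locked phone. With Express Mode on it answers any reader."""

    def __init__(self, key: bytes, express_mode: bool):
        self.key = key
        self.express_mode = express_mode
        self.counter = 0   # transaction counter, makes each cryptogram unique

    def respond(self, request: dict, user_authenticated: bool = False):
        if not (self.express_mode or user_authenticated):
            return None    # locked phone, no Face ID/passcode: no answer at all
        self.counter += 1
        body = f"{request['amount']}|{request['terminal_id']}|{self.counter}".encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {**request, "counter": self.counter, "mac": mac}


class Issuer:
    """Verifies a cryptogram; optionally enforces a round-trip time bound."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_counters = set()

    def authorize(self, crypto: dict, roundtrip_ms: int, enforce_timing: bool) -> str:
        body = f"{crypto['amount']}|{crypto['terminal_id']}|{crypto['counter']}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, crypto["mac"]):
            return "declined: bad cryptogram"
        if crypto["counter"] in self.seen_counters:
            return "declined: replay"
        # A relay adds a network hop between the fake reader and the real
        # terminal, so the observed round trip exceeds what a card held at
        # the terminal could produce (assumed check, not from the article).
        if enforce_timing and roundtrip_ms > ROUNDTRIP_BUDGET_MS:
            return "declined: round-trip too slow (possible relay)"
        self.seen_counters.add(crypto["counter"])
        return "approved"


def relay_transaction(express_mode: bool, enforce_timing: bool,
                      relay_delay_ms: int = 400) -> str:
    """Fake reader at the victim's phone, attacker's terminal at the merchant.
    The cryptogram is passed through byte-for-byte, so it stays valid."""
    phone = Phone(ISSUER_KEY, express_mode)
    issuer = Issuer(ISSUER_KEY)
    # The amount and terminal id originate at the attacker's terminal and are
    # relayed to the phone by the fake reader (constructed id below).
    request = {"amount": 10000, "terminal_id": "ATTACKER-TERMINAL"}
    crypto = phone.respond(request)            # nobody authenticates here
    if crypto is None:
        return "no response: user authentication required"
    # Relay back to the attacker's terminal adds relay_delay_ms of latency.
    return issuer.authorize(crypto, roundtrip_ms=5 + relay_delay_ms,
                            enforce_timing=enforce_timing)


def legitimate_transaction(enforce_timing: bool) -> str:
    """A phone actually held at the terminal: tiny round trip, approved."""
    phone = Phone(ISSUER_KEY, express_mode=True)
    issuer = Issuer(ISSUER_KEY)
    crypto = phone.respond({"amount": 3, "terminal_id": "TRANSIT-GATE-1"})
    return issuer.authorize(crypto, roundtrip_ms=5, enforce_timing=enforce_timing)


if __name__ == "__main__":
    print("Express Mode on, no timing check :", relay_transaction(True, False))
    print("Express Mode on, timing check    :", relay_transaction(True, True))
    print("Express Mode off                 :", relay_transaction(False, False))
    print("Genuine tap, timing check        :", legitimate_transaction(True))
```

Run as a script, the first line prints "approved": the issuer sees a correctly keyed cryptogram for $10,000 and has no reason to refuse it, which is exactly the property the demonstration exploits. Turning Express Mode off stops the phone from answering at all, and the assumed round-trip bound declines the relayed transaction while still approving the genuine tap.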
Assessing Your Risk
Understanding your vulnerability to NFC-related theft involves a few critical components.
First off, it’s important to know that this exploit only affects Apple Pay. If you’re an Android user, you’re in the clear. Google Pay and Samsung Pay remain unaffected by this flaw.
For iPhone users, the risk additionally depends on the type of default card set in the Wallet app. The attack relies on having Visa as your primary card; it won’t work if Mastercard is the default.
Protecting Yourself from Apple Pay Vulnerabilities
To change your default card, simply open the Wallet app, tap and hold the card you wish to reset, and drag it to the bottom until it becomes visible. To delete a card, select it, tap the three dots in the upper right corner, and choose “Delete Card” at the bottom of the screen.
This bug has persisted for quite a while—about six months now. It seems unlikely Apple will issue a fix anytime soon. Nevertheless, with MKBHD’s high-profile exposure of this vulnerability, there’s hope it might grab Apple’s attention for a remedy in the future.
In the meantime, adjusting your default card settings or removing your card entirely could offer some level of protection.