engineering · 6 min read · Apr 18, 2026

A Known NFC Flaw Drained $10,000 From a Locked iPhone — Unfixed for 5 Years

Researchers demonstrated live that Apple's Express Transit mode lets attackers charge any amount to a locked, screen-off iPhone using basic NFC hardware.

Source: hackernoon · Hacktivist · original: https://hackernoon.com/veritasium-stole-$10000-from-mkbhds-locked-iphone-apple-and-visa-knew-about-the-bug-for-5-years

A five-year-old NFC relay attack lets anyone charge unlimited amounts to a locked iPhone via Apple's Express Transit feature, with neither Apple nor Visa having shipped a fix.

  • Researchers used a Proxmark reader, laptop, and Android phone to relay $10,000 from a locked iPhone.
  • No passcode, Face ID, or screen interaction was required during the transaction.
  • The vulnerability was first disclosed in 2021 and presented at IEEE Security & Privacy in 2022.
  • Express Transit skips amount verification to achieve sub-second transit gate response times.
  • Attackers spoof 'magic bytes' that identify a transit terminal, tricking the Secure Element.
  • The flaw affects only Visa cards; Mastercard, Amex, and Discover are not vulnerable.
  • Apple blames Visa; Visa calls the attack unlikely and points to its zero-liability refund policy.
  • No confirmed real-world exploitation exists, and the attack requires sustained physical proximity to the victim's phone.

Astrobobo tool mapping

  • Knowledge Capture: log the trust-boundary violation pattern from this case (skipping server-side amount verification for UX speed creates an exploitable assumption) as a reusable engineering anti-pattern note.
  • Reading Queue: queue the original 2022 IEEE Security & Privacy paper by Boureanu and Chothia for a deeper read on the protocol-level mechanics before your next NFC or contactless payment integration review.
  • Focus Brief: draft a one-page internal brief summarizing the Visa-specific NFC risk for any team members who own payment-network integration decisions or mobile wallet feature work.

Frequently asked

  • How does the attack work? It uses a relay chain: an NFC reader placed near the victim's iPhone intercepts the Express Transit handshake, spoofs the identifier bytes that tell the phone it is communicating with a transit gate, and forwards the session to an Android device acting as a card emulator at a real payment terminal. Because Express Transit skips amount verification to achieve fast gate response times, the Secure Element authorizes whatever amount the attacker's terminal requests (in the demonstrated case, $10,000) without any screen interaction or biometric prompt from the phone's owner.
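The trust-boundary problem above is easier to reason about as an authorization policy. The following is an added illustration, not code from the article, from Apple, from Visa, or from the researchers: it models a device that trusts an unauthenticated "this is a transit gate" claim from the reader, beside a hardened policy that treats that claim as untrusted input and only lets it waive user verification below a small cap, plus a hypothetical server-side check of the kind the "server-side amount verification" note refers to. The message fields, the cap value, the merchant categories and the policy names are all constructed assumptions for this example.

```python
"""Hypothetical model of the contactless authorization trust boundary.

Added illustration only. The reader's "transit" claim stands in for the
spoofable identifier bytes described in the article; everything else here
(field names, cap, categories) is constructed and not a real Apple or Visa value.
"""
from dataclasses import dataclass

# Constructed policy value: largest amount a device may approve in transit
# mode without cardholder verification. Not a real network or wallet limit.
TRANSIT_NO_CVM_CAP_CENTS = 500


@dataclass(frozen=True)
class TerminalRequest:
    """What the phone can observe from the reader during a contactless session."""
    claims_transit: bool       # asserted by the reader; the phone cannot authenticate it
    amount_cents: int          # requested amount, also chosen by the reader
    cardholder_verified: bool  # True only if the user authenticated on the device


def flawed_device_policy(req: TerminalRequest) -> str:
    """Mirrors the behaviour the article describes: a transit claim alone
    bypasses both the amount check and the user-presence check."""
    if req.claims_transit:
        return "approve"
    return "approve" if req.cardholder_verified else "decline"


def hardened_device_policy(req: TerminalRequest) -> str:
    """Treat the transit claim as untrusted: it may only waive cardholder
    verification for small amounts; anything larger needs the user present."""
    if req.amount_cents <= 0:
        return "decline"
    if req.claims_transit and req.amount_cents <= TRANSIT_NO_CVM_CAP_CENTS:
        return "approve"
    return "approve" if req.cardholder_verified else "decline"


def issuer_risk_check(amount_cents: int, merchant_category: str,
                      device_transit_mode: bool) -> str:
    """Hypothetical server-side check, assuming the authorization message
    carries an indicator that the device used its transit mode. Transit-mode
    approvals at a non-transit merchant, or above the cap, are sent to review
    instead of being settled on the device's say-so alone."""
    if not device_transit_mode:
        return "pass"
    if merchant_category != "transit":
        return "review"
    if amount_cents > TRANSIT_NO_CVM_CAP_CENTS:
        return "review"
    return "pass"


def compare_policies() -> dict:
    """Run both device policies over two constructed sessions: a genuine
    small fare at a gate, and a reader that claims to be a gate but asks
    for $10,000 with the phone locked (the scenario in the article)."""
    fare = TerminalRequest(claims_transit=True, amount_cents=250, cardholder_verified=False)
    drain = TerminalRequest(claims_transit=True, amount_cents=1_000_000, cardholder_verified=False)
    return {
        "fare": (flawed_device_policy(fare), hardened_device_policy(fare)),
        "drain": (flawed_device_policy(drain), hardened_device_policy(drain)),
    }


if __name__ == "__main__":
    for name, (flawed, hardened) in compare_policies().items():
        print(f"{name:5s} flawed={flawed:7s} hardened={hardened}")
    print("issuer:", issuer_risk_check(1_000_000, "retail", device_transit_mode=True))
```

The point of the hardened policy is not the specific cap but that the fast path is bounded by something the reader cannot choose: the reader controls both the transit claim and the amount, so any rule of the form "if transit then approve" hands the reader full authority. The issuer-side check is the second layer; it assumes the device's mode reaches the network, which the article does not confirm, so treat it as a design sketch rather than a description of any deployed system.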