{"id":102,"date":"2026-04-15T22:45:39","date_gmt":"2026-04-15T17:15:39","guid":{"rendered":"https:\/\/www.iamtiksha.com\/blog\/?p=102"},"modified":"2026-04-15T22:45:40","modified_gmt":"2026-04-15T17:15:40","slug":"can-someone-steal-10000-from-your-locked-iphone-the-0-security-loophole-you-need-to-know","status":"publish","type":"post","link":"https:\/\/www.iamtiksha.com\/blog\/can-someone-steal-10000-from-your-locked-iphone-the-0-security-loophole-you-need-to-know\/","title":{"rendered":"Can Someone Steal $10,000 From Your Locked iPhone? The $0 Security Loophole You Need to Know"},"content":{"rendered":"\n<p>Imagine you\u2019re sitting at a coffee shop. Your iPhone is sitting on the table, locked. You haven\u2019t touched it, you haven\u2019t scanned your FaceID, and you certainly haven\u2019t authorized a payment.<\/p>\n\n\n\n<p>Suddenly, a notification pops up: <strong>Transaction Approved: $10,000.<\/strong><\/p>\n\n\n\n<p>It sounds like a magic trick, but as Derek Muller from <em>Veritasium<\/em> recently demonstrated with tech reviewer MKBHD, it\u2019s a very real cyber-security vulnerability. In a stunning demo, they managed to &#8220;steal&#8221; five figures from a locked phone without ever entering a passcode.<\/p>\n\n\n\n<p>Here is the breakdown of how this &#8220;Man-in-the-Middle&#8221; attack works and why your specific choice of credit card might be putting you at risk.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">The &#8220;Express Transit&#8221; Vulnerability<\/h3>\n\n\n\n<p>The core of the hack lies in a feature we all love for its convenience: <strong>Express Transit Mode<\/strong>.<\/p>\n\n\n\n<p>Introduced to make commuting faster, this feature allows you to tap your phone at a subway turnstile or bus reader without needing to wake or unlock your device [<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=385\">06:25<\/a>]. 
To make this work, the phone is programmed to &#8220;trust&#8221; any reader that identifies itself as a transit terminal.<\/p>\n\n\n\n<p>By using a specialized device (a Proxmark), the hackers broadcast a code that tricks the iPhone into thinking it\u2019s at a subway gate. The phone then automatically opens its &#8220;Transit Slot&#8221; and prepares to pay\u2014no biometric verification required.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Three Lies of the Hack<\/h3>\n\n\n\n<p>To pull off a $10,000 theft, the hackers used a Python script to tell three specific &#8220;lies&#8221; to the devices involved:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>&#8220;I am a subway gate&#8221;:<\/strong> They tricked the phone into bypassing the lock screen by mimicking a transit reader [<a href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=431\" target=\"_blank\" rel=\"noreferrer noopener\">07:11<\/a>].<\/li>\n\n\n\n<li><strong>&#8220;This is a low-value transaction&#8221;:<\/strong> Usually, high-value payments (like $10,000) trigger a request for a PIN or FaceID. The hackers intercepted the data and flipped a single &#8220;bit&#8221; from 1 to 0, telling the phone the transaction was &#8220;low value,&#8221; even though the amount was huge [<a href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=599\" target=\"_blank\" rel=\"noreferrer noopener\">09:59<\/a>].<\/li>\n\n\n\n<li><strong>&#8220;The user verified this&#8221;:<\/strong> Finally, they lied to the actual payment terminal. When the phone sent back the approval, the hackers modified the message to tell the reader that the customer <em>had<\/em> verified the payment on their device [<a href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=681\" target=\"_blank\" rel=\"noreferrer noopener\">11:21<\/a>].<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Why Only Certain Users Are at Risk<\/h3>\n\n\n\n<p>The most frustrating part of this discovery? 
It only works on a specific combination: <strong>An iPhone paired with a Visa card.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Samsung\/Android:<\/strong> Unlike Apple, Samsung phones check the numerical value of the transaction. If a transit reader asks for more than $0.00, the phone rejects it immediately [<a href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=891\" target=\"_blank\" rel=\"noreferrer noopener\">14:51<\/a>].<\/li>\n\n\n\n<li><strong>Mastercard:<\/strong> Mastercard requires an &#8220;asymmetric signature&#8221; for every transaction. This cryptographic check would have caught the modified data bits and blocked the payment. <strong>Visa<\/strong>, however, often skips this layer of security for online transactions to prioritize speed [<a href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=1150\" target=\"_blank\" rel=\"noreferrer noopener\">19:10<\/a>].<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Is This Happening in the Real World?<\/h3>\n\n\n\n<p>When Veritasium reached out to <strong>Apple<\/strong> and <strong>Visa<\/strong>, the response was essentially: <em>&#8220;It\u2019s a known issue, but it&#8217;s very unlikely to happen at scale&#8221;<\/em> [<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=1333\">22:13<\/a>]. 
Visa pointed out that they have a &#8220;Zero Liability Policy,&#8221; meaning if you <em>were<\/em> hacked, you&#8217;d eventually get your money back.<\/p>\n\n\n\n<p>However, as Derek rightly points out, &#8220;eventually&#8221; doesn&#8217;t help when you can&#8217;t pay your rent because $10,000 is missing from your account while you wait for a bank dispute to settle [<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"http:\/\/www.youtube.com\/watch?v=PPJ6NJkmDAo&amp;t=1504\">25:04<\/a>].<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to Protect Yourself<\/h3>\n\n\n\n<p>If you want to close this loophole today, you have two main options:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Check your Express Transit settings:<\/strong> Go to <em>Settings > Wallet &amp; Apple Pay > Express Transit Card<\/em>. Either turn it off or ensure the card selected is <strong>not<\/strong> a Visa.<\/li>\n\n\n\n<li><strong>Switch your Transit Card:<\/strong> If you must use Express Transit, consider using a Mastercard or a prepaid travel card instead of your primary Visa credit card.<\/li>\n<\/ol>\n\n\n\n<p>Security is always a trade-off with convenience. Express Transit is a brilliant feature, but as this hack proves, &#8220;frictionless&#8221; payments sometimes mean there&#8217;s no friction to stop a thief, either.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>What do you think? Is the convenience of &#8220;Tap and Go&#8221; worth the security risk? 
Let us know in the comments!<\/strong><\/p>\n\n\n\n<p><em>Watch the full deep dive over at <a href=\"https:\/\/www.google.com\/search?q=https:\/\/www.youtube.com\/watch%3Fv%3DPPJ6NJkmDAo\" target=\"_blank\" rel=\"noreferrer noopener\">Veritasium<\/a>.<\/em><\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Can you steal $10,000 from a locked iPhone?\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/PPJ6NJkmDAo?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Could a stranger swipe $10,000 from your iPhone while it\u2019s still in your pocket? In a mind-bending collaboration with MKBHD, Veritasium exposes a massive security loophole involving Apple Pay and Visa. 
From &#8216;Man-in-the-Middle&#8217; attacks to the hidden risks of Express Transit mode, we\u2019re breaking down how this hack works\u2014and the simple setting you need to change today to keep your bank account safe.<\/p>\n","protected":false},"author":1,"featured_media":103,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[207,165,121,211,215,214,208,212,213,162,17,209,210],"class_list":["post-102","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curiosities","tag-apple-pay","tag-cybersecurity","tag-digital-fraud","tag-express-transit-mode","tag-finance-security","tag-hackers","tag-iphone-security","tag-mkbhd","tag-mobile-wallet","tag-online-safety","tag-tech-news","tag-veritasium","tag-visa"],"_links":{"self":[{"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/comments?post=102"}],"version-history":[{"count":1,"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":104,"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/posts\/102\/revisions\/104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/media\/103"}],"wp:attachment":[{"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/media?parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.iamtiksha.com\/blog\/wp-json\/wp\/v2\/categories?post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.iam
tiksha.com\/blog\/wp-json\/wp\/v2\/tags?post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}