Can you steal $10,000 from a locked iPhone?
Veritasium·Tech


TL;DR

Yes — cybersecurity researchers demonstrated a man-in-the-middle NFC attack that drains $10,000 from a locked iPhone using three flipped data bits.

Key Points

  1. The attack works via a man-in-the-middle NFC relay. A Proxmark device intercepts communication between the iPhone and a payment terminal, routing it through a laptop running a Python script, then to a burner phone — making each end think it's talking directly to the other.
  2. Lie #1 exploits Apple's Express Transit Mode. The Proxmark broadcasts the same code used by London Underground gates, tricking the iPhone into thinking it's a transit reader and bypassing the lock screen entirely — no Face ID or PIN required.
  3. Lie #2 flips a single bit to disguise $10,000 as a low-value transaction. The iPhone doesn't check the numerical amount; it reads one binary flag. Changing that bit from 1 to 0 suppresses the customer verification step even for a $10,000 charge.
  4. Lie #3 tells the reader the customer verified the payment. The phone's response says no verification occurred, which the reader would reject — so the attackers flip that bit too, convincing the reader the transaction is legitimate before it forwards to the bank.
  5. The hack only works on iPhones with a Visa card in the transit slot. Samsung phones check the actual transaction value in transit mode and reject anything above $0. MasterCard uses asymmetric RSA cryptography to sign transaction data, which would expose the tampered bits and block the attack — Visa skips this check when the reader is online.
  6. This vulnerability was publicly disclosed in 2021 by Professors Ioana Boureanu and Tom Chothia at the University of Surrey. Apple's response blamed Visa; Visa cited its zero-liability refund policy and argued the attack is unlikely at scale, with in-person fraud costing only 2 cents per $100 spent — neither company has implemented a technical fix in five years.
  7. Users can protect themselves by removing Visa cards from Express Transit Mode. Any eligible Visa card added to Apple Wallet enables Express Transit Mode by default; disabling it requires a manual setting change, and without it the locked-phone attack cannot initiate.
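
Point 5 names two checks that stop the flipped bits: a device that looks at the amount itself in transit mode, and a signature over the transaction data that the reader verifies. The Go sketch below is an added example, not code from the video or the researchers; the `Txn` record, its field names and every function name are constructed for illustration and are not the real EMV layout, and the reader is assumed to already trust the device's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Txn is a constructed record for illustration, not the real EMV field layout.
type Txn struct {
	AmountCents uint64
	LowValue    bool // reader's claim that the payment is low-value
	CVMDone     bool // device's claim that the customer verified
}

func (t Txn) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%t|%t", t.AmountCents, t.LowValue, t.CVMDone)))
	return h[:]
}

// NewDeviceKey generates the device's signing key (hypothetical helper).
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DeviceSign signs the transaction exactly as the device saw and answered it.
func DeviceSign(k *rsa.PrivateKey, seen Txn) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, seen.digest())
}

// ReaderAccepts verifies the signature against the reader's own view of the fields.
func ReaderAccepts(pub *rsa.PublicKey, view Txn, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, view.digest(), sig) == nil
}

// TransitPolicyOK is the device-side amount check: transit mode only ever pays $0.
func TransitPolicyOK(transit bool, amountCents uint64) bool { return !transit || amountCents == 0 }

func main() {
	k, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	sig, err := DeviceSign(k, Txn{1000000, true, false}) // device's view (constructed)
	if err != nil {
		panic(err)
	}
	fmt.Println("reader accepts altered view:", ReaderAccepts(&k.PublicKey, Txn{1000000, false, true}, sig))
	fmt.Println("transit policy allows $10,000:", TransitPolicyOK(true, 1000000))
}
```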
