iPhone NFC Hack Exposes Visa Vulnerability, Allowing Funds Theft

Researchers demonstrate complex exploit to steal from locked iPhones, but real-world risk is low

Apr. 16, 2026 at 2:38am

The vulnerability in Visa's payment system exposes the complex digital infrastructure behind mobile payments, raising concerns about the need for enhanced security protocols.

Cybersecurity researchers have discovered a vulnerability in the Visa payment system that allows attackers to potentially steal funds from a locked iPhone using Near Field Communication (NFC) technology. The exploit leverages the iPhone's Express Transit Mode feature to bypass security checks and initiate fraudulent transactions. While the attack is complex and unlikely to occur in everyday scenarios, it highlights potential risks within the Apple Pay and Visa ecosystem.

Why it matters

This vulnerability underscores the need for ongoing security improvements in mobile payment systems as they become increasingly prevalent. While Apple and Visa maintain that the real-world risk is low, the discovery of this exploit serves as a reminder for users to stay vigilant about their payment security and for payment networks to keep enhancing their protocols to protect against emerging threats.

The details

The attack, demonstrated by researchers from the University of Surrey and the University of Birmingham, involves tricking the iPhone into believing it is interacting with a legitimate transit terminal. This allows the attacker to bypass the usual security checks and initiate a fraudulent transaction. The process requires specialized hardware, including a modified NFC card reader connected to a laptop, and a 'burner' phone to complete the fraudulent transaction.

  • The vulnerability was first publicly disclosed in 2021 by researchers from the University of Surrey.

The players

University of Surrey

A public research university located in Guildford, England, that conducted research into the iPhone NFC vulnerability.

University of Birmingham

A public research university located in Birmingham, England, that collaborated with the University of Surrey on the research into the iPhone NFC vulnerability.

Visa

A global payments technology company whose payment system was found to be the core of the vulnerability, allowing attackers to bypass security checks on locked iPhones.

Apple

The technology company behind the iPhone, which has stated that the issue lies with the Visa system, not the iPhone itself.

Marques Brownlee (MKBHD)

A popular YouTuber whose locked iPhone was used in the demonstration of the exploit, with $10,000 stolen from his account.

What’s next

Apple and Visa are expected to work together to address the vulnerability and enhance the security protocols within the Apple Pay and Visa payment ecosystem to prevent similar attacks in the future.

The takeaway

This case highlights the ongoing need for robust security measures in mobile payment systems as they become increasingly ubiquitous. While the real-world risk of this specific exploit may be low, it serves as a reminder for users to stay vigilant about their payment security and for payment networks to continuously improve their protocols to protect against emerging threats.