
Apple Pay Express Mode for Transit, When Used With a Visa Card, Is Vulnerable to Scam Tap-to-Pay Readers
Key Takeaways
- Express Transit Mode with Visa can be tricked via NFC reader
- Attack bypasses iPhone lock, steals funds from mobile wallet
- Only works with Visa; Mastercard, Amex, Samsung Pay unaffected
- Visa cites zero‑liability policy; disputes possible for fraudulent charges
Pulse Analysis
Apple Pay’s Express Transit Mode was designed to speed up commuter payments by allowing a tap‑and‑go experience even when the device is locked. The feature leverages the iPhone’s NFC chip to communicate directly with transit validators, bypassing the need for biometric authentication. While convenient, this architecture also creates a narrow attack surface: the NFC handshake can be mimicked by external hardware that pretends to be a legitimate transit terminal. For users who have linked a Visa card, this opens a pathway for malicious actors to inject fraudulent transaction data and siphon money from the device’s mobile wallet.
The vulnerability was uncovered in a joint effort by researchers from the University of Surrey and the University of Birmingham, who built a custom NFC reader that captures the data exchange between an iPhone and a transit validator. By tuning the reader to the exact identifier used by a transit system, the device can convince the iPhone that a legitimate payment is occurring. The captured data is then relayed to a burner phone, which completes the transaction on a real payment terminal, effectively moving funds without the user’s consent. The researchers demonstrated the exploit by extracting $10,000 from YouTuber Marques Brownlee’s locked iPhone, highlighting that the attack can bypass Apple’s usual transaction limits. However, the method requires physical proximity, specialized equipment, and works only with Visa cards, as Mastercard and American Express employ different security protocols.
For the broader market, the flaw underscores the importance of layered security in contactless payments. Visa has responded by emphasizing its zero‑liability policy, assuring cardholders that disputed charges can be reversed. Apple, meanwhile, maintains that the issue resides in Visa’s backend and is unlikely to be exploited at scale. Consumers can mitigate risk by disabling Express Transit for Visa cards or opting for alternative payment methods such as Mastercard, Amex, or Samsung Pay. The episode also pressures payment networks to tighten authentication checks for transit‑specific NFC transactions, ensuring that convenience does not come at the expense of security.