Revealed: How to steal money from victims’ contactless Apple Pay wallets

Apple’s digital wallet Apple Pay will pay whatever amount is demanded of it, without authorization, if configured for transit mode with a Visa card, and exposed to a hostile contactless reader.

Boffins at the University of Birmingham and the University of Surrey in England have managed to find a way to remove the contactless payment limit on iPhones with Apple Pay and Visa cards if “Express Transit” mode has been enabled.

Express Transit mode enables Apple Pay transactions without unlocking an iPhone or requiring authentication. It’s intended as a convenience feature to speed up payment at public transit ticketing gates equipped with Europay, Mastercard, and Visa (EMV) contactless readers.

“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea-Ina Radu, in

