Security News > 2021 > September > Apple Pay with VISA lets hackers force payments on locked iPhones
Academic researchers have found a way to make fraudulent payments using Apple Pay from a locked iPhone with a Visa card in the digital wallet with express mode enabled.
Apple Pay solved the problem with Express Transit, a feature that allows a transaction to go through without unlocking the device.
In combination with a Visa card, "This feature can be leveraged to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without user authorisation."
During the experiment, the researchers were able to make a GBP 1,000 transaction from a locked iPhone.
With Mastercard, a check is performed to make sure that a locked iPhone accepts transactions only from card readers with a transit merchant code.
Trying the method with Samsung Pay, the researchers found that transactions are always possible with locked Samsung devices.
News URL
Related news
- Apple Patches Actively Exploited Zero-Day Affecting iPhones, Macs, and More (source)
- Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085) (source)
- SLAP, Apple, and FLOP: Safari, Chrome at risk of data theft on iPhone, Mac, iPad Silicon (source)
- Week in review: Apple 0-day used to target iPhones, DeepSeek’s popularity exploited by scammers (source)
- First Apple-notarized porn app available to iPhone users in Europe (source)