Tap to Pay Has a Real Security Flaw — Here's How It Works

Zeebrain Editorial
April 17, 2026
10 min read
Science & Tech

Quick Summary

A locked iPhone can be charged thousands of dollars without your knowledge. Here's the exact flaw in tap to pay NFC payments — and what you can do about it.

The Payment You Never Approved

Imagine setting your locked phone face-down on a café table. No fingerprint scan. No Face ID prompt. No notification asking you to confirm anything. And yet, somewhere in the background, $10,000 just left your account.

This is not a hypothetical. It is a documented, reproducible security vulnerability in tap to pay systems — specifically targeting iPhones with a Visa card loaded into Apple Pay's transit slot. Cybersecurity researchers at the University of Surrey published this attack in 2021. It has not been fully patched. And most people who use contactless payments every day have no idea it exists.

Understanding this flaw does not require a computer science degree. It requires understanding three small lies — and why the systems we trust are designed in a way that makes those lies disturbingly easy to tell.

What Tap to Pay Actually Does When You Pay

Contactless payments use Near Field Communication, or NFC — a short-range wireless technology that lets your phone and a payment terminal exchange data through a shared magnetic field (inductive coupling) when they are held very close together. When you tap your phone to pay, the two devices have a rapid back-and-forth conversation: the reader identifies itself, your phone checks its wallet, they exchange cryptographic data, and the bank approves or declines.

Under normal conditions, that conversation is secure enough. Your phone verifies the reader is legitimate. The bank verifies the card data is authentic. Cryptographic signatures make sure nothing has been tampered with in transit.

The problem is that parts of this conversation are not encrypted. Certain control bits — small individual pieces of data that act as flags or instructions — travel in plain text. They tell the devices things like: is this a high-value or low-value transaction? Has the customer verified the payment? Is the reader online or offline?

Those unencrypted bits are exactly where the attack lives.

The Three Lies at the Heart of the Tap to Pay Exploit

The attack is technically classified as a man-in-the-middle attack. Two devices — a Proxmark NFC tool and a burner phone — are placed between the victim's phone and the legitimate card reader. All communication between the two real devices passes through this interception layer, where a Python script modifies specific bits before passing the data along.

Here is how the three layers of deception work:

Lie one: convincing the phone it is a transit reader. Apple introduced Express Transit Mode in 2019 to let commuters tap through subway gates without unlocking their phone. Transit terminals broadcast a specific code that iPhones recognise, triggering the transit card in Apple Pay to activate automatically. Researchers discovered this code by sitting near London Underground gates with scanning equipment and recording the signal. With that code, you can make any iPhone think it is standing at a subway turnstile — no unlocking required.

Lie two: disguising a $10,000 charge as a low-value transaction. Once the phone is in transit mode, it will process small payments without asking for verification. But ask for thousands of dollars and a second defence kicks in — a customer verification requirement. The phone determines whether a transaction is high value or low value not by reading the actual dollar amount, but by checking a single binary bit in the transaction data. A 1 means high value. A 0 means low. The man-in-the-middle script simply flips that bit. The phone sees a zero, assumes the transaction is low value, and authorises it without asking for a PIN, fingerprint, or Face ID — regardless of the actual amount.

Lie three: telling the reader the customer already verified the payment. The phone sends its authorisation to the reader, but it also honestly reports that no customer verification took place. A legitimate reader would reject this for a high-value transaction. So the script intercepts the phone's response and flips another bit — this one indicating that customer verification was completed on the device. The reader sees a verified transaction, forwards it to the bank, and the bank approves it. The bank has no reason to doubt a message that appears fully authenticated.

Three bit flips. That is the entire attack.

Why iPhones with Visa Cards Are the Specific Target

Not every phone and card combination is vulnerable. The exploit requires two specific conditions to align.

First, it must be an iPhone. When Samsung devices enter transit mode, they do not rely on the high-value or low-value label from the reader. Instead, they check the actual numerical value of the transaction and only accept a charge of zero dollars — leaving the transport provider to bill separately at the end of the journey. A Samsung phone asked to pay $10,000 through a transit terminal would immediately refuse.

Second, the card in the transit slot must be a Visa card, not a Mastercard. The difference comes down to how each network handles a second layer of authentication between the card and the reader, separate from the bank verification. Mastercard uses asymmetric cryptography at this stage — a digital signature that the reader can independently verify using a public key. This signature is tied to the specific transaction data, so if any of that data is altered in transit, the signature will no longer match and the reader rejects the payment.

Visa, in this particular scenario, does not apply that same reader-level signature check. That absence is the loophole. It is not a bug in the traditional sense — it is the unintended consequence of mixing two systems, each individually reasonable, that together create an exploitable gap.
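To make the three contrasts above concrete (a phone that trusts the high-value bit versus one that checks the actual amount, and a reader that verifies an integrity tag bound to the transaction data versus one that does not), here is an added, constructed simulation. It is not code from the article, the University of Surrey researchers, Apple, Visa or Mastercard. The byte layout, the $100 low-value limit, the field names and the demo key are all assumptions, and an HMAC is used as a stand-in for the asymmetric signature the article describes, since the property that matters here (any altered bit breaks the check) is the same.

```python
"""Toy model of why unauthenticated control bits are dangerous.

Constructed example: the layout, limit and key below are assumptions chosen
for illustration and do not reproduce any real EMV, Apple Pay, Visa or
Mastercard format.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple

LOW_VALUE_LIMIT_CENTS = 10_000           # assumed no-verification ceiling ($100)
DEMO_KEY = b"constructed-demo-key"       # stand-in for the real signing key


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    high_value: bool      # the "high-value or low-value" control bit
    cvm_performed: bool   # "customer verification completed on device" bit
    transit_reader: bool  # reader presented the transit code (lie one)


def encode(tx: Transaction) -> bytes:
    """Serialise the fields both sides act on (assumed layout: 6-byte amount + 1 flag byte)."""
    flags = int(tx.high_value) | (int(tx.cvm_performed) << 1) | (int(tx.transit_reader) << 2)
    return tx.amount_cents.to_bytes(6, "big") + bytes([flags])


def decode(data: bytes) -> Transaction:
    flags = data[6]
    return Transaction(int.from_bytes(data[:6], "big"),
                       bool(flags & 1), bool(flags & 2), bool(flags & 4))


def alter_in_flight(data: bytes, **flag_changes: bool) -> bytes:
    """Model the in-transit rewrite of flag bits the article describes; the amount is untouched."""
    return encode(replace(decode(data), **flag_changes))


def phone_requires_verification_flag_based(tx: Transaction) -> bool:
    """iPhone as described: the decision rests on the high-value bit, not the amount."""
    return tx.high_value


def phone_accepts_transit_amount_based(tx: Transaction) -> bool:
    """Samsung as described: in transit mode only a zero-value charge is accepted."""
    return tx.amount_cents == 0


def device_response(tx: Transaction, key: Optional[bytes]) -> Tuple[bytes, bytes]:
    """Phone's response; with a key, an integrity tag is bound to every byte the reader acts on."""
    data = encode(tx)
    tag = hmac.new(key, data, hashlib.sha256).digest() if key else b""
    return data, tag


def reader_accepts(data: bytes, tag: bytes, key: Optional[bytes]) -> bool:
    """Reader-side check: verify the tag (if any), then require CVM for a high-value amount."""
    if key is not None:
        expected = hmac.new(key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # any altered bit breaks the tag
    tx = decode(data)
    needs_cvm = tx.amount_cents > LOW_VALUE_LIMIT_CENTS   # reader knows the real amount
    return tx.cvm_performed or not needs_cvm


def run_tap(amount_cents: int, *, interposed: bool, signed: bool,
            amount_policy: bool) -> Tuple[str, bool]:
    """One tap end to end. Returns (phone behaviour, reader accepted?)."""
    key = DEMO_KEY if signed else None
    request = Transaction(amount_cents, amount_cents > LOW_VALUE_LIMIT_CENTS, False, True)
    wire = encode(request)
    if interposed:
        wire = alter_in_flight(wire, high_value=False)      # lie two: "this is low value"
    seen = decode(wire)
    if amount_policy and not phone_accepts_transit_amount_based(seen):
        return "refused", False                              # amount-based phone stops here
    prompted = phone_requires_verification_flag_based(seen)
    data, tag = device_response(replace(seen, cvm_performed=prompted), key)
    if interposed:
        data = alter_in_flight(data, cvm_performed=True)     # lie three: "customer verified"
    return ("prompted" if prompted else "silent"), reader_accepts(data, tag, key)


if __name__ == "__main__":
    cases = [
        ("normal $2.50 tap, flag-based phone, no tag", 250, False, False, False),
        ("$10,000 with interposer, flag-based phone, no tag", 1_000_000, True, False, False),
        ("$10,000 with interposer, tag bound to data", 1_000_000, True, True, False),
        ("$10,000 with interposer, amount-based phone", 1_000_000, True, False, True),
    ]
    for label, amount, interposed, signed, amount_policy in cases:
        print(f"{label}: {run_tap(amount, interposed=interposed, signed=signed, amount_policy=amount_policy)}")
```

The second case is the combination the article describes: the phone stays silent and the reader accepts, because nothing binds the flag bits to the transaction. The third case shows why a reader-verified signature over the transaction data closes the gap, and the fourth shows that a phone which decides on the real amount rather than a label never reaches the reader at all.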

Why This Has Not Been Fixed After Five Years

The University of Surrey researchers disclosed this vulnerability responsibly in 2021. Apple and Visa were both informed. And yet the vulnerability persists. Why?

The answer lies in the infrastructure that contactless payments depend on. The communication protocols between phones, readers, and banks have to be compatible across hundreds of thousands of devices worldwide — point-of-sale terminals in supermarkets, transit gates on subway networks, parking meters, vending machines. Issuing a comprehensive patch that changes how control bits are transmitted and verified would require coordinated updates across an entire global ecosystem. That does not happen quickly.

There is also a question of incentive. Financial institutions typically absorb fraud losses rather than pass them directly to consumers — at least in markets with strong consumer protection laws. When the cost of fraud is socialised across millions of customers through fees and margins, the urgency to fix any individual attack vector is diluted.

This does not make the vulnerability acceptable. It makes it a systemic problem hiding behind the illusion that the payment system is already secure enough.

What You Can Actually Do to Protect Yourself

The honest answer is that most of the protective measures here sit with Apple and Visa, not with you. But there are practical steps worth taking.

Review your Express Transit settings. On an iPhone, go to Settings → Wallet & Apple Pay → Express Transit Card. Consider whether you actually need a card assigned to that slot. If you rarely use transit payments or live in an area where this is not a daily need, removing the transit card eliminates the attack surface entirely. You will have to unlock your phone to pay for transit, but you will also remove the bypass that makes this exploit possible.

Check which card is in your transit slot. If you do use Express Transit, consider whether a Mastercard or another non-Visa network card is available to you. As established, the vulnerability is specific to the iPhone-plus-Visa combination in this configuration.

Monitor your transactions actively. Most major banks and card providers offer instant push notifications for every transaction. Enabling these means that even if a fraudulent charge slips through, you will know within seconds and can begin a dispute process immediately.

Be sceptical of your physical surroundings. The attack requires physical proximity — typically close enough to tap a Proxmark against your phone or bag. Crowded public transport, busy queues, and festival environments are the natural hunting grounds for this kind of attack. Keeping your phone in an interior pocket rather than an outer bag pocket reduces but does not eliminate proximity risk.

The Bigger Picture: Security Theatre in the Payment System

What this vulnerability reveals is not that contactless payments are hopelessly broken. The vast majority of transactions every day are processed securely. What it reveals is something more uncomfortable: the security of the global payment system is not a single wall but a patchwork of overlapping controls, each with its own gaps, and the gaps sometimes align.

Express Transit Mode was designed to solve a genuine user experience problem. The high-value or low-value label was designed to provide flexibility across different currencies and regulatory environments. Visa's verification process is the result of decades of engineering decisions made by different teams in different eras. None of these choices were reckless in isolation.

But security is not evaluated in isolation. It is evaluated against real adversaries who look specifically for the places where sensible individual decisions add up to a system-level flaw. The three-bit-flip attack on tap to pay is a clean example of that principle in action.

Until the underlying protocol is updated — which requires industry-wide coordination — the fix available to individual users is awareness. Knowing this vulnerability exists, knowing which conditions make you susceptible, and adjusting your settings accordingly is not a perfect defence. But it is the one that is actually available right now.


Frequently Asked Questions

Does this tap to pay hack work on all iPhones?

The vulnerability applies to iPhones using Apple Pay's Express Transit Mode with a Visa card assigned to the transit slot. It does not require a specific iPhone model — the issue is in how Apple's Express Transit Mode handles the high-value or low-value transaction flag in NFC communication, which is consistent across iPhones that support this feature.

Can Android or Samsung phones be targeted in the same way?

No. Samsung devices handle transit mode differently — they check the actual numerical value of the transaction rather than relying on a binary high or low value label from the reader. A Samsung phone in transit mode will only accept a charge of zero dollars per tap, making it immune to this specific exploit.

Is Visa less secure than Mastercard overall?

Not in any general sense. The difference relevant here is that in this specific scenario — an iPhone in Express Transit Mode — Mastercard applies an additional layer of asymmetric cryptographic verification between the card and the reader. This signature check detects any data tampering in transit and rejects the transaction. Visa does not apply this check in the same configuration, which is what creates the exploitable gap. Both networks have strong security across their broader systems.

What should I do if I think I have been charged fraudulently through tap to pay?

Contact your bank or card issuer immediately. Most contactless payment fraud falls under consumer protection rules that entitle you to a full refund provided you report it promptly and confirm you did not authorise the transaction. Enable real-time transaction notifications on your banking app to catch any suspicious activity as quickly as possible.

Has Apple or Visa issued a fix for this vulnerability?

As of the time of writing, the vulnerability disclosed by University of Surrey researchers in 2021 has not been fully patched. The complexity of updating interconnected global payment infrastructure means comprehensive fixes take years to implement. Apple has acknowledged the research. The most reliable individual mitigation remains removing the Visa card from the Express Transit slot in your iPhone's Wallet settings.
