How Secure Is Tap To Pay?

Veritasium
15 Apr 2026 · 26:15

Summary

TLDR: In this intriguing video, MKBHD and his team demonstrate a sophisticated hack that bypasses the iPhone's lock screen to make unauthorized payments. Using a man-in-the-middle attack, they manipulate the communication between the phone and payment terminal, exploiting a flaw in Visa's system and Apple's Express Transit Mode. The hack enables large sums, like $10,000, to be stolen without customer verification. Despite being publicly known since 2021, the vulnerability remains unaddressed. The video raises concerns about security and whether companies like Apple and Visa are doing enough to protect users.

Takeaways

  • 📱 MKBHD demonstrates a method to extract money from a locked iPhone using Apple Pay, showing that specific technical conditions can bypass device security.
  • 🛠 The hack relies on a man-in-the-middle attack using a Proxmark NFC device, a Python script, and a burner phone to intercept and modify transaction data.
  • 🚇 Express Transit Mode on iPhones allows low-value payments without unlocking the phone, which the hack exploits to bypass authentication.
  • 💰 The team successfully authorized a $10,000 transaction without unlocking the phone by altering transaction data to appear low-value.
  • 🔒 The hack manipulates three layers of defense: bypassing the lock screen, tricking the phone into accepting high-value payments as low-value, and deceiving the card reader into believing the payment was verified.
  • 💳 The exploit only works with specific combinations: an iPhone using Express Transit Mode with a Visa card, due to Visa’s selective asymmetric cryptography checks.
  • 🛡 MasterCard’s system would block this hack because it always uses asymmetric signature verification between card and reader.
  • ⚠️ The information exchanged between phone and reader is unencrypted for compatibility reasons, which makes this type of tampering possible in controlled scenarios.
  • 🛡 Consumers can mitigate risk by disabling Express Transit Mode or avoiding putting Visa cards in the transit slot of Apple Wallet.
  • 💬 Visa’s stance is that fraudulent charges are unlikely at scale and cardholders are protected by their zero liability policy, but the hack highlights vulnerabilities that could cause stress and disruption even if refunds are issued.
  • 🧑‍💻 Public disclosure of such vulnerabilities allows users to take precautions and encourages companies to address security gaps, even if full prevention is difficult.

Q & A

  • What was the main objective of the hack demonstrated on Marques Brownlee's iPhone?

    - The main objective was to bypass the phone's lock screen and drain funds from his mobile wallet without unlocking the phone.

  • Which type of attack was used to intercept and modify the payment communication?

    - A man-in-the-middle attack was used, where devices intercepted the communication between Marques's phone and the payment reader.

  • Why was the $10,000 transaction initially unusual for the phone's security checks?

    - Because high-value transactions typically trigger customer verification such as a PIN, fingerprint, or facial recognition, which the hack had to bypass.

  • How does Apple’s Express Transit Mode contribute to this vulnerability?

    - Express Transit Mode allows payments without unlocking the phone for transit, which was exploited to trick the phone into authorizing transactions without verification.

  • Why did this hack only work with a specific phone and card combination?

    - It required an iPhone using Apple Pay in transit mode with a Visa card, because Visa's transaction verification process allowed bypassing the asymmetric cryptography layer under certain conditions, unlike other cards like MasterCard.

  • What role did the Proxmark device play in the hack?

    - The Proxmark acted as an NFC intermediary, appearing as a legitimate reader to the phone and forwarding transaction data to a computer for modification.

  • How were high-value transactions misclassified as low-value?

    - By intercepting the transaction data and flipping a single bit that indicates whether a transaction is high or low value, tricking the phone into authorizing a $10,000 payment as a low-value transaction.

  • Why didn’t the reader detect the manipulated transaction?

    - The response from the phone falsely indicated that customer verification had occurred, and because the reader was online, it did not perform the asymmetric signature check, allowing the hack to succeed.

  • What measures can users take to prevent this type of attack?

    - Users can turn off Express Transit Mode or avoid having a Visa card in the transit slot of Apple Wallet, which prevents this specific vulnerability from being exploited.

  • Why hasn’t Apple or Visa fully fixed this vulnerability despite it being public since 2021?

    - Apple considers it a Visa system issue, and Visa believes the vulnerability is unlikely to be exploited at scale. They rely on customer protection policies and detection systems rather than implementing a complete technical fix.

  • What is the main reason asymmetric cryptography could have stopped the hack?

    - Asymmetric cryptography involves a card signature verified by the reader using a public key. If the reader had checked this signature for the transaction, it would have detected the data tampering.

  • How does the hack illustrate the trade-off between convenience and security?

    - Express Transit Mode and flexible high/low value transaction bits make payments faster and more convenient, but these features can be exploited to bypass authentication, highlighting a tension between usability and security.
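
The reader-side signature check described in the answers above, as an added example (not code from the video, Visa, Mastercard or Apple): a toy model in which the card signs the transaction data it received and the reader's policy decides whether that signature is verified. The field names, the `always_verify` flag and the textbook-RSA key are assumptions made for illustration and are not EMV data formats.

```python
import hashlib
import json

# Toy textbook-RSA key for illustration only (no padding, small modulus).
P, Q = 2**127 - 1, 2**89 - 1          # two known Mersenne primes
N, E = P * Q, 65537                   # public key the reader holds
D = pow(E, -1, (P - 1) * (Q - 1))     # card's private exponent

def digest(txn: dict) -> int:
    """Hash a transaction canonically and reduce it modulo N."""
    blob = json.dumps(txn, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N

def card_respond(txn_seen: dict) -> dict:
    """Card side: sign exactly the transaction data the card received."""
    return {"signature": pow(digest(txn_seen), D, N)}

def signature_ok(txn_sent: dict, response: dict) -> bool:
    """Reader side: the signature must cover what the reader itself sent."""
    return pow(response["signature"], E, N) == digest(txn_sent)

def reader_accepts(txn_sent: dict, response: dict,
                   online: bool, always_verify: bool) -> bool:
    """Return True if the reader forwards the transaction for authorization."""
    if always_verify or not online:
        return signature_ok(txn_sent, response)
    return True  # online and check skipped: a changed field goes unnoticed

# Constructed sample data: what the reader sent vs. what reached the card.
SENT = {"amount_cents": 1_000_000, "low_value": False}
SEEN = dict(SENT, low_value=True)     # one flag differs after the relay

def demo() -> dict:
    tampered = card_respond(SEEN)     # card signed the altered data
    honest = card_respond(SENT)       # card signed the reader's real data
    return {
        "skip_when_online": reader_accepts(SENT, tampered, True, False),
        "always_verify": reader_accepts(SENT, tampered, True, True),
        "untampered": reader_accepts(SENT, honest, True, True),
    }

if __name__ == "__main__":
    print(demo())
```

The signature only helps when the reader actually checks it against its own copy of the transaction data, which is the difference between the two policies shown.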
