Ranked as the most popular digital payment service on the planet, Apple Pay is trusted by 785 million users to carry out both online and in-store transactions worldwide. Today, it accounts for 14.2% of all payments made online, with user adoption expected to climb through 2030, but should users trust it? A new bombshell revelation proves that Apple Pay is vulnerable to unauthorized transactions, and it has been broken for half a decade, with no software patch in sight.
The Apple Pay heist of the century
In mid-April, popular tech YouTuber Marques Brownlee (aka MKBHD) met with a researcher at Veritasium to conduct an experiment. The goal? To steal $10,000 from Marques’ Apple Pay account without his authorization — no password authentication, no FaceID detection, nothing.
The entire process takes less than 10 seconds.
The heist was pulled off using nothing but a MacBook, a burner phone, a wireless NFC reader called a Proxmark, and Marques’ iPhone, which was locked, secured, and seemingly impenetrable by Apple’s security standards.
Yet, as you can see in the live demonstration, Veritasium did the impossible. They initiated a transaction that successfully moved $10,000 out of Marques’ iPhone and into Veritasium’s account, much to the surprise of MKBHD himself.
How to steal $10,000 from Apple Pay
Later in the video, Veritasium explains how the flaw works.
First, the target iPhone must sit atop the Proxmark (the wireless NFC reader), which acts as a middleman between the target iPhone and the actual card reader. The Proxmark tricks the iPhone into thinking it is talking to a typical card reader — the same kind you tap with your phone or card at a grocery store — and requests the amount of money set by the hacker, in this case $10,000. The iPhone recognizes the request and sends the transaction data over to be processed on the connected MacBook, which then sends the data to a nearby burner phone that serves as the payment recipient device. The transaction is automatically verified through Apple’s Express Mode (which doesn’t require user authentication), and the payment is complete, removing the money from the target iPhone sitting on the reader and putting it into the hands of the hacker.
Although there are several steps involved, the entire process takes less than 10 seconds, or about as long as it would take to issue a legitimate wireless payment at a store with Apple Pay.
The shocking part? This major Apple Pay flaw was originally found all the way back in 2021, and there is still currently no remediation in place. Every iPhone with Apple Pay enabled is potentially vulnerable, and a hacker could theoretically steal the entire debit card sum or credit card limit of the main card in your Apple Wallet.
Are you at risk?
There are several important factors to determine whether you are in any danger of NFC-related theft.
First and foremost, the hack detailed in the video only works on Apple Pay. That means if you own an Android device, you are safe. Google Pay and/or Samsung Pay are not affected by this exploit.
If you own an iPhone, there is one more factor that will determine your risk. The hack requires you to have a Visa credit or debit card set as the default card in your wallet. It will not work if payments default to a Mastercard!
How to protect yourself from this Apple Pay exploit
To change your default card, open the Wallet app, hold your finger on the card you want to set, and drag it to the bottom of the card stack until you see the full face of the card displayed. To remove a card, tap on the card, then select the three dots in the top right corner, followed by “Card Details.” Scroll to the bottom of the page and select “Remove Card” to wipe it from your phone.
Screenshots by Zach Laidlaw/Apple Wallet on iOS 26
Since this bug has existed for half a decade, chances that Apple will patch it any time soon are slim. However, MKBHD is highly respected in the tech community, and his new high-profile coverage of the exploit may be enough to get Apple’s attention for a future fix.
Until then, you can keep yourself safe simply by tweaking your default card settings or removing your cards altogether.
Read the full article here
