Deep Dive
The Live Heist: $5 Then $10,000
Derek opens by attempting a small $5 charge on MKBHD's locked iPhone using a seemingly normal payment terminal. The phone approves it instantly without requiring any unlock, PIN, fingerprint, or facial recognition—just a brief tap. MKBHD hears the notification and sees the charge appear in real time. When Derek explains they're attempting a larger amount, MKBHD is skeptical that $10,000 would go through, noting his bank would flag such an unusual purchase. Derek proceeds anyway. The locked iPhone is tapped to the device again, and moments later another approval comes back—this time for $10,000. MKBHD's skepticism turns to alarm as he realizes the transaction cleared, the receipt printed, and the money left his account. The demonstration collapses his confidence in mobile payment security.
How the Attack Works: Three Layers, Three Lies
Derek explains they're executing a man-in-the-middle attack developed by cybersecurity professors Ioana Boureanu and Tom Chothia at the University of Surrey. The hack intercepts communication between the phone and the reader using an NFC device called the Proxmark, runs the intercepted data through a Python script on a laptop that modifies it, then relays it through a burner phone to the actual card reader. Both the original phone and the reader think they're talking directly to each other, but all traffic routes through the attack chain. The first lie tricks the iPhone into Express Transit Mode—a feature Apple created so subway riders don't need to unlock their phones to pay. The attackers broadcast the same code that a London Underground gate sends, fooling the phone into thinking it's at a transit terminal. The second lie involves flipping a single bit in the transaction data from 1 to 0, making the phone believe a $10,000 charge is a low-value transit fare that doesn't need customer verification. The third lie changes a bit in the phone's response to the reader, falsely claiming the customer verified the payment—when in reality no verification occurred.
Why iPhones Are Vulnerable: Design Flaw in Express Transit Mode
iPhones handle Express Transit Mode by relying on a single-bit label from the reader to determine whether a transaction is high-value or low-value, rather than checking the actual numerical amount. This design choice exists because payment limits vary by country and currency, so a flexible bit-based system lets banks adjust thresholds without reissuing cards. In contrast, Samsung phones in transit mode check the actual transaction amount and only accept $0 charges, leaving the transport provider to bill you later. If a Samsung phone saw a $10,000 transit request, it would reject it immediately. Apple's system creates an asymmetry: an attacker can intercept the reader's message and flip that single bit to lie about the value classification. The iPhone, having no other reference point for the transaction size, accepts the lie. MasterCard avoids this vulnerability by requiring an additional layer of asymmetric cryptography—a digital signature that would break if any transaction data is tampered with. But Visa only requires this signature in certain situations, particularly when the reader is offline. During the attack, the reader stays online, so it never checks the signature that would expose the tampered bits.
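To make the asymmetry above concrete, here is an added toy model (not code from the video, the researchers, Apple or any payment network) that runs one relabelled $10,000 request through three decision policies: trusting the reader's bit, checking the amount, and verifying an integrity tag over the data. An HMAC stands in for the asymmetric signature the paragraph mentions, and the field names, key and threshold are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed toy model of each wallet's decision; not the EMV/Visa wire
# format. Key, field names and the threshold are made up for the demo.
DEMO_KEY = b"constructed-demo-key"   # stand-in for the issuer's signing key
TRANSIT_LIMIT_CENTS = 500            # hypothetical "low-value" ceiling

@dataclass(frozen=True)
class ReaderRequest:
    amount_cents: int
    low_value_flag: bool   # the reader-asserted classification bit from the page
    tag: bytes             # integrity tag over the two fields above

def make_tag(amount_cents, low_value_flag):
    # HMAC stands in for the MasterCard-style signature the page describes.
    msg = f"{amount_cents}:{int(low_value_flag)}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()

def honest_reader(amount_cents):
    # An honest reader derives the label from the real amount and tags both.
    low = amount_cents <= TRANSIT_LIMIT_CENTS
    return ReaderRequest(amount_cents, low, make_tag(amount_cents, low))

def policy_trust_flag(req):
    # Express Transit model: the verification decision keys off the bit alone.
    return "approve_without_cvm" if req.low_value_flag else "require_cvm"

def policy_check_amount(req):
    # Samsung model from the page: only a $0 transit charge is accepted.
    return "approve_without_cvm" if req.amount_cents == 0 else "reject"

def policy_verify_tag(req):
    # MasterCard-style model: any change to amount or flag breaks the tag.
    if not hmac.compare_digest(make_tag(req.amount_cents, req.low_value_flag), req.tag):
        return "reject_tampered"
    return policy_trust_flag(req)

def relabel(req):
    # The page's "second lie" in the toy model: flip the bit, touch nothing else.
    return replace(req, low_value_flag=not req.low_value_flag)

def compare_policies(amount_cents):
    # Same relabelled request through all three policies.
    forged = relabel(honest_reader(amount_cents))
    return {"trust_flag": policy_trust_flag(forged),
            "check_amount": policy_check_amount(forged),
            "verify_tag": policy_verify_tag(forged)}
```

Calling `compare_policies(1_000_000)` models the $10,000 case: only the bit-trusting policy approves it without verification, while the amount check rejects it and the tag check flags it as tampered.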
Why Visa Hasn't Fixed It: Statistics Over Security
Derek contacted both Apple and Visa about the vulnerability. Apple responded that it's 'a concern with the Visa system' and pointed to Visa's zero-liability fraud policy to protect cardholders. Visa's position is blunt: in-person card fraud costs only 2 cents per $100 in transactions, making it statistically insignificant. A company representative told Derek that this kind of attack is unlikely to scale in the real world and that even when successful, cardholders can dispute and recover funds. Visa argues they have network-level defenses in place that make this specific vulnerability isolated, and that you can never completely eradicate fraud—only minimize it to acceptable levels. When Derek pushes back, asking why Visa doesn't just implement a technical fix to make the attack impossible rather than just improbable, Visa doubles down on the statistical argument: detecting fraud is more important than preventing this particular type, and the refund policy is sufficient. Derek analogizes this to airline safety—airlines don't accept a few crashes per year as an inevitable cost; they meticulously investigate and eliminate each hazard. He questions whether a refund-after-the-fact approach is adequate when $10,000 vanishing from someone's account could mean missed rent or medical bills, even if the money eventually returns.
Workarounds and Reality Check
The simplest fix for users is to disable Express Transit Mode on iPhones or remove Visa cards from the transit slot, since the hack requires that specific combination—iPhone plus Visa in Express Transit Mode. However, Express Transit Mode is enabled by default whenever a suitable card is added to Apple Wallet. Derek notes that disabling it is unintuitive for most users, who don't realize the setting exists or understand why it matters. The attack also requires physical proximity: the attacker needs the phone to be tapped against their NFC device, with the traffic then relayed to the actual reader. In a real-world scenario, a thief with a stolen iPhone would be the highest-risk case, as they'd have direct access to execute the attack repeatedly without the original owner knowing. Derek also demonstrates the attack on himself and the Veritasium CFO, showing it's reliably reproducible and not a one-off anomaly. Despite the technical sophistication of the attack itself, the core vulnerability—a single-bit transaction classification that the phone accepts without checking the amount or a signature—has existed since 2021 without a fix, suggesting neither Apple nor Visa views the liability risk as sufficient to justify engineering effort.