Video Summary

Can you steal $10,000 from a locked iPhone?

Veritasium

Main takeaways
1. A Proxmark-based man-in-the-middle can intercept and modify NFC communication between a locked iPhone and a payment terminal.

2. Attackers spoof transit mode and flip a specific transaction bit so the phone treats a high-value charge as a low-value (no-auth) transaction.

3. Visa's protocol choices make certain card/phone combinations vulnerable; Mastercard's asymmetric checks are more resistant.

4. Victims typically can dispute fraudulent charges (zero liability), but refunds don't remove the immediate stress and exposure risk.

5. Mitigations include disabling Express/Transit modes, using cards with stricter cryptography, and vendor-side protocol fixes.

Key moments
Questions answered

How can an attacker make a locked iPhone approve a large payment?

By inserting a proxmark-based man-in-the-middle between the phone and reader, intercepting NFC data, spoofing transit (Express) mode, and flipping a specific transaction bit so the phone treats a high-value charge as a low-value no-auth transaction; the attacker then alters the reader-facing response to indicate 'user-

Why does transit (Express) mode matter for this exploit?

Express/Transit mode is designed to allow payments without unlocking the phone for fast transit gates. The exploit makes the phone believe it's in a transit interaction, removing the usual lockscreen/authentication barrier and enabling authorization without user unlock.

Why are some card networks (Visa vs Mastercard) differently affected?

Mastercard implementations consistently require asymmetric cryptographic verification between card and reader, which detects tampering. Visa's flows sometimes rely on symmetric checks or skip asymmetric verification in transit/offline scenarios, making certain Visa card/phone combinations vulnerable.

Can victims get their money back if this happens?

Yes — payment providers like Visa point to zero liability and dispute processes, so unauthorized charges are typically refundable. However, refunds don't prevent the immediate loss of funds or the stress and inconvenience caused.

What practical steps reduce the risk of this attack?

Disable Express/Transit mode for your card in your phone's wallet when you don't need it, use cards/providers that enforce asymmetric verification, and keep your devices updated; on their side, merchants and banks should patch their protocol implementations to require on-reader signature checks.

Attempting to Transfer Money from a Locked iPhone 00:00

"I'm here with MKBHD, and we're gonna try to steal $10,000 from his locked iPhone."

  • The video begins with a challenge to see if they can steal $10,000 from a locked iPhone using a payment terminal. MKBHD places his phone on the device without unlocking it.

  • They decide to start with a small amount of $5 to test the process and gauge whether it’s possible to extract money from the phone.

  • When the test is executed, a transaction is approved for $5 without the phone being unlocked, raising concerns about the security of contactless payment methods.

Explanation of the Hack Mechanism 04:05

"Well, we teamed up with two cybersecurity experts who ran us through a unique hack that they developed to bypass the phone's lock screen."

  • The hosts collaborate with cybersecurity experts to understand the mechanism behind the hack, which allows funds to be drained from a locked phone's mobile wallet.

  • They explain that the hack exploits a known issue that has been public since 2021, meaning the potential for this type of theft has existed for several years without a fix.

  • The key to the hack lies in intercepting and manipulating the communication between the phone and the payment reader, allowing unauthorized transactions.

How the Hack Works 04:47

"Whenever you use Tap to Pay, your phone and the reader exchange information about the transaction."

  • The interaction between a phone and a contactless card reader involves the exchange of data about the transaction. This data can be intercepted and potentially altered.

  • They employ a device called a Proxmark, which mimics a card reader to communicate with MKBHD's phone. The Proxmark forwards the transaction data to a laptop, where a script modifies it.

  • The modified data is then sent to a burner phone, which is tapped on the payment terminal, creating the illusion that both the phone and the reader are communicating directly.

Bypassing Security Layers 05:53

"To actually steal money using this attack, you have to get past three layers of defense on both systems."

  • Successfully executing the hack requires overcoming multiple layers of security. The first challenge is that the phone must be unlocked for standard transactions, but they exploit a feature called Express Transit Mode.

  • This feature allows transactions to be completed without unlocking the phone, which they discovered through reverse engineering during tests on public transport systems.

  • They then manipulate transaction data to make it appear as though a transit transaction is being performed, thus bypassing the first security layer.

Impersonating a Low-Value Transaction 08:51

"For us to get this $10,000 payment through without customer verification, we need to trick the phone into thinking that $10,000 is a low-value transaction."

  • The second layer of defense involves customer verification for high-value transactions. They reveal that the phone does not determine the transaction's value based on the number but rather relies on other factors.

  • By modifying the necessary parameters, they can make the iPhone believe that a significant amount, such as $10,000, is classified as a low-value transaction, allowing the payment to go through without additional authentication.

  • This manipulation exploits vulnerabilities within the transaction verification process, enabling the potential for high-value thefts without user consent.

Understanding Transaction Data and Security Checks 09:36

"All we need to do is intercept the message from the reader, flip that bit to a zero, and then the phone will believe that this transaction is low value even though it's for $10,000."

  • The reader's transaction data carries a flag bit: '1' marks the transaction as high value and '0' as low value. The threshold that decides which value applies varies by country and currency.

  • By flipping that single bit in the intercepted data, it is possible to make an iPhone believe that a high-value transaction of $10,000 is actually low value, so it authorizes the transaction without customer verification.

  • Together, these first two steps bypass the need to unlock the phone and get it to authorize a high-value transaction without proper verification, with the phone believing the transaction is legitimate.

Tampering with Reader Communication 10:19

"Now we need to trick the reader into thinking that the customer has verified the payment."

  • After the phone is convinced to authorize the transaction, the next part of the hack requires deceiving the card reader into believing that customer verification has happened.

  • This involves intercepting the information sent from the phone to the reader and modifying the part of the response that indicates verification status. By changing the indication from 'not verified' to 'verified', the reader proceeds with the transaction, sending it for bank authorization.

  • This manipulation allows the bank to see a verified transaction, thus authorizing the payment based on incorrect information fed into the system.

Vulnerabilities in Communication Protocols 11:51

"The way the phone and reader communicate has to be compatible with thousands of different devices, which would be impossible to update all in one go."

  • The data in transactions is typically not encrypted to allow compatibility across various devices, making it easier for potential attacks like this.

  • Although procedures exist to prevent attacks, specific combinations of phones and payment cards can create vulnerabilities that can be exploited.

  • For example, the hack requires using a specific type of iPhone and a specific card that together create a loophole in the transaction verification process.

Specific Combinations and Security Layers 14:20

"First, the phone has to be an iPhone."

  • The hack's success relies on using an iPhone because it processes transaction verification differently than other devices. While the iPhone relies on a low/high label, other phones, like Samsung, use actual transaction amounts to prevent overcharging.

  • Additionally, the type of card used plays a crucial role. Security measures differ between card networks: Visa's process leaves room for this attack, while Mastercard's avoids it through an additional layer of asymmetric cryptography.

  • In Visa's system, the verification used here relies on symmetric cryptography, while Mastercard adds asymmetric cryptography, which gives the reader an extra way to verify what the card sent and so blocks the tampered transaction.

The Security of Card Transactions and Cryptography 18:23

"This is based on a type of cryptography called RSA."

  • This extra layer relies on RSA cryptography, which lets a reader verify the card's signature using only the card's public key, without needing to know its private key. Because of the size of the numbers involved, it is practically impossible to derive the private key from the public one, so an attacker cannot forge the card's signature.

  • Even a single-bit change in the transaction data produces a completely different result when the reader checks the signature. If the data has been modified in transit, the signature no longer matches and the transaction is declined, since the reader expects a valid signature for a high-value retail transaction.

Vulnerabilities in Different Payment Systems 18:53

"While MasterCard always requires this asymmetric verification, Visa doesn't."

  • Unlike Mastercard, which always requires asymmetric verification and so detects tampered transactions, Visa's system only mandates it in specific scenarios, such as when the reader is offline.

  • Visa's offline case covers situations such as an underground station with no signal, where the reader cannot reach the bank. When the reader is online, that signature check is skipped, and the attack takes advantage of this by running its spoofed transit transaction against an online reader.

The Mechanics of the Hack 19:31

"We've tricked the phone into thinking it's interacting with the transit reader."

  • The attack exploits the fact that the phone has been manipulated into believing it is performing a transit transaction. The phone behaves as though it were talking to a transit reader, while in reality the reader is online and never validates the signature the phone sends.

  • Even though the phone does send its signature, the online reader relies on the bank's online authorization as its first layer of defense and skips the asymmetric signature check, which is the check that would normally expose the tampering.
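The following is an added example, not code from the video or from the researchers it features. It models the defensive point of the last three sections with a toy RSA implementation (raw RSA over a SHA-256 digest, 512-bit modulus; real cards use larger keys and a standardised signature format) and a constructed transaction record whose layout is invented for the demo and is not the real EMV tag structure. It shows that flipping the single "customer verified" bit invalidates the card's signature, and compares two reader policies described in the video: one that always runs the asymmetric check (Mastercard-like) and one that runs it only when the reader is offline (Visa-like). The policy names, the record layout, and the `CVM_VERIFIED` flag are all assumptions of this example.

```python
import hashlib
import random

# Toy RSA (added example). Assumption: raw RSA over a SHA-256 digest with a
# 512-bit modulus; real cards use larger keys and a standardised signature format.

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    """Card/phone side: signature = H(data)^d mod n."""
    n, d = private_key
    return pow(_digest(data), d, n)

def verify(public_key, data, signature):
    """Reader side: recover H(data) using only the public exponent and compare."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data)

# Constructed record layout for this demo (NOT the real EMV tag layout):
# 6 bytes amount in minor units, 2 bytes ISO 4217 currency code, 1 flags byte
# whose top bit is the phone's "customer verified" report.
CVM_VERIFIED = 0x80

def encode_transaction(amount_cents, currency_code, verified):
    flags = CVM_VERIFIED if verified else 0
    return amount_cents.to_bytes(6, "big") + currency_code.to_bytes(2, "big") + bytes([flags])

def customer_verified(record):
    return bool(record[-1] & CVM_VERIFIED)

def reader_decision(public_key, record, signature, always_check_signature, online):
    """Two reader policies from the video: always run the asymmetric check
    (Mastercard-like), or run it only when the reader is offline (Visa-like)."""
    if always_check_signature or not online:
        if not verify(public_key, record, signature):
            return "declined: signature mismatch"
    if not customer_verified(record):
        return "declined: customer verification required"
    return "approved"

def demo():
    public_key, private_key = generate_keypair()
    # What the phone actually signed: $10,000 (USD = 840), no customer verification.
    honest = encode_transaction(1_000_000, 840, verified=False)
    signature = sign(private_key, honest)
    # The in-transit modification the video describes: the verified bit is flipped.
    tampered = honest[:-1] + bytes([honest[-1] | CVM_VERIFIED])
    return {
        "honest_signature_valid": verify(public_key, honest, signature),
        "tampered_signature_valid": verify(public_key, tampered, signature),
        "always_check_online": reader_decision(public_key, tampered, signature, True, True),
        "offline_only_check_online": reader_decision(public_key, tampered, signature, False, True),
        "offline_only_check_offline": reader_decision(public_key, tampered, signature, False, False),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the honest record verifying, the tampered record failing verification, the always-check reader declining it, the offline-only reader declining it only when offline, and the same offline-only reader approving it when online, which is the gap the video describes. The only design choice that matters here is whether the reader consults the signature before trusting the verification flag; the bank authorization step cannot catch the change because it never sees the original, unmodified record.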

The Response from Payment Providers 21:51

“Visa does not believe this kind of fraud is likely to take place in the real world.”

  • In response to inquiries about the vulnerability, Visa maintains that while this specific issue exists, it is not expected to occur frequently in practical applications and has reassured cardholders that they are protected under their zero liability policy.

  • This perspective emphasizes that even if such fraud occurs, consumers are able to dispute the transaction and receive their funds back, suggesting that the current measures taken to defend against this hack have been deemed effective at a network level.

The Consequences of Transaction Fraud 25:02

"Imagine waking up to see $10,000 gone from your account."

  • The psychological impact of discovering substantial unauthorized payments can be severe, regardless of the eventual outcome through refunds or disputes. The stress incurred before the resolution is highlighted, raising questions about whether reliance on post-fraud refunds is sufficient.

  • The discussion points towards a broader expectation that financial systems, especially those that deeply affect daily life, should strive for higher standards of security to prevent such incidents altogether.