CYBERSECURITY · PAYMENT SECURITY · OPINION
Apple and Visa both know about a flaw that lets attackers drain your locked iPhone. Years later, it's still unfixed. I've seen this movie before.
A few years ago, I was part of a multi-vendor telecom project. My company owned the software. A third party owned the hardware and firmware. On paper, the security responsibilities were clear. In reality, nobody had checked.
During a preliminary audit, we found it: a security control on the hardware side that both parties had assumed the other was handling. It wasn't a minor gap. It was a complete blind spot — sitting at the exact boundary where our systems met theirs.
Neither team had documented it. Neither team had flagged it. It had been open for 53 days.
Getting it fixed required putting both parties in the same room. The conversation was contentious. Eventually, the third party accepted ownership and closed the gap. But here's what stayed with me: the vulnerability didn't exist because someone was incompetent. It existed because two organizations, each managing their own risk, had both assumed someone else was managing the boundary.
When I watched Veritasium's recent video demonstrating how $10,000 was drained from a locked iPhone using Apple Pay and a Visa card, I didn't think about the technical exploit. I thought about that room. And I realized: Apple and Visa have never had that conversation. Or if they have, nobody blinked.
What the Attack Actually Does
The vulnerability affects iPhone users who have a Visa card configured in Apple Pay's Express Transit Mode — the feature that lets you tap to pay at a subway barrier without unlocking your phone. Convenient. Intentional. And, as it turns out, exploitable.
Researchers from the University of Birmingham and the University of Surrey found that transit gates send a particular byte sequence, which they dubbed 'Magic Bytes', that tells a locked iPhone it may complete a contactless payment without unlocking. An attacker with a commercially available NFC device can replay those bytes to your iPhone, convincing it that it is standing in front of a legitimate transit gate.
At the same time, the attacker relays the transaction to an EMV payment terminal and rewrites the data in transit, so the terminal believes your iPhone has already verified the cardholder on the device. The result: a payment of any amount, from your locked phone, to an attacker-controlled terminal, with no Face ID, no Touch ID and no PIN.
The contactless transaction limit — the one most people assume protects them — is bypassed entirely. The research demonstrated successful payments up to £1,000 in lab conditions. Veritasium's demonstration went further.
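To make those two moves concrete, here is a small Python model of the transaction. It is an added illustration, not code from the page, the researchers, Apple or Visa: the message fields, the latencies, the contactless limit and the magic-byte value are all constructed placeholders, and the real EMV messages are not reproduced. The model also shows the general shape of a relay-resistant check, a bound on round-trip time, which is the principle behind relay resistance in general; the specific protocol the researchers proposed is not reproduced here. The point it makes is the one in the text: the phone's check ("am I at a transit gate?") and the terminal's check ("was the user verified?") each rely on data the other side never authenticates, and a relay between them can satisfy both.

```python
"""Toy model of the Express Transit relay attack and one relay-resistant check.

Added illustration, not code from the page, the researchers or Apple/Visa.
Field names, latencies and the magic-byte value are constructed; real EMV
messages and the real Magic Bytes are not reproduced here.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

# Constructed placeholder for the reader-to-phone "Magic Bytes" the page describes.
TRANSIT_MAGIC_BYTES = b"TRANSIT"

# Simulated latencies in microseconds (constructed numbers, not measurements).
HOP_US = 300                        # one direct contactless hop
RELAY_US = 4000                     # extra delay per direction over the attacker's link
TIMING_BOUND_US = 2 * HOP_US + 200  # hardened terminal: max acceptable round trip


@dataclass(frozen=True)
class ReaderCommand:
    amount_pence: int
    magic_bytes: bytes = b""        # only genuine transit gates send these


@dataclass(frozen=True)
class CardResponse:
    cryptogram: bytes               # stands in for the EMV cryptogram; opaque here
    cdcvm_performed: bool           # "cardholder verified on the device" flag; NOT
                                    # covered by the cryptogram in this model, which
                                    # is what lets the relay rewrite it unnoticed


class Phone:
    """Express Transit behaviour: a locked phone answers only a transit reader."""

    def __init__(self, unlocked: bool, express_transit: bool = True) -> None:
        self.unlocked = unlocked
        self.express_transit = express_transit

    def respond(self, cmd: ReaderCommand) -> Optional[CardResponse]:
        if self.unlocked:
            return CardResponse(b"ARQC", cdcvm_performed=True)
        if self.express_transit and cmd.magic_bytes == TRANSIT_MAGIC_BYTES:
            # Transit mode: pay without Face ID/Touch ID, and say so honestly.
            return CardResponse(b"ARQC", cdcvm_performed=False)
        return None  # locked phone at an ordinary merchant reader: silence


class Relay:
    """Attacker in the middle: card emulator at the terminal, reader at the phone."""

    def forward(self, cmd: ReaderCommand, phone: Phone) -> tuple[Optional[CardResponse], int]:
        # Step 1: replay the magic bytes so the phone thinks it is at a transit gate.
        spoofed_cmd = replace(cmd, magic_bytes=TRANSIT_MAGIC_BYTES)
        resp = phone.respond(spoofed_cmd)
        # Step 2: rewrite the response so the terminal thinks the user was verified.
        if resp is not None:
            resp = replace(resp, cdcvm_performed=True)
        # Two contactless hops on each side of the relay plus the relay's own link.
        round_trip_us = 4 * HOP_US + 2 * RELAY_US
        return resp, round_trip_us


class Terminal:
    """Merchant terminal or gate reader; the hardened variant enforces a round-trip bound."""

    NO_CVM_LIMIT_PENCE = 10_000     # constructed £100 contactless limit

    def __init__(self, enforce_timing: bool) -> None:
        self.enforce_timing = enforce_timing

    def authorize(self, amount_pence: int, resp: Optional[CardResponse], round_trip_us: int) -> str:
        if resp is None:
            return "no card"
        if self.enforce_timing and round_trip_us > TIMING_BOUND_US:
            return "declined: relay suspected"
        if amount_pence > self.NO_CVM_LIMIT_PENCE and not resp.cdcvm_performed:
            return "declined: cardholder verification required"
        return "approved"


def direct_tap(phone: Phone, terminal: Terminal, amount_pence: int, transit_gate: bool = False) -> str:
    """Phone held directly against a reader; a transit gate sends the magic bytes."""
    cmd = ReaderCommand(amount_pence, TRANSIT_MAGIC_BYTES if transit_gate else b"")
    return terminal.authorize(amount_pence, phone.respond(cmd), 2 * HOP_US)


def relayed_tap(phone: Phone, terminal: Terminal, amount_pence: int) -> str:
    """Attacker's terminal talks to the victim's phone through the relay."""
    resp, rtt = Relay().forward(ReaderCommand(amount_pence), phone)
    return terminal.authorize(amount_pence, resp, rtt)


if __name__ == "__main__":
    locked = Phone(unlocked=False)
    naive, hardened = Terminal(enforce_timing=False), Terminal(enforce_timing=True)
    print("locked phone, direct £1,000:", direct_tap(locked, naive, 100_000))
    print("locked phone, relayed £1,000:", relayed_tap(locked, naive, 100_000))
    print("same relay, timing bound:", relayed_tap(locked, hardened, 100_000))
    print("locked phone, transit gate:", direct_tap(locked, hardened, 250, transit_gate=True))
    print("Express Transit off, relayed:", relayed_tap(Phone(False, express_transit=False), naive, 100_000))
```

Run as written, the locked phone stays silent at a merchant reader, the relayed £1,000 is approved by the naive terminal, the same relay is declined by the terminal that enforces the timing bound, the genuine transit gate still works without unlocking, and a phone with Express Transit turned off never answers the relay at all. The round-trip bound is a stand-in: relay resistance in practice depends on timing precision at the contactless layer that this toy does not model.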
Both Apple and Visa were informed. Apple in October 2020. Visa in May 2021. Both acknowledged the severity. Neither has implemented a fix.
"Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely." — Dr. Andreea Radu, University of Birmingham
What Most People Get Wrong
When this story circulates, the conversation almost always goes to the wrong place.
- First wrong assumption: this is an Apple problem. It isn't — not entirely. The same attack doesn't work with Mastercard on Apple Pay. It doesn't work with Visa on Samsung Pay. The vulnerability lives at the intersection of Apple's Express Transit implementation and Visa's EMV transaction authorization logic. Neither party created it alone, and neither can fix it alone.
- Second wrong assumption: if it hasn't happened in the wild, it's not a real threat. This logic consistently underestimates how quickly academic proof-of-concept research gets operationalized once it's public. The attack is now on YouTube, demonstrated to millions of viewers, with off-the-shelf hardware. The question isn't whether someone will try it. The question is whether it has already been tried and simply not attributed.
- Third wrong assumption — and this is the one that concerns me most: the fix is technical. A patch, a protocol update, a firmware change. But the research team has been waiting years for that patch. The reason it hasn't arrived isn't engineering capacity. It's accountability.
The Real Problem: Nobody Owns the Boundary
In more than a decade of cybersecurity work, I've observed a consistent pattern: single-vendor vulnerabilities get fixed in weeks. Cross-vendor vulnerabilities sit for quarters — sometimes indefinitely.
It's not because organizations don't care. It's because accountability frameworks — contracts, SLAs, security review processes — are almost never designed with the boundary in mind.
I've sat in multiple vendor contract and SLA negotiations throughout my career. Security controls, data handling, and incident response timelines — all covered. Cross-boundary vulnerability ownership has never once appeared in the contract. Not once. The assumption is always that if a problem crosses systems, the two parties will figure it out. What actually happens is what you're watching play out between Apple and Visa right now.
Each party points at the other. Apple says Visa's authorization logic is at fault. Visa notes that the same problem doesn't exist with Visa on Samsung Pay, implying the issue is with Apple's implementation. Both statements can be simultaneously true. Neither resolves the vulnerability.
This is what a governance failure looks like from the inside. Not malice. Not incompetence. Just two organizations, each managing their own perimeter, with nobody chartered to manage the space between them.
The Security-Usability Tradeoff Has a Price Tag
Express Transit Mode exists for a good reason. Fumbling with Face ID at a busy subway barrier creates queues. It creates friction. The feature removes that friction deliberately, and for most users in most moments, the tradeoff is invisible.
But every time we remove friction for the user, we create a new surface for the attacker. This isn't a new observation — it's one of the oldest tensions in security design. What's new is that we increasingly build these tradeoffs into products jointly, across organizational boundaries, where no single party is accountable for the consequences.
The researchers behind this work proposed a technical solution: an EMV relay-resistant protocol that would preserve the usability of Express Transit while closing the attack vector. It exists. It has been documented. It has not been implemented.
The barrier isn't technical. It's that implementing it requires both Apple and Visa to agree, coordinate, and share the cost of a fix for a vulnerability that neither fully owns. In the absence of regulatory pressure or a high-profile incident, that conversation has no forcing function.
What You Can Do Right Now
Before you think I'm an Android evangelist — I'm not. I use an iPhone. Which is exactly why this bothers me.
While the governance conversation continues, here are four things worth acting on:
- Check your Apple Pay setup. If you have a Visa card configured in Express Transit Mode, disable it. You can still use Apple Pay for transit, just with Face ID, Touch ID or your passcode required at the gate. That one step closes this attack vector entirely, because a locked phone with Express Transit off does not answer the replayed transit bytes at all.
- Change your procurement question. If your organization deploys systems that integrate with third-party hardware or platforms, start asking: "If a vulnerability lives at the boundary between your system and another vendor's, who owns the fix?" The answer will tell you everything about how seriously they've thought about it.
- Stop using brand names as security proxies. "Apple" and "Visa" together still produced a multi-year unpatched vulnerability sitting in public view. Brand reputation is a signal, not a guarantee. Evaluate the architecture, not the logo.
- Recognize the dollar value of the tradeoff. The security-usability tradeoff isn't abstract. Someone always pays it. In this case, that someone could be you, standing on a platform, with a phone in your pocket and no idea that a transaction just occurred.
The Conversation That Needs to Happen
In my telecom project, we eventually got both parties in the room. It was uncomfortable. It took a forced escalation. But we closed the gap in 53 days.
Apple and Visa have had years. The research team disclosed in 2020. The paper was presented at the IEEE Symposium on Security and Privacy in 2022. Veritasium put it on YouTube for millions of people to see. And the vulnerability remains open.
The technical fix exists. What's missing is the forcing function — someone, somewhere, with enough leverage to put both parties in the same room and make one of them blink. Until that happens, the boundary between Apple's software and Visa's authorization logic remains ungoverned. And ungoverned boundaries, in my experience, are where attackers live.
This isn't just an Apple Pay problem. It's a preview of every complex, multi-vendor, convenience-first system we're building right now. The payment ecosystem, the connected car, the smart building, the industrial IoT deployment — all of them have boundaries. Almost none of those boundaries have owners.
We need to start building accountability for the space between systems. Not just the systems themselves.
If this resonated, follow me on Medium for more practitioner-first writing on cybersecurity, AI, and the systems thinking that connects them. Connect with me on LinkedIn.
Have you ever been in a vendor negotiation where cross-boundary vulnerability ownership actually appeared in the contract? I'd genuinely like to know — it would be the first time I've heard of it.