Security researchers have discovered a new loophole in the Apple Pay mechanism that may leave iPhone users at risk of being robbed. Worryingly, the theft is completely wireless, so the victim may not realize they have been robbed until hours or days later.

Apple Pay is regarded as one of the most secure contactless payment methods in use today. So it is extremely unusual to hear of a vulnerability like this.

How the Apple Pay hack works

The Apple Pay hack is a relay attack. It works by fooling the victim’s iPhone into thinking it is next to a contactless ticket barrier like those found on metro systems in most major cities. A small radio device held close to the victim’s phone imitates the signal a transit gate would send, and the iPhone is tricked into activating the ‘Express Transit’ feature of Apple Pay.

The radio device is connected to another mobile phone, which relays the iPhone’s payment response to an ordinary card terminal elsewhere. The terminal then completes a debit payment, which deducts money – the researchers demonstrated a payment of £1000 – from the victim’s payment card in Apple Pay.

Express Transit is designed to make it quick and simple for travelers to pass through payment gates. They simply tap their phone on the card reader to complete an automated payment – there is no need to unlock their iPhone, enter a PIN or confirm the amount being paid. The entire process is ‘silent’, so the victim doesn’t realize what has happened.

In theory, a hacker could stand in a crowded place and trigger hundreds of fraudulent payments every hour using this technique.


Just a proof-of-concept hack. For now

The good news is that this hack does not appear to have been used by criminals yet. The loophole has been discovered by security researchers who are trying to find – and fix – problems before they can be abused.

The loophole only affects Visa cards that have been configured for use with Express Transit. Mastercard and American Express card users cannot be ‘tricked’ using this hack.

The researchers have not yet confirmed whether this hack also affects the Apple Watch which also has an Express Transit payment feature.

How to protect yourself

Although the Apple Pay hack has not yet been copied by criminals, it is highly likely that they will try something similar in the future. Fortunately, there are two ways you can protect yourself now:

  • Change your Express Transit settings, choosing a non-Visa card.
  • If you don’t use Express Transit at all, choose ‘None’ in the ‘Express Transit Card’ settings (you will find them under ‘Wallet & Apple Pay’ in the Settings app on your iPhone).

Disabling Express Transit will not stop you using your iPhone to pay for travel either – you will just need to unlock your wallet with Face ID or Touch ID as you approach the ticket barrier.

It may also be worth applying these changes to your Apple Watch, just in case it is vulnerable to the hack too.
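To make the relay described above, and the effect of the two settings changes, concrete, here is a small simulation added to this article. It is not code from the researchers, from Apple or from any card network, and the message fields, class names and the rule that decides which network accepts an unverified transit-mode payment are all invented simplifications chosen only to reproduce what the article reports (the phone cannot tell a forged gate signal from a real one, the terminal never sees any user verification, and only a Visa card set as the Express Transit card is charged).

```python
"""Toy model of the Express Transit relay attack described in the article.

Everything here is a simplification for illustration: the probe and response
dictionaries are NOT the real EMV or Apple Pay protocol messages.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Wallet:
    """Simplified model of the Apple Pay state on a locked or unlocked iPhone."""
    cards: dict                          # card name -> network, e.g. {"visa_debit": "Visa"}
    default_card: str                    # card used for a normal, authenticated tap
    express_transit_card: Optional[str]  # 'Express Transit Card' setting, or None
    unlocked: bool = False               # True once Face ID / Touch ID has passed

    def respond(self, probe: dict) -> Optional[dict]:
        """Answer a contactless reader.

        The phone only sees radio frames, so it cannot verify that a reader
        claiming to be a transit gate really is one. That unverifiable claim
        is exactly what the attacker's radio device forges.
        """
        if probe.get("reader") == "transit_gate" and self.express_transit_card:
            card = self.express_transit_card
            return {"card": card, "network": self.cards[card],
                    "mode": "transit", "user_verified": False}
        if self.unlocked:
            # Normal payment: the user authenticated on the phone before tapping.
            card = self.default_card
            return {"card": card, "network": self.cards[card],
                    "mode": "payment", "user_verified": True}
        return None  # locked phone, no Express Transit card: the tap does nothing


@dataclass
class Terminal:
    """Merchant card terminal. It never talks to the user; it trusts the card response."""
    limit_gbp: int = 1000  # the article's figure for the demonstrated payment

    def charge(self, response: Optional[dict], amount_gbp: int) -> bool:
        if response is None or amount_gbp > self.limit_gbp:
            return False
        if response["user_verified"]:
            return True
        # Assumed rule that mirrors the article's finding: an unverified
        # transit-mode response is accepted for Visa and rejected for other
        # networks. The real cause lies in network-specific protocol details
        # the article does not cover.
        return response["mode"] == "transit" and response["network"] == "Visa"


def relay_attack(wallet: Wallet, terminal: Terminal, amount_gbp: int) -> bool:
    """Rogue reader near the victim, relay over the attacker's phone to a real terminal."""
    probe = {"reader": "transit_gate"}             # forged; nothing authenticates it
    response = wallet.respond(probe)               # captured by the rogue reader
    return terminal.charge(response, amount_gbp)   # forwarded to the terminal


def scenarios() -> dict:
    """Outcome of the relay for each Express Transit setting discussed in the article."""
    cards = {"visa_debit": "Visa", "mc_credit": "Mastercard"}  # constructed sample wallet
    terminal = Terminal()
    results = {}
    for label, express in [("visa_express", "visa_debit"),
                           ("mastercard_express", "mc_credit"),
                           ("express_none", None)]:
        victim = Wallet(cards=cards, default_card="visa_debit",
                        express_transit_card=express)  # locked, in a pocket
        results[label] = relay_attack(victim, terminal, 1000)
    # Legitimate tap with Express Transit off: the user unlocks first and pays as usual.
    legit = Wallet(cards=cards, default_card="visa_debit",
                   express_transit_card=None, unlocked=True)
    results["unlocked_tap_express_none"] = terminal.charge(
        legit.respond({"reader": "payment_terminal"}), 1000)
    return results


if __name__ == "__main__":
    for name, charged in scenarios().items():
        print(f"{name:28s} charged={charged}")
```

Running it shows the relay succeeding only in the first scenario (a Visa card set as the Express Transit card on a locked phone) and failing once the card is switched to another network or the setting is ‘None’, while an unlocked tap with Face ID or Touch ID still pays normally.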