Apple Pay in Transit Mode


Apple devices that have Apple Pay or Apple Wallet, such as iPhones, also have a so-called “Express Transit” or “Transit” mode of this digital wallet. In this mode, the device can make contactless payments through a locked screen, without user identification such as fingerprint or FaceID (which contactless payments otherwise require). This mode is used when the Apple device transacts with a contactless-payment reader that is registered to a transport-related merchant, e.g., a train/bus company. The idea is that, when passing through train/underground/metro barriers, payers need to act quickly and so, for convenience, pay without unlocking the device or authenticating inside the Apple Wallet. Of course, it is the duty of the digital wallets’ and cards’ providers (e.g., Apple, Google, Visa, Mastercard) to make sure that such payments in Transit mode remain secure. Apple has created its own way of attempting to detect Transit mode.

The essence.


In 2022, we showed that the Apple lock-screen can be bypassed for any iPhone with a Visa card set up in Transit mode. The restrictions around the so-called "contactless limit" (e.g., GBP 100 in the UK, in 2023), above which payer authentication is required, can also be bypassed, allowing unlimited contactless payments from a locked iPhone, without payer identification.

Skill.


This is an easy-to-mount attack that a script kiddie could carry out. An attacker only needs a powered-on iPhone, which can be on its owner or even inside someone's bag, without the owner's knowledge. The attacker needs no assistance from the merchant, and back-end fraud-detection checks have not stopped any of our test payments.

Reasons.


This attack is made possible by a combination of flaws in both Apple Pay and Visa’s system. It does not, for instance, affect Mastercard on Apple Pay, or Visa on Samsung Pay.

Methodology.


Our work includes a practical side and the code is available [here](https://gitlab.com/relays/). It also includes formal/mathematical modelling (see [here](https://gitlab.com/practical_emv/tamarin-models)); this shows that either Apple or Visa could mitigate this attack on their own.

Disclosure.


We informed both Apple and Visa months in advance of publishing, but neither has fixed its system, and the vulnerability remains live in 2024.

Recommendation.


We recommend that all iPhone users check that they do not have a Visa card set up in Transit mode and, if they do, disable it.

Further reading.


More can be read in ["Practical EMV Relay Protection"](https://ieeexplore.ieee.org/abstract/document/9833642) by Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, published at the 2022 IEEE Symposium on Security and Privacy (SP).