How Secure Is Tap To Pay?
By Veritasium
Key Concepts
- Man-in-the-Middle (MitM) Attack: A cyberattack where the perpetrator secretly intercepts and relays messages between two parties who believe they are communicating directly.
- NFC (Near Field Communication): The short-range wireless technology used for contactless payments.
- Express Transit Mode: An Apple feature allowing transit payments without unlocking the device or using FaceID/TouchID.
- Proxmark: A specialized hardware device used for RFID/NFC research, capable of cloning and manipulating wireless signals.
- Symmetric vs. Asymmetric Cryptography: Symmetric uses the same key for encryption/decryption; Asymmetric uses a public/private key pair for enhanced security.
- Visa/Mastercard Protocol Differences: The core vulnerability relies on how Visa handles transaction verification compared to Mastercard’s more stringent requirements.
1. The Vulnerability: Bypassing Security
The video demonstrates a sophisticated "Man-in-the-Middle" attack that allows an attacker to drain funds from a locked iPhone. By placing a locked iPhone on a malicious NFC reader, the attackers can bypass the need for biometric authentication (FaceID/TouchID) and extract large sums of money.
The Three-Step "Lie" Framework: To successfully execute the theft, the attackers must manipulate three specific data points in the NFC communication:
- The Transit Lie: Using a Proxmark to broadcast a signal that mimics a transit terminal, the attacker tricks the iPhone into entering "Express Transit Mode," which bypasses the lock screen.
- The Value Lie: The attacker intercepts the transaction data and flips a single bit from "High Value" to "Low Value." This prevents the phone from triggering a request for a PIN or biometric verification, even for large amounts like $10,000.
- The Verification Lie: The attacker intercepts the phone's response to the reader and flips a bit to falsely signal that the transaction was verified by the user, tricking the payment terminal into approving the charge.
2. Technical Requirements for the Hack
The attack is not universal; it requires a specific combination of hardware and software:
- Device: Must be an iPhone. Android devices (specifically Samsung) are noted to be immune because they check the actual numerical value of a transaction rather than relying on a "Low Value" label from the reader.
- Card Network: Must be a Visa card. Mastercard is immune because it mandates asymmetric cryptography (digital signatures) for all transactions. This signature process would detect that the transaction data was tampered with, causing the reader to reject the payment. Visa, however, does not always require this signature check when the reader is online.
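The two checks this section credits with stopping the attack (Samsung deciding from the real amount rather than a reader-supplied label, and Mastercard authenticating the transaction data so a flipped verification bit is caught) can be shown in a small model. The Python below is an added example written for this summary, not code from the video, Apple, Visa or Mastercard, and it is not the EMV protocol: the field names, the no-CVM limit and the key are constructed, and an HMAC over the transaction fields stands in for the digital signature the page describes, since both are keyed integrity checks that fail when any covered field is altered in transit.

```python
"""Toy model (added example): why deciding on the real amount and
authenticating the transaction data defeats the 'value lie' and the
'verification lie'. Not the real EMV/contactless protocol."""
import hashlib
import hmac
import json

# Constructed: assumed no-CVM ceiling for the model, not a real network limit.
CVM_LIMIT_CENTS = 5_000

# Constructed: key shared by device and verifier in this model only.
DEVICE_KEY = b"constructed-device-key-not-real"


def cvm_required_from_reader_flag(reader_flags: dict) -> bool:
    """Weak policy: trust a 'low value' label supplied by the reader.
    A reader under attacker control can simply assert low_value=True."""
    return not reader_flags.get("low_value", False)


def cvm_required_from_amount(amount_cents: int, limit: int = CVM_LIMIT_CENTS) -> bool:
    """Robust policy: derive the decision from the amount itself, which is
    what the page says Samsung devices do."""
    return amount_cents > limit


def canonical(tx: dict) -> bytes:
    """Stable byte encoding so device and verifier hash identical data."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def authenticate(key: bytes, tx: dict) -> str:
    """Device side: keyed tag over every field the terminal will act on
    (amount and whether cardholder verification actually happened)."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify(key: bytes, tx: dict, tag: str) -> bool:
    """Terminal/issuer side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(authenticate(key, tx), tag)


def terminal_decision(key: bytes, tx: dict, tag: str) -> str:
    """Approve only if the data is authentic AND the CVM rule, evaluated on
    the real amount, is satisfied."""
    if not verify(key, tx, tag):
        return "decline: transaction data failed authentication"
    if cvm_required_from_amount(tx["amount_cents"]) and not tx["cvm_performed"]:
        return "decline: cardholder verification required"
    return "approve"


def demo() -> dict:
    """Three constructed transactions run through the verifier."""
    # Honest large transaction: device did not perform FaceID/TouchID.
    large = {"amount_cents": 1_000_000, "cvm_performed": False, "currency": "USD"}
    large_tag = authenticate(DEVICE_KEY, large)

    # What the verifier sees if the cvm_performed field is altered in
    # transit: the tag no longer matches, so it is rejected before the
    # CVM rule is even consulted.
    relayed = dict(large, cvm_performed=True)

    # Honest small transit fare: under the limit, approved without CVM.
    fare = {"amount_cents": 275, "cvm_performed": False, "currency": "USD"}
    fare_tag = authenticate(DEVICE_KEY, fare)

    return {
        "honest_large": terminal_decision(DEVICE_KEY, large, large_tag),
        "tampered": terminal_decision(DEVICE_KEY, relayed, large_tag),
        "transit_fare": terminal_decision(DEVICE_KEY, fare, fare_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast between `cvm_required_from_reader_flag` and `cvm_required_from_amount` is the whole of the Samsung point: a label the other side of the radio link chooses is not evidence of anything, while the amount the device is about to authorize is already in its hands. The `verify` step is the Mastercard point: once the amount and the verification result are covered by a keyed tag, changing either one on the wire produces a mismatch, and the terminal declines instead of approving.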
3. Real-World Implications and Perspectives
- The "Controlled Setting" Argument: Visa and Apple maintain that this vulnerability is highly unlikely to occur in the real world due to the complexity of the setup and the requirement for the victim to be in close proximity to the attacker's equipment.
- Zero Liability Policy: Visa emphasizes that consumers are protected by their "zero liability" policy, meaning fraudulent charges can be disputed and refunded.
- The "Aviation" Analogy: The presenter argues that while the risk is statistically low (similar to plane crashes), the industry should strive for total elimination of the vulnerability rather than relying on post-incident refunds, which cause significant consumer stress.
4. Notable Quotes
- "The only limit is how much someone has in their bank account." — Regarding the potential financial damage of the exploit.
- "We've tricked the phone into thinking it's interacting with the transit reader... the reader doesn't check [the signature] because in reality, the reader is online." — Explaining the failure of the security protocol.
- "Airlines don't accept a small number of crashes each year as an inevitable cost of doing business... should we expect better?" — Challenging the industry's passive stance on the vulnerability.
5. Synthesis and Conclusion
The demonstration highlights a critical intersection of convenience and security. By leveraging the "Express Transit" feature—designed to speed up subway commutes—attackers can exploit unencrypted NFC communication to bypass standard payment protections. While the attack requires specific hardware and a Visa/iPhone combination, it exposes a fundamental flaw in how transaction data is verified. The main takeaway is that while financial institutions offer refunds, the underlying technical vulnerability remains unpatched, leaving users reliant on the hope that such sophisticated attacks remain rare. Users are advised to disable "Express Transit" mode if they are concerned about this specific risk.