Proxmark3 enables $10k Apple Pay exploit

// 2h agoSECURITY INCIDENT

Proxmark3 enables $10k Apple Pay exploit

A recent demonstration reveals how the Proxmark3 RFID research tool can be used to execute a sophisticated man-in-the-middle relay attack on Apple Pay. By spoofing "Express Transit" signals, attackers can trick locked iPhones into authorizing high-value transactions—up to $10,000—without user biometrics or passcodes, specifically targeting vulnerabilities in the Visa payment protocol.

// ANALYSIS

This exploit isn't just a bug; it's a structural failure where the desire for seamless transit UX has trumped fundamental security handshake protocols.

–The attack relies on "bit-flipping" the Card Transaction Qualifiers (CTQ) header to misidentify a retail terminal as a low-value transit gate.
–While Mastercard utilizes asymmetric RSA cryptography to verify headers, Visa's protocol lacks this safeguard in certain offline-capable environments.
–Proxmark3 serves as the essential hardware bridge, acting as a programmable NFC relay between the target phone and a rogue terminal emulator.
–Apple and Visa have both deflected responsibility, citing "industrial legacy" and "zero liability" rather than overhauling the global transit infrastructure.
–Developers should view this as a cautionary tale on the risks of allowing "trusted" shortcuts that bypass multi-factor authentication.

// TAGS

proxmark3apple-paysecuritynfcrfidexploitopen-sourcedevtool

DISCOVERED

2h ago

2026-05-13

PUBLISHED

2h ago

2026-05-13

RELEVANCE

7/ 10

AUTHOR

Better Stack

// KEEP READING

More AI developer news from the feed

EXPLORE FULL FEED

VIDEO2h ago

Claude Code automates repo-wide engineering tasks

Anthropic’s agentic CLI tool enables autonomous codebase research, multi-file refactoring, and test execution directly from the terminal. It represents a shift from passive autocomplete toward proactive "second brain" agents capable of handling complex engineering workflows.

OPEN SOURCE2h ago

Claudesidian turns Obsidian vaults into AI thinking partners

Claudesidian is an open-source framework that integrates Anthropic's Claude Code with Obsidian to transform static notes into an interactive knowledge base. By treating a vault as a codebase, it enables AI-driven research, automated organization via PARA, and Socratic-style thinking workflows.

SECURITY2h ago

Apple Pay Express Transit flaw enables $10k theft

A critical vulnerability in Apple Pay’s Express Transit mode for Visa cards allows attackers to bypass lock screens and authorize high-value transactions. Despite a high-profile demonstration by Veritasium and a recent May 2026 security patch, Apple and Visa have yet to issue a fix.