🤖 AI Summary
Overview
This episode explores the vulnerabilities of Tap to Pay systems, demonstrating how a sophisticated hack can bypass security measures to steal money from locked iPhones. Using a combination of cybersecurity techniques, the team reveals how Express Transit Mode and Visa's verification process create a loophole that allows unauthorized high-value transactions.
Notable Quotes
- I never unlock my phone. I never put in a password. I never did what I would normally do to verify a transaction on my phone. It just happened to be on top of that.
  - Marques Brownlee, on the unsettling ease of the hack.
- Imagine waking up to see $10,000 gone from your account. Even if the refund does come, the stress before is gonna be very real.
  - Henry van Dyck, on the real-world implications of this vulnerability.
- You can stop it by turning transit mode off—or not have a Visa card in transit mode on an Apple.
  - Professor Ioana Boureanu, offering a practical solution to prevent the hack.
🪄 Demonstrating the Hack
- Henry van Dyck and Marques Brownlee test whether $10,000 can be stolen from a locked iPhone using Tap to Pay.
- The hack exploits Express Transit Mode, allowing transactions without unlocking the phone.
- A man-in-the-middle attack intercepts and modifies transaction data to bypass security layers.
🔐 How the Hack Works
- The hack uses a Proxmark NFC device to mimic a transit terminal, tricking the phone into initiating payments.
- Three lies are told to bypass security:
  - Fooling the phone into thinking it’s interacting with a transit terminal.
  - Labeling high-value transactions as low-value to avoid customer verification.
  - Convincing the reader that customer verification has occurred.
- Visa’s lack of asymmetric cryptography checks in certain scenarios enables the hack.
🚇 The Role of Express Transit Mode
- Apple’s Express Transit Mode allows payments without unlocking the phone for convenience in public transit.
- Hackers abuse this feature by mimicking transit terminals to initiate unauthorized transactions.
- The vulnerability is specific to iPhones with Visa cards in transit mode.
💳 Visa’s Security Loophole
- Unlike Mastercard, Visa doesn’t always require asymmetric cryptography between the card and reader, leaving transaction data vulnerable to tampering.
- Visa argues the hack is unlikely to scale in real-world scenarios and emphasizes its zero liability policy for cardholders.
- Critics, including Henry van Dyck, question why Visa hasn’t implemented technical changes to eliminate the vulnerability entirely.
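Why signature coverage matters, as an added example that is not from the video or the researchers: a toy model in which a simulated card signs selected transaction fields with textbook RSA and the reader compares them with its own view. The field names, the key and the tampered values are constructed for illustration and do not reflect the real EMV, Visa or Mastercard message formats.

```python
import hashlib

# Toy textbook-RSA key for a simulated card. Constructed for illustration:
# two Mersenne primes, no padding, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the card


def digest(fields):
    """Hash a canonical encoding of the fields into an integer below N."""
    blob = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def card_sign(seen_by_card, covered):
    """Card signs only the fields named in `covered`, with the values it saw."""
    signed = {k: seen_by_card[k] for k in covered}
    return {"signed": signed, "sig": pow(digest(signed), D, N)}


def reader_accepts(seen_by_reader, response):
    """Reader verifies the signature, then compares signed fields to its own view."""
    signed = response["signed"]
    if pow(response["sig"], E, N) != digest(signed):
        return False  # signed data was altered after the card produced it
    return all(seen_by_reader.get(k) == v for k, v in signed.items())


def run(covered, tamper_request=True, tamper_response=False):
    """One exchange; an intermediary may alter fields in either direction."""
    reader_view = {"amount": 10000, "terminal_type": "retail"}
    card_view = dict(reader_view)
    if tamper_request:  # constructed values: the card is shown a different request
        card_view.update(amount=5, terminal_type="transit")
    response = card_sign(card_view, covered)
    if tamper_response and "amount" in response["signed"]:
        response["signed"]["amount"] = reader_view["amount"]  # no re-signing
    return reader_accepts(reader_view, response)


if __name__ == "__main__":
    print("nothing covered, tampered:", run([]))
    print("fields covered, tampered: ", run(["amount", "terminal_type"]))
    print("fields covered, honest:   ", run(["amount", "terminal_type"], False))
```

The tampered exchange is accepted only when no field is under the signature; once the amount and terminal type are covered, the same change fails the reader's check.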
🛡️ Preventing the Hack
- Practical advice includes disabling Express Transit Mode or avoiding Visa cards in transit mode on iPhones.
- Apple and Visa have been aware of the vulnerability since 2021 but have not made significant changes to address it.
- The episode highlights the importance of proactive security measures over reactive refund policies.
📋 Video Description
How we hacked MKBHD!
▀▀▀
0:00 Stealing $10,000 From MKBHD
4:04 How The Hack Works
8:29 High Value vs Low Value Transactions
10:18 Tricking The Card Reader
14:20 Transit Mode
15:22 Why does this hack only work with Visa?
17:10 How does RSA encryption work?
20:13 How can you prevent this hack?
21:59 What are Visa doing about it?
▀▀▀
A huge thank you to professors Ioana Boureanu from the University of Surrey and Tom Chothia from the University of Birmingham, for supporting us with the execution and the explanation of the hack. This video would not have been possible without their support. A big thanks, too, to the University of Surrey for hosting us.
And a shout out to Dr Andreea-Ina Radu who, as a researcher at the University of Birmingham on the “TimeTrust project” (2019-2023), actually went to the London Underground to collect the initial data that made this hack possible in the first place!
And a massive thank you to @mkbhd and his team for agreeing to be our victim for this hack, and for being such a good sport!
▀▀▀
References: https://ve42.co/MKBHDHackRefs
▀▀▀
Special thanks to our Patreon supporters: Adam Foreman, Albert Wenger, Alex Porter, Alexander Tamas, André Powell, Anton Ragin, armedtoe, Bertrand Serlet, Blake Byers, Bruce, Cartier, Charles Ian Norman Venn, Chris Brewer, Daniel Martins, Data Don, Dave Kircher, David Johnston, David Tseng, EJ Alexandra, Evgeny Skvortsov, Garrett Mueller, Gnare, gpoly, Hayden Christensen, Hong Thai Le, Ibby Hadeed, Jeromy Johnson, Jesse Brandsoy, Juan Benet, Kelcey Steele, KeyWestr, Kyi, Lee Redden, Marinus Kuivenhoven, Mark Heising, Martin Paull, Meekay, meg noah, Michael Krugman, Moebiusol - Cristian, Orlando Bassotto, Parsee Health, Paul Peijzel, Richard Sundvall, Robson, Sam Lutfi, Shalva Bukia, Sinan Taifour, Tj Steyn, Ubiquity Ventures, Vahe Andonians, William Yoon, wolfee
▀▀▀
Writers: James Moore, Henry van Dyck & Gregor Čavlović
Producer & Director: James Moore
Presenter: Henry van Dyck
Editor: Peter Nelson
Animators: Emma Wright, Domonkos Józsa, Fabio Albertelli & Andrew Neet
Assistant Editor and Sound Designer: James Stuart
Researchers: Aakash Singh Bagga & Sophia Rose
Camera Operators: Andrew Abballe, Henry van Dyck & Andy Perez
Thumbnail Designers: Abdallah Rabah, Ren Hurley & Ben Powell
Production Team: Jess Bishop-Laggett, Matthew Cavanagh, Anna Milkovic & Sulli Yost
Executive Producers: Derek Muller, Gregor Čavlović & Casper Mebius
Additional video/photos supplied by Getty Images & Storyblocks
Music from Epidemic Sound