It turns out that granting Timur Yunosov control of my iPhone was not the best decision. He is a Russian cybersecurity researcher who specializes in exploiting payment processor vulnerabilities. Yunosov tapped the locked device onto the terminal to drain my already empty bank account in minutes, taking it into an overdraft.
Soon after Yunosov showed off the hacks, he returned the money. The demonstrations exposed long-known, still unsolved vulnerabilities in Apple Pay's transport feature, which lets people pay for transit services such as the London Underground or the New York subway with only a quick tap of a locked phone.
With a stolen Samsung phone that has the tap-and-go feature enabled, he could take the device home and drain its funds without ever unlocking it. That approach differs from his Apple hack, which could work in a retail store using a 'man-in-the-middle' device, but it still poses a threat to anyone who loses a Samsung device to a technically inclined crook.
There are a few obvious caveats. The hacks can only be performed if the attacker has physical access to the phone. According to Yunosov, MasterCard and Google have taken some steps to address the problem, but the hacks only work in places where Visa cards are the default for mobile payments. The threat is real and will continue to grow, Yunosov said. To protect yourself, turn off the transport feature.