Apple Pay for the iPhone and Apple Watch has a feature called Express Transit which lets riders on metro systems quickly pay at ticket barriers without the need to unlock their phone. The idea is that as you’re whisking through the barrier you can quickly tap your phone on an NFC-enabled turnstile and go on your way, without finicking with Face ID. Some major U.S. cities including New York have begun deploying these newer turnstiles.
Express Transit is only supposed to work at ticket barriers, but researchers have claimed they found a way it can be exploited to make payments anywhere, theoretically allowing someone in possession of a stolen iPhone to use any credit cards stored on the device.
Visa has come out and refuted the claim, telling TechRadar in a statement that the attack cannot easily be replicated outside of a research lab because it’s so impractical. "Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence," Visa told TechRadar Pro.
Complicated — Based on a description of the hack, Visa is probably right. The exploit requires a small piece of radio equipment, which is placed near the iPhone to trick it into believing it is dealing with a ticket barrier. At the same time, an Android phone running a custom app is used to relay signals from the iPhone to any contactless payment terminal. Since the iPhone thinks it’s paying a ticket barrier, it will do so while remaining locked. The Android app modifies the iPhone’s communication with the payment terminal, making it believe the iPhone has been unlocked and authorized for payments.
So yes, it’s certainly possible to pay with an iPhone that’s still locked. How likely of a scenario this is to actually occur is another question entirely. Maybe if you’re a very wealthy person, and someone manages to swipe your device? But you can quickly cancel your cards. The barriers here seem to make it not worth the effort. It’s a neat trick at least?