Researchers Stole $10,000 from MKBHD via Apple Pay.
$10,000 Apple Pay Heist: Researchers Exploit "Express Mode" Vulnerability to Rob MKBHD
In a chilling demonstration featured on the popular documentary channel Veritasium, researchers from the University of Surrey and the University of Birmingham successfully siphoned $10,000 from tech YouTuber MKBHD (Marques Brownlee). The most alarming part? The transaction was authorized while the iPhone remained locked, without any biometric confirmation or user interaction.
The Vulnerability: A Man-In-The-Middle (MITM) Flaw
The attack exploits Apple Pay "Express Mode," a feature designed for convenience in public transit that allows small payments without unlocking the phone. The researchers identified a critical lack of verification in the communication between the iPhone and the card reader:
Flag Manipulation: Apple Pay does not independently verify the transaction amount. Instead, it relies on a "flag" from the reader. Researchers intercepted this communication, tricking the iPhone into believing a $10,000 request was a low-value transit payment.
The Visa Loophole: Unlike Mastercard, which requires a digital signature for every transaction, Visa’s protocol allows online card readers to skip signature verification if the system is connected to the internet. This "trust-based" approach allowed the researchers to modify the message data mid-transit without being detected by the security protocols.
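To make the verification gap concrete, here is an added example that is not part of the original article and does not reproduce Apple Pay's, EMV's or Visa's actual message formats. It is a constructed Python model of locked-device authorization: the flawed path accepts whatever "transit" flag the reader supplies, while the hardened path treats that flag as untrusted and enforces the device's own per-card policy and amount cap (the `Transaction` class, `EXPRESS_LIMIT_CENTS`, `DEFAULT_POLICY` and `find_flag_abuse` are all assumptions made for this example). The policy also mirrors the article's advice of keeping Express Mode enabled only for a transit card.

```python
"""Toy model of locked-device ("Express Mode"-style) payment authorization.

Constructed for illustration only; it models the decision logic the article
describes, not the real Apple Pay, EMV or Visa protocols.
"""
from dataclasses import dataclass

# Hypothetical cap for payments made while the device is locked, in cents.
EXPRESS_LIMIT_CENTS = 500

@dataclass(frozen=True)
class Transaction:
    card_id: str               # wallet card the reader selected
    amount_cents: int          # amount the reader is actually requesting
    reader_says_transit: bool  # flag supplied by the reader (untrusted input)
    device_unlocked: bool      # True if the user authenticated (biometric/passcode)

# Per-card policy (assumed): Express Mode stays on only for the transit card.
DEFAULT_POLICY = {
    "transit-card": {"express_enabled": True},
    "credit-card": {"express_enabled": False},
}

def authorize_trusting_reader(tx: Transaction) -> bool:
    """Flawed logic: a locked device accepts the reader's claim at face value."""
    if tx.device_unlocked:
        return True
    return tx.reader_says_transit

def authorize_with_device_check(tx: Transaction, policy=DEFAULT_POLICY,
                                limit: int = EXPRESS_LIMIT_CENTS) -> bool:
    """Hardened logic: the device enforces its own policy and amount cap."""
    if tx.device_unlocked:
        return True
    card = policy.get(tx.card_id)
    if card is None or not card["express_enabled"]:
        return False  # Express Mode is off for this card: an unlock is required
    if not tx.reader_says_transit:
        return False  # only transit-style requests may proceed while locked
    return tx.amount_cents <= limit  # cap is enforced regardless of the flag

def find_flag_abuse(transactions, policy=DEFAULT_POLICY,
                    limit: int = EXPRESS_LIMIT_CENTS):
    """Return transactions the flawed path accepts but the hardened path rejects.

    Run over a transaction log, this isolates the pattern the article describes:
    a large amount riding on a reader-supplied "low-value transit" flag.
    """
    return [tx for tx in transactions
            if authorize_trusting_reader(tx)
            and not authorize_with_device_check(tx, policy, limit)]

# Constructed sample log: a normal fare, the $10,000 request from the article
# presented as transit, the same request aimed at the transit card, and an
# ordinary unlocked purchase.
SAMPLE_LOG = [
    Transaction("transit-card", 250, True, False),
    Transaction("credit-card", 1_000_000, True, False),
    Transaction("transit-card", 1_000_000, True, False),
    Transaction("credit-card", 1_000_000, False, True),
]

if __name__ == "__main__":
    for tx in SAMPLE_LOG:
        print(tx.card_id, tx.amount_cents,
              "flag-trusting:", authorize_trusting_reader(tx),
              "device-checked:", authorize_with_device_check(tx))
    print("flag abuse candidates:", len(find_flag_abuse(SAMPLE_LOG)))
```

The point of the two functions is where the amount limit lives: in the flawed path the only thing standing between a locked phone and a large charge is a bit the reader controls, while in the hardened path the cap and the per-card enablement are decided by the device and cannot be overridden by the reader's message.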
Corporate Response: "Low Risk" vs. Consumer Safety
Although the researchers alerted both Apple and Visa as early as 2021, a permanent fix has yet to be implemented.
Apple deferred to Visa’s "Zero Liability" policy, which protects customers from unauthorized charges.
Visa’s Senior VP, Michael Jabbara, downplayed the threat, stating that such sophisticated attacks are difficult to scale globally and that fraud protection measures are already in place to refund affected users.
The Industry Dilemma: Compatibility over Security
This incident highlights a systemic issue in the banking industry. Financial institutions often prioritize backward compatibility with millions of legacy card readers over airtight security. For example, the phase-out of magnetic stripe technology has taken decades and is not expected to be complete until 2033. Currently, the industry tends to rely on liability policies (deciding who pays for the loss) rather than enforcing newer, more secure technologies that close vulnerabilities permanently.
The Express Mode feature is designed for a "frictionless experience," a core principle of Apple products. However, in terms of security, "friction is your friend." This incident shows that the more user-friendly a technology is, the deeper its vulnerabilities may lie.
While Visa has policies to protect cardholders, the dispute process is often time-consuming and complicated for users. In MKBHD's case, $10,000 might not have a significant impact, but for the average user, the temporary loss of that amount could have life-threatening consequences.
Even though Visa claims the attack is difficult to implement on a large scale, remember that attackers can use AI-driven automation to scan and intercept signals more quickly. If attackers place small devices at crowded public payment points, the damage could be immense before it's detected.
If you're concerned about this vulnerability, the simplest way to protect yourself is to disable Express Mode for credit/debit cards in Apple Wallet and only use it for transit cards with limited spending limits, or set up minimum spending alerts to notify you immediately when money is being withdrawn from your account.