Apple Pay Express Transit Mode Hack: $10K NFC Exploit

Name: Can you steal $10,000 from a locked iPhone?
Uploaded: 2026-04-15T16:40:38+00:00
Duration: 26 min 14 s
Channel: Veritasium
Description: Summary and key takeaways on Can you steal $10,000 from a locked iPhone?: Summary & Key Takeaways, covering The Live Demonstration During a podcast recording

Veritasium

Apr 15, 2026

•

26 min video

•

2 min read

YouTube video ID: PPJ6NJkmDAo

Source: YouTube video by Veritasium — Watch original video

PDF

During a podcast recording, host Henry watches Marques Brownlee trigger a $10,000 unauthorized purchase with a locked iPhone. The phone sits on a Proxmark NFC device that mimics a payment terminal, allowing the transaction to complete without any password, PIN, or biometric verification. The same exploit was first disclosed in 2021, yet Apple has not issued a patch.

How the Attack Works

The attacker creates a man‑in‑the‑middle chain: a Proxmark intercepts the iPhone’s NFC signal, a laptop rewrites the data, and a burner phone forwards the altered request to a retail reader. The phone believes it is communicating with a legitimate transit terminal, while the reader thinks it is talking to the phone.

The Three Lies

Express Transit Mode Trigger – The Proxmark broadcasts a specific transit terminal identifier, forcing the iPhone into Express Transit Mode and bypassing the unlock requirement.
High‑Value Bit Flip – The laptop changes a single data bit that labels the transaction as “low value,” preventing the phone from demanding a PIN or biometric check even for large amounts.
False Verification Claim – The system modifies the reader’s response to claim that customer verification was performed on the device, satisfying the terminal’s security checks.

Cryptographic Differences Between Networks

MasterCard employs asymmetric RSA signatures for each transaction, which would detect the data tampering introduced by the laptop. Visa, however, does not consistently require such signatures for online transactions, allowing the altered data to pass unchecked. The attack therefore succeeds only with Visa‑issued cards.

Industry Reaction

Apple attributes the vulnerability to Visa’s payment infrastructure, while Visa maintains that the attack is unlikely to occur in everyday use and points to zero‑liability policies that refund affected customers. Experts from the University of Surrey, including Ioana Boureanu and Tom Chothia, argue that relying on statistical fraud mitigation is insufficient; the system should be technically hardened regardless of how rare the exploit appears.

Implications for Mobile Security

The demonstration shows that a locked iPhone can be charged via a payment terminal without any user interaction, exposing a fundamental weakness in Apple Pay’s Express Transit Mode. Although fraud losses average only a few cents per $100 of transaction volume, the ability to siphon thousands of dollars in a single swipe highlights the tension between statistical risk models and the demand for absolute technical security.

Takeaways

A locked iPhone can be charged via a payment terminal without any user authentication, enabling a $10,000 unauthorized transaction.
The attack relies on a Proxmark device that tricks the phone into Express Transit Mode and flips a high‑value flag to appear as a low‑value purchase, bypassing PIN or biometric checks.
Visa’s lack of mandatory asymmetric cryptographic signatures for online transactions allows the data tampering that powers the exploit, unlike MasterCard’s RSA‑based verification.
Apple blames the vulnerability on Visa’s system, while Visa argues the scenario is unlikely and relies on zero‑liability refunds to protect customers.
Experts argue that statistical rarity does not excuse the need for technical hardening, because fraud cannot be fully eradicated.

Frequently Asked Questions

How does the Proxmark device enable the Express Transit Mode bypass?

The Proxmark broadcasts a transit terminal identifier that forces the iPhone into Express Transit Mode, which authorizes payments without requiring a PIN or biometric check. By appearing as a legitimate transit reader, it convinces the phone to complete the transaction automatically.

Why does Visa consider the attack unlikely in real‑world settings?

Visa argues that the specific combination of hardware and protocol manipulation required for the exploit is rare and that customers are protected by zero‑liability policies. It maintains that most users will not encounter the precise NFC setup needed to perform the man‑in‑the‑middle attack.

Who is Veritasium on YouTube?

Veritasium is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

How the Attack Works

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Rfid Blocking Wallet For Credit Cards Recommended

Provides a physical barrier against unauthorized NFC scanning and signal interception, helping to protect payment cards from remote skimming attempts.

Amazon →

Rfid Blocking Phone Case Sleeve

Creates a Faraday cage effect around the smartphone, preventing NFC signals from being intercepted or broadcast when the device is not in use.

Amazon →

Proxmark3 Rdv4 Nfc Research Tool

The specific hardware device used in the demonstration to intercept and manipulate NFC signals for security testing and research purposes.

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

- I'm here with MKBHD,
and we're gonna try to steal
$10,000 from his locked iPhone.
- Really hope it doesn't work.
Really hope it doesn't work.
- I'm gonna get you to put that phone down
on top of this device.
- [Marques] Okay.
- Just put it down there.
- Just put it on like a, all right.
- I feel like I'm a bit of a magician,
but I'm like-
- Yeah.
- I haven't changed anything, right?
- Okay. Yeah.
- It's still locked.
- It's locked.
- Nothing else.
- Yeah.
- This is just a regular payment terminal.
- Yeah.
- Nothing weird about that.
- Seen these.
- And we'll start with a
little, like, maybe 100.
No, maybe $5?
Let's start with something like-
- Yeah, five. Five.
- Start with five.
- That sounds great.
- Yeah. Five bucks.
Do you think that we can take,
like, will we be able to
get this out of your phone?
- I hope not, but I
kinda feel like you will.
Let's see.
- So, now I'm gonna
charge $5 on this device.
Your phone's still locked, right?
- Yep.
- I haven't done anything.
- It's like a David Blaine.
- [Henry] It's like the
nerdiest David Blaine.
- Yeah. (chuckles)
- Sweet, so.
Just try to tap. We'll go.
(phone chimes)
- What just happened on my phone?
Approved? Whoa, whoa, approved.
(coins clinking)
So, okay.
I heard something happen on my phone
while you tapped this on this.
- Yes.
We got a little receipt for you.
- Credit verified on device, $5.
So, I'm gonna check my phone.
Ah, oh, I have a new $5 charge.
And it's time stamped right now.
I don't like that at all.
So, that's concerning.
Oh, so my phone had to be on this thing?
- [Henry] Yes.
- Did it have to be on this thing?
Or like, near it, I guess?
- So the way, well, I
could explain how it works-
- Yeah.
- But maybe before that,
$5, it's not very much.
- Yeah.
- Do we want to try upping it a bit?
- I...
- I'm gonna enter a
slightly larger amount.
- Careful. Careful with that.
Careful, careful.
That's a lot of zeros. Careful with that.
Oh my God. Okay.
- Do you even think it's
possible? Firstly, $10,000.
- I mean, the credit, the limit
on the card is above that.
I don't know if Apple
Pay will let you do that.
- The question is also
are you used to spending
this amount of money
on this card, you know?
- Not from my phone.
It's like a big screen activity.
- Yeah.
- Like, $10,000 purchase,
I gotta be checking everything.
So, yeah, no. This would be unusual.
- Let's see it. Let's see if it works.
Okay, I'm gonna do it again.
- Okay.
- We're just,
all we gotta do again.
Put your phone locked.
Phone-
- On this device.
- Locked on that device.
- [Henry] Yes, exactly.
And okay, we're gonna
start the script again.
Okay.
(suspenseful music)
(phone chimes)
- [Marques] Uh-uh.
(coins clinking)
Uh-uh. No.
- No? (laughs)
- It's just green. Approved.
- Print that out. Print that.
(receipt sprinting)
That is crazy.
- Oh my God. So, so, yeah,
I'm gonna need that back.
- Yeah. (laughs)
- For sure,
I'm gonna need that back.
But also, did that just?
Yeah, wow. It worked.
- $10,000.
- All right. I believe you.
I definitely believe you.
How do we get this back?
We do like a little Venmo or like PayPal?
How do we even?
- You know,
do we give it back though?
- Reverse the transaction.
I don't even know. Do I call my company?
Yeah, that's crazy.
- Yeah, exactly.
You can keep this if you wanna-
- Yeah.
- Get it framed.
- Yeah. A receipt of the damage.
I never unlock my phone.
I never put in a password.
I never did what I would normally do
to verify a transaction on my phone.
- Yes.
- It just happened
to be on top of that.
- So, how did we do it?
Well, we teamed up with
two cybersecurity experts,
Professors Ioana Boureanu and Tom Chothia.
And we went to visit them
at the University of Surrey,
where they ran us through a
unique hack that they developed
to bypass the phone's lock
screen and then to drain funds
from inside its mobile wallet.
- Without unlocking my phone
is the real magic part.
That's crazy.
- And the craziest thing
of all is that this hack
was made public back in 2021.
So, people have known that it's possible
to take money from locked phones
in this way for five years.
So, what kind of amounts does this?
- The only limit is how much someone has
in their bank account.
(suspenseful music)
- Yet the loophole
still hasn't been fixed.
So, how does it work?
Well, whenever you use Tap to
Pay, your phone and the reader
exchange information
about the transaction.
But they send this
information through the air
by a shared magnetic field,
so we can intercept the
communication and alter it.
All we need to do is to
insert our own devices
in between the phone and the reader.
First, we tap Marques's
phone against this.
It's an NFC device called the Proxmark.
To Marques's phone,
the proxmark looks like
a typical card reader.
So, it happily sends over
its transaction data.
That proxmark then sends that
data straight to our laptop,
where we run a Python
script to modify it.
Next, the laptop sends the
data to our burner phone,
which I tap on the actual card reader.
To the reader, my phone
looks just like Marques's.
So, both Marques's phone
and the card reader
think they're talking
directly to each other,
when in fact all their communication
goes through our series of devices.
This is a classic
man-in-the-middle attack.
Now, getting in the middle
to intercept the data
is actually the easy part.
The hard part is what you
need to do to that data
to trick the phone and the reader
into authorizing the transaction.
See, to actually steal
money using this attack,
you have to get past three layers
of defense on both systems.
And to do that, we have
to tell three lies.
Two to the phone, and one to the reader.
So, the first layer of
defense is the simplest.
The phone is locked.
And in an ordinary transaction,
you have to unlock your phone to pay.
But this is no ordinary transaction.
So, you know, if you
ever go to the subway,
there's a feature that Apple's
created where you know,
when you walk through,
they don't want a bunch
of people lining up
and having to unlock their face.
And you know, maybe they're wearing a coat
and glasses and stuff.
- Oh. Express Transit Mode.
- Apple introduced express
transit mode in 2019
to let you make transit transactions
without having to unlock your phone.
The way this works is
that the payment terminals
on the subway or on the
bus broadcast a message
that identifies them
as a transit terminal.
Then, when you tap your phone to pay,
it looks for whatever card
is in the transit slot
of its mobile wallet and it
pays without needing to unlock.
This is super convenient,
but we can also abuse it.
- We found out how this worked
by going to the London Underground
with our laptops and our equipment,
and actually scanning the signals
and seeing what the gate
was saying to the phone.
And that's how we discovered
this code the gate send
which unlocked the phone.
- We used the proxmark to
broadcast that same code,
which fools Marques's phone into thinking
that it's a transit reader.
So, when we tap Marques's
phone against the proxmark,
it's now expecting to
receive another message
with the details about
the transit transaction.
Here's what that message
would typically look like
in binary code.
Each of these bits carries
important information
about the transaction.
Now, the important part of this
message for us is this bit.
An authentic transit transaction
would have a 1 right here.
This tells the phone that
the reader may be offline.
Like if it's underground on the subway.
In which case the phone would need to send
an extra layer of authentication.
So, when Marques's phone
receives the transaction request
from what it thinks is a transit reader,
it's gonna be expecting
that value to be set to 1.
But in reality, the
device sending the request
is our retail reader, and
this reader is online,
which means that that bit
is currently set to zero.
Therefore, to trick the phone
into accepting the transaction,
we intercept the message from the reader,
pass it through our computer,
and we change that 0 to a 1.
So by the time the message
gets to Marques's phone,
it looks like a transit transaction.
As this communicates through our computer,
we're convincing the phone
that it is in fact talking
to a transit terminal.
But now there's a second line
of defense we need to break.
With this first lie,
we bypassed the need to unlock the phone.
And we can now trick it
into making small
payments of a few dollars.
Kind you'd expect on the subway.
But if we suddenly went and
asked the phone for $10,000,
well, its guard would go way back up.
After all, it's pretty
unusual for a transit reader
to ask for such a large amount of money.
So, this activates a
second layer of defense.
Customer verification.
On contactless payments like this,
there are two categories of transaction.
We got high value and low value.
Any transaction that's
classified as high value
requires additional
verification from the customer.
For example, in the UK,
most banks require a pin
or a fingerprint or facial recognition
for any transaction over 100 pounds.
So, for us to get this
$10,000 payment through
without customer verification,
we need to trick the phone into thinking
that $10,000 is in fact
a low value transaction.
And that's actually surprisingly simple.
That's because to determine
whether the transaction is high value,
Marques's phone doesn't actually look
at the numerical value of $10,000.
It just looks at another
single bit of information
in the transaction data.
A 1 here means high
value and 0 means low.
The reason for this is that the boundary
between high and low value
varies from country to country.
And of course,
different countries operate
in different currencies.
So, a simple label allows the flexibility
to deal with these variations.
And it allows the limits to be changed
without the banks needing
to issue new cards.
So, all we need to do
is intercept the message from the reader,
flip that bit to a zero,
and then the phone will believe
that this transaction is low value
even though it's for $10,000.
Then, when the phone receives our request
for a $10,000 transaction,
it doesn't ask for customer verification.
It just goes ahead and
authorizes the transaction.
Now, you might be asking,
why is this data so easy to tamper with?
And we'll get to that in just a minute.
But we have one final
security check to overcome.
See, with these first two lies,
we bypassed unlocking the phone
and then tricked it into
making a high value transaction
without asking for verification.
So, the phone is fully convinced
and it's ready to make the payment.
But we still need to convince the reader
that the transaction's valid.
And this is where our third lie comes in.
When Marques's phone replies,
it says it's approved
the $10,000 transaction.
But it also says that it hasn't asked
for customer verification.
No pin, no fingerprint,
no facial recognition.
But if the reader sees this,
it'll reject the transaction
because it knows that the $10,000 payment
it originally asked for is high value.
It should therefore require
customer verification.
So, now we need to trick the reader
into thinking that the customer
has verified the payment.
So, we intercept the
response from Marques's phone
and look for the bit of information
that says customer
verification hasn't been done.
Then we change it to say that
the payment has been verified
by flipping this 0 to a 1.
Now, the reader's happy.
It forwards the information onto the bank,
and the bank authorizes the payment.
After all, it sees a
transaction that's been verified
by the customer on their device.
(upbeat lively music)
(notification beeps)
Green approved.
(coins clinking)
- That is crazy.
- Verified on device?
- Yeah, verified.
- You didn't, you didn't verify it.
- Right.
- So, why isn't all this
information encrypted?
That would make it impossible
to secretly tamper with.
Well, the way the phone
and reader communicate
has to be compatible with
thousands of different devices,
which would be impossible
to update all in one go.
So for that reason, the
information we've looked at so far
is just sent across unencrypted.
Even still, phones, readers and banks
all have checks in place to make sure
an attack like this can't happen.
And normally, it can't.
Except if you happen to use
a specific type of phone
and a specific type of card.
Because when you combine them
in this particular scenario,
they create a loophole.
So, our hack relied on a specific phone
and credit card combination.
And we also use a sophisticated method
developed by cybersecurity experts.
But hackers or scammers online,
well, they don't need to be that smart.
Often they can just buy
information to target you.
When I started working at Veritasium,
I was on a work trip to go
meet Derek for the first time.
And I got an email from
somebody was saying he was Derek
asking for my phone number.
That made a ton of sense.
I was leaving the airport.
So, I just responded by
sending my phone number.
I immediately was like,
"Wait, let me look at that."
I checked the email. Not Derek.
Of course, for the next few months
I was just getting scam
call after scam call.
That's one way they can get
you. I felt like an idiot.
But it's not just scam calls like that.
I've also had that feeling
after news of a major data breach.
I've wondered whether
me using some website
has led to my personal information
being exposed somewhere
without me even knowing about it.
But you can protect your personal info
with today's sponsor, Incogni.
See, whenever scammers purchase
your email, phone number,
and even your home
address from data brokers,
Incogni automates the
grueling process of requesting
that these data brokers
delete your information.
Okay, so I've had this since June 2025.
And since then, we've had 94
different removal requests.
And I really like how you
can track the progress
in this dashboard here.
They've estimated that that saved me
70 hours and 30 minutes of my own time
if I were to reach out
to these people myself.
And with Incogni's new
custom removal feature
in their unlimited plans,
you can point to any specific site
where your information is visible.
And then, one of their privacy agents
will take care of the rest.
So, to take your data
off the market today,
go to incogni.com/veritasium
and then use code Veritasium for 60% off.
You can click the link below
or you can scan this QR
code to claim that 60% off
and get your personal data off the market.
I wanna thank Incogni
for sponsoring this video
about taking money from Marques Brownlee.
And now, let's get back
to that thing.
So, which combination of card and phone
make this hack possible?
Firstly, the phone has to be an iPhone.
As we saw earlier, when
an iPhone is deciding
whether to ask for customer verification,
it doesn't look at the numerical
value of the transaction.
It only looks at the high
value or low value label
provided by the reader.
But other phones don't work that way.
For example, when a Samsung
phone goes into transit mode,
it doesn't rely on this low
value label from the reader.
It looks at the actual numerical
value of the transaction
and it only accepts a payment of $0.
Then it relies on the transport provider
to count up all the times
you've used the subway,
and then to send you a
bill at the end of the day.
So, if a Samsung phone
saw a transit terminal
trying to charge you
$10,000 for a single tap,
it would immediately reject it.
But it's not just Apple's transit mode
that makes this hack possible.
You've gotta have one
specific type of card
in the transit slot.
- It was truly a design
feature that was introduced
by the way you mixed Apple and Visa.
- And the reason that this
works with a Visa card,
but wouldn't, with say, a MasterCard
comes down to the different
processes they use
to verify transactions.
So, what is it about
Visa's verification process
that makes this hack possible?
In a previous video, we saw
that any card transaction
relies on a secret cryptographic key
shared by the card and the bank.
When you tap the card
or phone onto a reader,
the reader sends across
a long string of transaction details.
The card then applies its secret
key to garble that message
into a unique code for the transaction.
The card sends this to the reader,
which the reader forwards onto the bank,
along with the raw transaction details.
The bank then applies its own secret key
to the raw data as well.
And if the output matches
the one from the card,
the bank authorizes the transaction.
This is called symmetric cryptography
since the card and the bank
use the same secret key.
And this step is required
in all transactions.
No matter whether you
have a Visa, a MasterCard,
or something else.
But there's actually
another layer of security
which MasterCard uses in
all of its transactions.
But in this particular case, Visa doesn't.
This layer of security is not
between the card and the bank,
but between the card and the reader.
And it's at this step where
MasterCard thwarts our attack.
The second step relies on
asymmetric cryptography.
So-called because it
uses two different keys.
A private key for the card and
a public key for the reader.
It starts with the reader sending across
the transaction details to
the card just like before.
The card then uses its private
key to garble that message
into another long string of digits.
This is the card's digital
signature for the transaction.
The card sends this
signature back to the reader
along with the public key,
which the reader then uses
to verify that the signature
came from that specific card
for this specific transaction.
To illustrate how this works,
let's consider a simple example.
The private key and public
key both have two components.
N is a shared number.
In this case, let's say 55.
D is the card's private
number. Let's say 7.
And E is the public number. Let's say 3.
Now, when the reader sends
across the raw transaction data,
it represents it as one long number.
But for simplicity, we'll
use a much smaller one.
Let's say 2.
To sign for the transaction,
the card or the phone
raises the transaction
number, in this case 2,
to the power of its private
number, so we get 128.
And then divides this by the
shared number, 128 over 55,
which leaves a remainder of 18.
And this is the card signature, 18,
which it sends on to the reader.
Now, the reader needs to know
whether the transaction is valid.
So, it takes the card signature
and raises it to the power
of the public number.
Then, it takes the remainder
when you divide by the shared number 55.
And you get 2.
This matches the original transaction data
the reader sent to the card.
The reason this works is that
the private and public numbers
are specifically chosen
so that when combined
with the shared number,
the public key effectively
reverses the operation
of the private key.
And this allows the reader to verify
that the card signature is valid
without ever having
seen its private number.
This is based on a type of
cryptography called RSA.
In reality, the numbers
involved are much larger.
But that makes it incredibly secure
because that makes it virtually impossible
to reverse engineer
the card's private key.
And it also means that
even a one digit change
in the transaction data will
produce a different result
when the reader checks
the phone's signature,
in which case the reader
won't approve the transaction.
This is a problem because
we've modified the data.
The reader's expecting a signature
for a high value retail transaction.
But we intercepted the communication.
So the phone signature
is actually for low value
transit transaction.
This wouldn't pass the
asymmetric signature check.
But while MasterCard always requires
this asymmetric verification,
which would spot our hack, Visa doesn't.
They only require this
signature in certain situations.
Like, when the reader's offline.
For example, when you're
underground with no signal,
there's no way for the reader
to communicate with the bank
for that first layer of
symmetric cryptography.
At least not until it comes back online.
So, during our attack,
we make sure the reader
is online the whole time.
That way, it doesn't bother using
the asymmetric layer of security,
which contains the signature
that would unravel our lies.
But the funny thing is
we've tricked the phone
into thinking it's interacting
with the transit reader.
And transit transactions
are one of those times
where Visa does require
the asymmetric signature,
since the reader could be
underground on the subway,
and therefore offline.
So, the phone actually does send across
its signature to the reader,
but the reader doesn't check it.
Because in reality, the reader's online.
So, instead it just relies
on that first layer of
security with the bank,
even though if it did
check the phone signature,
it would've all the evidence
it needed to stop the hack.
(screen whooshing)
So yeah, you go.
- Makes sense
that it's that sophisticated
'cause it shouldn't be that easy,
but that still seemed way too easy.
- And Marques was not the only victim.
I thought it was only fair
that I first try it out on myself.
(phone beeping)
- Approved it.
- Woohoohoo!
- Yeah, here. You souvenir
from the UK from Tom and me.
- Oh, what a lovely receipt
for this theft. (chuckles)
And then I got another victim
with a bit of a bigger budget.
Our channel has a CFO basically,
who lives very nearby.
What we're doing is we're setting it
to be your transit card.
- Okay.
- So that means
that if you're in, London 
you have to use the tube-
- Yeah.
- It'll take money
from this card.
Something just happened.
- Yeah.
(everyone laughs)
How you feel about that?
- Oh my goodness me.
Oh my-
- [Henry] There you go.
- We were just gonna meet for a drink.
That's what, you know,
that was the agreement.
- In the real world, say you
had your phone in your pocket.
- Yeah.
- I would walk by you-
- Yeah.
- Doing this.
And Tom would have this
in the shop and pay.
- The easiest way for this
to actually be a crime
would be a stolen iPhone.
- [Henry] Sure.
- And then someone goes and
spends thousands of pounds.
- So you know, you
could buy a car with us.
- Jesus. Yeah, yeah.
Theoretically. Geez.
- Yeah.
- Wow.
- I guess from your perspective,
you've revealed all this
information publicly
and you're telling us.
We're walking through it in great detail.
How do we stop people from using this for-
Or can we stop people?
Like, whose responsibility
is it to stop this?
- Oh, whose responsibility is
it is an interesting question.
- Yeah.
- But you can stop it
by turning transit mode off.
- Or not turn it off,
but not have a Visa card
in transit mode on an Apple.
- Yes.
And you do need to be careful
because as soon as you
have a suitable card
in your Apple wallet,
Express Transit Mode is
turned on by default.
This hack was first made
public way back in 2021
after the professors had informed
Apple and Visa privately.
And to get to the bottom
of why it's still possible,
we reached out to Apple,
and they didn't agree to an interview.
But here's what they said.
"This is a concern with the Visa system,
but Visa does not believe
this kind of fraud
is likely to take place in the real world.
Visa has made it clear
that their cardholders
are protected by Visa's
zero liability policy."
This is exactly the same as their position
when the hack was first
made public back in 2021.
So, it seems like Apple
are basically saying,
"Well, this is a Visa problem."
So, we went and asked
Visa what they thought.
- I think this specific vulnerability
is likely within a controlled setting.
Very unlikely from a
scaled real world setting.
And then, kind of the last point
is from a consumer perspective,
is that in the cases
where this is successful,
they have the ability to
dispute this transaction
and get their refunds returned to them.
- I think that's fair.
You're saying it's not entirely scalable,
and then even if it does happen,
we'll give you your money back.
Like, that's a great,
that's a great stance.
I still think though, a lot of people,
and I think our audience
would really wanna hear
that you're actually making
the technical changes
to stop this from ever happening again.
- 'Cause when you think about
it from a scale perspective
and whether the network level defenses
that we have are effective in making sure
that this type of
vulnerability is isolated,
we believe it is effective.
Because if it wasn't, you
would hear a lot more data
about how this is an
issue, and it simply isn't.
The point that I'm making is
that you're never gonna be able
to completely eradicate
any specific type of fraud
'cause it's going to exist, right?
- Yes.
- What I'm saying
is that we have the right
detections in place to ensure
that this type of fraud is not endemic.
- Would it not be even better
to just say this type of
fraud is not possible.
Why not just say it's not probable?
Why not just totally get rid of it
by implementing an
actual technical change?
- If you think about for every $100
of spend that occurs on card payments.
10 cents of that is lost to fraud.
So, every $100 it's 10 cents.
If you look at in-person transactions,
which is what kind of this topic
is really much more related to.
That number goes down to 2 cents
for every $100 of fraud that's being made.
- So, I've been thinking about this hack
and it reminds me a lot about people
who are afraid of flying.
Statistically, you're a lot more likely
to crash on the drive to the airport
than you are in the air.
So, I do understand
Visa's argument generally.
Compared to other kinds of fraud,
this is just a drop in the ocean.
But airlines don't accept
a small number of crashes each year
as an inevitable cost of doing business.
No. Anytime there's a crash,
they analyze it meticulously.
And then they do everything in their power
to make sure that it's
never gonna happen again.
Visa says that they'll
get you your money back
and that's great.
But you've still gotta notice the charge,
dispute it, and then wait.
Imagine waking up to see
$10,000 gone from your account.
That's money for rent, insurance,
car payment, or a medical bill.
Even if the refund does come,
the stress before is gonna be very real.
So for me, the question
is whether just saying
they're gonna refund it after
the fact is good enough.
Or when a system touches
the lives of so many people,
should we expect better?
One last thing.
We've been nominated for two Webby Awards.
One, for our video about the
dangers of forever chemicals
and that's been nominated
for best long form video.
The other one is about American football
and we did it with Tom Brady,
and that's been nominated
for Best Creator to Creator Collaboration.
The thing is, when I checked last,
we were second place in
voting for both of them.
So if you wanna help us out,
you can go to the Webby website
and vote for us up till April 16th.
So if you do that, thank you very much.
That'll help us out a lot.
And as always, thank you for watching.
Okay, yeah. That's the whole demo.
I will now give you your money back.
- Yes.
- [Henry] Okay, we gotta.