A locked iPhone made a $10,000 payment without Face ID or passcode, shocking its famous owner.

What if I told you it’s possible to extract a staggering $10,000 Apple Pay transaction from a locked iPhone without requiring Face ID or passcode authorization? That’s what one maker of science and education videos told the highly popular YouTuber Marques Brownlee, also known as MKBHD, and then proceeded to demonstrate how, much to MKBHD’s visible shock. Here’s how it was done and how you can prevent any chance, however remote, of it happening to you.

The $10,000 Locked iPhone Apple Pay Transaction Explained

There are many ways that a cybercriminal can extract money from you by employing smartphone hacks of one kind or another, and, yes, that includes your iPhone. One example would be the recently reported SMS pumping attacks. Most involve some kind of phishing to trick you into clicking on something you shouldn’t to execute the attack, but what if you effectively activate the means to this end so no clicks are required? What if your Face ID or iPhone passcode would not protect you? What if the attack could be carried out without you even unlocking your smartphone?

That’s exactly what a content creator called Veritasium set out to demonstrate in a posting to X with the claim that “We Took $10,000 From MKBHD’s Locked iPhone.” The thing is, the linked YouTube video showed Veritasium doing just that while MKBHD looked on in shock. By placing the locked iPhone in question on a payment terminal, Veritasium was able to make a $5 transaction using Apple Pay without any further authorization. But then he asked Brownlee, “Can we try $10,000?” And, with no Face ID, no iPhone passcode requested, let alone entered, the transaction went through, just like that.

So, what’s going on here? Is it an iOS security vulnerability being exploited, or a clever hacker using a sophisticated hardware device? Well, it’s a big fat no to the first, and a little bit of yes to the second. However, at its core, the issue is that this isn’t a bug; it’s a feature. Yes, that old chestnut, but true nonetheless.

Express Transit Mode Behind iPhone Payment Issue

If you use Apple Pay for commuting, you may well have Express Transit mode activated, allowing you to pass through ticket payment terminals without unlocking your iPhone. All that Veritasium demonstrated was that by employing custom NFC hardware to effectively spoof the kind of low-value transit terminal that would be used entirely legitimately in this way, it is perfectly possible to exploit ridiculously high payment limits on some credit cards. This, and the fact that there appears to be no limit on the amount of an Express Transit charge. I mean, $10,000 is some subway ride.

Now, let’s be clear, this isn’t exactly an easy attack to pull off, as it does require a number of things to all fall into line:

The iPhone needs to have Express Transit mode activated.
The card linked to Apple Pay must have a high individual payment limit.
The iPhone must be in extremely close physical proximity to the malicious low-value transit payment terminal.

But that doesn’t mean it is impossible, of course. While I wouldn’t be too worried about being stung by such an attack method, I would advise taking the simplest route to mitigate it: Open your Wallet on the iPhone, tap the payment card, then Express Transit, then turn it off. Alternatively, head for your iPhone settings and ensure that “require Face ID for all transactions” is enabled under Wallet & Apple Pay.
A Locked iPhone Made $10,000 Apple Pay Payment—No Face ID Or Passcode
An iPhone can authorize a $10,000 Apple Pay transaction without requiring Face ID or a passcode — even while locked. Here's how to stop that.








