We opened our last issue by saying that wallets like Apple Pay and GPay are a major improvement over traditional cards, and they are. But that doesn’t make them bulletproof.
Some of the same features that make wallets so convenient also open up serious attack paths. If your phone is stolen or misconfigured, it can become a direct gateway to your money. No card skimmer required.
Let’s break down what attackers are doing right now.
Express Transit Mode: Tap, Pay... and Bypass Security
Apple Pay’s Express Transit mode was designed for speed. You tap your phone, the turnstile opens, and you’re through—no Face ID, no fingerprint, no confirmation.
That’s exactly the problem.
In Express Transit mode:
Charges are approved automatically
No biometric check is required
No alert is triggered at the time of the transaction
A thief holding your locked phone doesn't need to unlock it: a reader that presents itself as a transit terminal gets the charge approved instantly and silently, with no biometric prompt on the device.
Based on: Payment Village NFC vulnerability research
Real-World Wallet Attacks
Today’s attackers don’t care about your physical card. They:
Grab unlocked phones and drain funds within minutes
Trick users into approving payments by mimicking legit behavior
Exploit people who leave Express Transit on or use weak PINs
Recent reports include:
A phone-grabber could drain your bank account in minutes (NewMoneyReview, 2023)
Unseen Money: Keeping a phone thief out of your bank account (2025)
Even well-meaning users increase risk when they store wallet, ID, and PIN together—often on the same, easily accessible device.
See also: Keep your phone, ID and card separate
Wallet Hygiene: What You Should Do Now
If you use a mobile wallet (and you should), here’s how to use it responsibly:
Turn off Express Transit unless absolutely needed
Enable Stolen Device Protection (iPhone) or a secure lock screen (Android)
Use a strong device PIN. No 0000 or 1234
Require biometrics to access your wallet
Don’t keep wallet credentials or backup PINs in plaintext notes
These aren’t suggestions. They’re your first layer of defense.
What We’re Seeing in the Lab
Our original research showed how Express Transit logic could be exploited using NFC emulation and low-level terminal mimicry.
That same logic is now being exploited in the wild.
If your company builds mobile payment solutions or handles wallet-based transactions, these are not just consumer mistakes; they are surface area for real fraud.
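For teams on the issuer or processor side, the property that matters in the Express Transit section above is that the charge arrives with no cardholder verification (no Face ID, no fingerprint). The rules below, an added example that is not Payment Village code, hold unverified wallet charges that look nothing like a transit fare (wrong merchant category, amount above a fare ceiling) and the "drain it in minutes" burst of unverified charges on one token. The transaction fields, the transit MCC list, the fare ceiling and the velocity threshold are assumptions; the sample batch is constructed, not real data.

```python
"""Hold rules for wallet transactions that arrived with no cardholder verification.

Added example (not Payment Village code). Assumptions: the transaction record
fields, the transit MCC list, the fare ceiling and the velocity threshold are
illustrative; an issuer's real values will differ.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed transit merchant category codes (local commuter transport, passenger
# rail, bus lines). A real deployment uses the issuer's own transit list.
TRANSIT_MCCS = {"4111", "4112", "4131"}

# Assumed ceiling for one express-mode transit fare, in minor units (cents).
TRANSIT_FARE_CEILING = 2000


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: int      # minor units (cents)
    mcc: str         # merchant category code reported by the acquirer
    cvm: str         # "cdcvm" if Face ID / fingerprint was performed, "none" if not
    ts: int          # authorization time, seconds since epoch


def flag_no_cvm_transaction(txn: Txn) -> list[str]:
    """Per-transaction rules: return reasons to hold a no-CVM wallet charge."""
    reasons: list[str] = []
    if txn.cvm != "none":
        # The phone verified its owner before releasing the credential; the
        # express-mode bypass does not apply to this charge.
        return reasons
    if txn.mcc not in TRANSIT_MCCS:
        reasons.append("no CVM outside a transit merchant category")
    if txn.amount > TRANSIT_FARE_CEILING:
        reasons.append("no CVM amount above transit fare ceiling")
    return reasons


def flag_batch(txns: list[Txn], window_s: int = 300, max_no_cvm: int = 3) -> dict[str, list[str]]:
    """Per-transaction rules plus a velocity rule over no-CVM charges.

    The batch is assumed to belong to one wallet token. The velocity rule
    targets the "drain it in minutes" pattern: more than max_no_cvm
    unverified charges inside window_s seconds.
    """
    reasons = {t.txn_id: flag_no_cvm_transaction(t) for t in txns}
    no_cvm = sorted((t for t in txns if t.cvm == "none"), key=lambda t: t.ts)
    for i, t in enumerate(no_cvm):
        # Unverified charges in the trailing window that ends at this one.
        recent = [u for u in no_cvm[: i + 1] if t.ts - u.ts <= window_s]
        if len(recent) > max_no_cvm:
            reasons[t.txn_id].append(f"{len(recent)} no-CVM charges within {window_s}s")
    return reasons


# Constructed sample batch for one wallet token (not real data).
SAMPLE = [
    Txn("t1", 275, "4111", "none", 1000),    # ordinary express-mode fare
    Txn("t2", 4999, "5999", "none", 1100),   # no CVM at a non-transit merchant, large amount
    Txn("t3", 1500, "4111", "cdcvm", 1200),  # biometric performed: not a concern
    Txn("t4", 250, "4111", "none", 2000),    # burst of unverified fares...
    Txn("t5", 250, "4111", "none", 2030),
    Txn("t6", 250, "4111", "none", 2060),
    Txn("t7", 250, "4111", "none", 2090),    # ...the fourth inside five minutes trips velocity
]

if __name__ == "__main__":
    for txn_id, why in flag_batch(SAMPLE).items():
        print(txn_id, "HOLD" if why else "ok", "; ".join(why))
```

The rules assume the authorization data tells the issuer whether on-device verification (CDCVM) was performed; if your processor does not surface that field, the merchant category and amount checks still apply to any contactless wallet charge. Tune the fare ceiling and velocity window to the transit systems your cardholders actually use, otherwise a commuter with a family will generate holds.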
Support the Research
Payment Village is a nonprofit founded by hackers and researchers.
We run workshops, CTFs, and security labs at DEFCON and beyond, all independently funded.
→ Sponsor our work or forward this to someone who should read it.