Can money be taken from a locked phone using contactless payment?
Contactless payment and NFC are often described in overly simple ways. Some articles imply the technology is broadly safe because it only works at short range, while others imply that any phone with NFC enabled is an obvious target. Neither approach is particularly helpful.
The more accurate answer is that the risk depends on how contactless payments are implemented, what features are enabled, which wallet or card network is involved, and whether the device is being used for payments, transit, keys, or something else. Recent public demonstrations have shown that under specific conditions, money can be taken from a locked phone without the normal unlock step. That does not mean all phones, all cards, or all contactless payments behave the same way.
This guide explains how NFC and contactless payments normally work, what kind of attack has been demonstrated in practice, why the issue is more specific than many headlines suggest, and which settings are worth reviewing on Android and iPhone. It also explains what practical precautions can and cannot achieve, so the reader can make a sensible decision rather than relying on vague reassurance or alarmist claims.
How NFC and contactless payments normally work
Near Field Communication, usually shortened to NFC, is a short-range wireless technology used for contactless payments, transit cards, digital keys, tags, pairing, and other small exchanges of information. In simple terms, it allows one device or card to communicate with another when they are very close together.
That short range does help reduce exposure, but it is only part of the picture. The security outcome depends on the wider system around NFC, including the wallet application, the phone operating system, the card network, the payment terminal, and any special convenience features that allow faster use without full user interaction.
This matters because people often ask a broad question such as whether NFC is safe or whether it should always be turned off. In practice, the answer is more specific. A phone being able to communicate over NFC is not the same thing as every NFC use carrying the same level of risk.
Why a locked phone can sometimes still be used
Some people assume that a locked phone cannot do anything important until it is unlocked. That is not always true. Modern phones may allow limited actions while locked for convenience, speed, or safety reasons.
Apple’s own support material states that Express Mode can allow compatible cards, passes, and keys in Apple Wallet to be used without waking or unlocking the device, and without authenticating with Face ID, Touch ID, or a passcode. Apple also states that some Express Mode items may continue to work when the phone needs charging, and its platform security material describes Express Card transactions under power reserve conditions. Those behaviours are legitimate product features, not accidental side effects.
Features like this are designed to make everyday tasks more convenient. For example, they allow a transit gate or compatible access point to respond quickly without the delay of a full unlock step. However, any time a device is allowed to perform a security-relevant action while locked, the design choices behind that behaviour need to be examined carefully.
What kind of attack has been demonstrated
The most important real-world example in the material reviewed is not a generic story about “digital pickpocketing”. It is a specific payment attack chain demonstrated publicly and discussed in academic and university-linked material.
Research linked to the University of Birmingham and the University of Surrey described vulnerabilities involving Apple Pay and Visa where attackers could bypass the normal Apple Pay lock screen in certain Express Transit conditions and perform high value contactless payments. Later reporting on related research also described contactless payment loopholes that allowed fraudulent high value transactions under specific circumstances.
The practical demonstration that brought wider public attention to this issue showed a locked iPhone being used for a small payment and then a much larger payment without the normal user verification step. The broad explanation is that the attack places an attacker-controlled device between the phone and the genuine terminal, modifies some of the transaction information, and causes the phone and the reader to make incorrect assumptions about what kind of transaction is taking place.
That is why the issue should not be described simply as “NFC can be read at short range”. The more important issue is that under a specific combination of phone behaviour, Express Transit style logic, and Visa handling, the trust assumptions in the payment flow can be abused.
Why this does not mean all contactless payments are broken
Care is needed here. A specific exploit chain affecting particular conditions is not the same thing as saying that every phone, every wallet, every card, or every contactless payment terminal is broadly broken.
The reviewed material consistently suggests that implementation details matter. The public research and follow-up commentary indicate that the locked phone demonstration depends on a specific combination, especially iPhone behaviour around Express Transit and a Visa card in the relevant role. The same material also notes that the issue does not appear to behave the same way with Mastercard and does not map neatly to other phone implementations such as Samsung Pay.
Android and iPhone behaviour are not the same
Android and iPhone should not be treated as if they offer the same controls or the same user options. That is one of the main reasons so much consumer advice ends up being incomplete.
On many Android devices, NFC can be switched off directly in settings, and users can often review default wallet behaviour and other NFC services separately. On iPhone, the reviewed support and community material indicates that there is no single general switch to disable all NFC behaviour in the same way. Instead, NFC related behaviour is often managed indirectly through Wallet configuration, Express Mode choices, and certain app or feature settings.
That difference matters because advice such as “just turn NFC off when you are not using it” is practical on many Android phones but incomplete on iPhone. On iPhone, the more relevant question may be which Wallet features, Express Mode settings, or app level NFC behaviours are currently enabled.
What settings are worth reviewing
The most useful practical advice is not to panic, but to review whether the enabled features match the way the device is actually used.
If a person uses NFC only occasionally, enabling only the required function when needed is a sensible risk reduction approach. On Android, this may mean keeping NFC disabled most of the time and turning it on only for a specific task such as using a YubiKey over NFC or making a deliberate contactless payment. Where the phone allows separate wallet and service choices, it also makes sense to review which NFC related services are active.
On iPhone, where general NFC disablement is more limited, the more important review points are usually within Wallet and Express Mode. Apple states that Express Mode can be enabled for compatible cards, passes, and keys, and that some eligible items may be turned on by default. A reader who does not need Express Transit or similar fast access features should review whether those settings are necessary.
This does not mean every user should disable every convenience feature. Some people rely on transit cards, payment cards, digital keys, or workplace access passes. The point is to align the enabled features with real use, rather than leaving all possible services active by default without review.
This is also not a permanent checklist. Phone features, wallet behaviour, network rules, and platform defaults can change over time. Settings should therefore be reviewed periodically as part of a wider layered security approach.
What an RFID or NFC blocking card can and cannot do
An RFID or NFC blocking card kept in a wallet may be useful in a limited and practical sense. It may help reduce unwanted reading of physical contactless cards stored in the same wallet, depending on the wallet layout, card positioning, and how well the shielding works in practice.
However, it is important not to overstate what this kind of product achieves. A blocking card does not redesign the payment logic of a phone, does not change Wallet or Express Mode behaviour, and does not solve a protocol or trust boundary issue in a phone-based payment flow. In other words, it may be a reasonable physical precaution for contactless cards in a wallet, but it is not a complete answer to phone-based contactless risk.
That is why physical shielding and configuration review should be thought of as different layers. One may reduce some exposure for physical cards. The other helps reduce unnecessary exposure on the phone itself. Neither should be described as a guaranteed solution.
Frequently asked questions
Is NFC itself the problem?
Not on its own. NFC is only the short range communication method. The real security outcome depends on how payment apps, wallet features, device settings, card network rules, and reader behaviour are implemented.
Can all locked phones be used for contactless payments?
No. The strongest documented issue reviewed here is specific to certain conditions rather than all devices and all cards. The public research and related reporting point to a particular combination involving iPhone behaviour and Visa under Express Transit related conditions.
Should NFC always be turned off?
Not necessarily. If a person uses contactless payments, digital keys, tags, or hardware tokens regularly, always keeping NFC off may be inconvenient. A better principle is to enable what is genuinely needed and review whether unused services should remain active.
Can I fully turn NFC off on iPhone?
The reviewed material does not point to a simple universal NFC off switch on iPhone in the same way many Android devices provide one. In practice, iPhone users usually need to review Wallet cards, Express Mode settings, and certain app or feature level NFC behaviours instead.
Some third party guidance also states that newer iPhones keep NFC available by design, but the more practical point for most users is that NFC related behaviour is usually managed through features and settings rather than through one main off switch.
What is Express Mode and why does it matter?
Express Mode is an Apple Wallet feature that allows some compatible transit cards, payment cards, passes, and keys to work without waking or unlocking the device, or authenticating with Face ID, Touch ID, or a passcode. It matters because it changes the normal expectation that the phone must always be unlocked before a relevant NFC action takes place.
Does a blocking card in a wallet make phone payments safe?
No. A blocking card may help reduce unwanted reading of physical contactless cards in some cases, but it does not change phone payment logic, Wallet configuration, or Express Mode behaviour.
Is this mainly a problem in crowded public places?
Not in the simplistic way many short articles suggest. The stronger documented issue reviewed here depends on a specific attack chain and specific payment behaviour, not just a quick accidental brush past in a crowd.
Should you remove every card from a mobile wallet?
Not by default. The more reasonable approach is to review whether the wallet setup reflects real use. If a reader does not need Express Transit or does not want a particular payment card enabled in that role, that is worth reviewing. If the wallet is actively used for normal daily payments, the decision becomes a balance between convenience and exposure.
Supporting references
This page is based on a review of academic, university, platform, and practical support material relating to NFC, contactless payment behaviour, and Wallet configuration. Useful external references include the Apple support pages on Express Mode and Express Cards with power reserve, the original university linked vulnerability reporting, and the Veritasium video demonstration of the locked iPhone and Visa issue.
For anyone who wants to review the underlying platform behaviour and public reporting in more detail, the following resources are useful:
- Apple Support: Use Express Mode with transit cards, passes, and keys in Apple Wallet
- Apple Platform Security: Express Cards with power reserve
- University of Birmingham: Visa and Apple Pay vulnerabilities leaves iPhone users open to payment fraud
- Veritasium video demonstration of the locked iPhone and Visa issue
- Yubico Support: How to disable the NFC tag pop-up in iOS
Author
Elías Sánchez
IT Support Consultant
Evening Computing
London, United Kingdom
This guide was prepared by Elías Sánchez with research and drafting assistance from AI tools. All technical content has been reviewed and adapted for clarity and accuracy.
Last reviewed
17 April 2026
