The most worrisome point of vulnerability in an Apple Pay transaction, however, is the NFC transmission itself. Bestuzhev said that NFC transmissions are just like any other data transfer. “It sends and receives information which can be intercepted, he said.
This has been proven. A couple of years ago a former NSA analyst turned white hat hacker found a couple of really serious vulnerabilities in the NFC system. At the Black Hat conference, he demonstrated to a live audience how he could hijack an NFC-enabled device by simply waving a tag with an embedded NFC chip inside of it. The same kind of tag could also be used to send someone’s browser to a URL address, perhaps one that downloads malware onto the phone.
These aren’t problems specific to Apple Pay; you run the same risk with Google Wallet, Softcard, or any other mobile payment plan that relies on NFC. And while Apple has taken some steps to protect against that—including assigning unique codes to every transaction—there’s only so much you can do when the fundamental technology is vulnerable.