Express Transit works only with specific services, such as ticket gates, whose card readers send a non-standard sequence of bytes (the "Magic Bytes") that tells the iPhone to skip the Apple Pay lock-screen authentication.

In combination with a Visa card, “this feature can be leveraged to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without user authorisation.”

The researchers emulated a ticket-barrier transaction using a Proxmark device, acting as a card reader, that communicated with the target iPhone, and an Android phone with an NFC chip that communicated with a payment terminal.

[...] “The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set.”

[...] Digging deeper into the issue, the researchers discovered that they could also modify the Card Transaction Qualifiers (CTQ), which are responsible for setting contactless transaction limits.

This modification tricks the card reader into believing that the authentication step on the mobile device has been completed successfully. During the experiment, the researchers were able to make a GBP 1,000 transaction from a locked iPhone. They tested the attack successfully on an iPhone 7 and an iPhone 12.
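As an added example (not the researchers' code), the following decodes the two EMV fields named above, the Terminal Transaction Qualifiers (tag 9F66) and the Card Transaction Qualifiers (tag 9F6C), from a logged transaction and applies one issuer-side risk rule: a transaction above the contactless CVM limit whose only evidence of cardholder verification is the cleartext "Consumer Device CVM performed" bit in the CTQ is flagged for verification against device-side records. The bit layouts are the published Visa contactless kernel definitions as I recall them, and the sample hex values and the CVM limit are constructed for illustration.

```python
# Added example, not the researchers' code. Bit positions follow the published
# Visa contactless kernel definitions for TTQ (9F66) and CTQ (9F6C) as recalled
# by the editor; treat them as an assumption and check against the spec in use.

TTQ_FLAGS = {  # (byte index, bit mask) -> flag name
    (0, 0x80): "MSD supported",
    (0, 0x20): "EMV mode supported",
    (0, 0x10): "EMV contact chip supported",
    (0, 0x08): "Offline-only reader",
    (0, 0x04): "Online PIN supported",
    (0, 0x02): "Signature supported",
    (0, 0x01): "ODA for Online Authorizations supported",
    (1, 0x80): "Online cryptogram required",
    (1, 0x40): "CVM required",
    (2, 0x80): "Issuer Update Processing supported",
    (2, 0x40): "Consumer Device CVM supported",
}

CTQ_FLAGS = {
    (0, 0x80): "Online PIN required",
    (0, 0x40): "Signature required",
    (0, 0x20): "Go online if ODA fails and reader is online capable",
    (0, 0x08): "Go online if application expired",
    (1, 0x80): "Consumer Device CVM performed",
    (1, 0x40): "Card supports Issuer Update Processing at POS",
}

def decode_flags(hex_value, table, length):
    """Return the set of flag names whose bits are set in a hex-encoded field."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != length:
        raise ValueError(f"expected {length} bytes, got {len(raw)}")
    return {name for (i, mask), name in table.items() if raw[i] & mask}

def assess(ttq_hex, ctq_hex, amount_minor, cvm_limit_minor):
    """Risk findings for one logged transaction (amounts in minor units)."""
    ttq = decode_flags(ttq_hex, TTQ_FLAGS, 4)
    ctq = decode_flags(ctq_hex, CTQ_FLAGS, 2)
    findings = []
    # Informational: the TTQ combination the research relied on. It is a valid
    # terminal configuration on its own, so it is recorded, not alerted.
    if {"EMV mode supported", "ODA for Online Authorizations supported"} <= ttq:
        findings.append("info:ttq_emv_mode_and_oda_online")
    # Rule: above the CVM limit, a cleartext CDCVM claim with no other CVM is
    # the pattern the GBP 1,000 test transaction would present to an issuer.
    cvm_claimed = ctq & {"Consumer Device CVM performed",
                         "Online PIN required", "Signature required"}
    if amount_minor > cvm_limit_minor and cvm_claimed == {"Consumer Device CVM performed"}:
        findings.append("alert:high_value_relies_on_cleartext_cdcvm_flag")
    return findings
```

The rule only surfaces transactions for review; whether the device actually performed a CVM must be established from authentication records the CTQ itself cannot prove.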