Apple Pay a haven for 'rampant' credit card fraud, say experts

Lax security controls fingered

Apple and its banker pals may have inadvertently lowered the barrier to credit card fraud by adding pay-by-wave technology to iPhones, security experts fear.

Payment cards can be added to Apple Pay by photographing the card and letting the device run optical character recognition over the image to fill in the long card number, expiry date and other details. The same numbers can also be typed in manually, so physical possession of the card is not needed.

After a credit or debit card is added to an iPhone's Apple Pay, the details are encrypted and sent to the issuing bank along with information about the user's iTunes account activity, device transaction history and location, as explained on Apple's support page for Apple Pay.

Banks use these records to decide whether to approve adding the card to Apple Pay or to require further checks, typically over a follow-up phone call. The aim is to weed out people adding stolen cards to Apple Pay.

The issue is that some US banks have made this verification step easier to pass than it ought to be, asking callers to prove their identity with nothing more than the last four digits of their social security number.

Social security numbers are not particularly hard for hackers to obtain, and evidence is emerging that the whole setup makes it easier for crims to rack up fraudulent bills on Apple Pay than by traditional plastic theft.

Imagine a hacker with his or her hands on a database dump of credit card and social security numbers. Adding these to Apple Pay to spend on stuff is too easy, we're told.

Journalist Charles Arthur reports that total losses are already running into millions of dollars and are far higher than expected, with about two million Americans using the payment system.

"The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to 'provision' the victim’s card on the phone to use it to buy goods," Arthur wrote in the pages of The Guardian.

It is lax customer verification controls at banks, rather than any inherent security weakness in Apple Pay, that are creating a boon for ID fraudsters, Apple Insider notes.

Cherian Abraham, a mobile payments specialist, warns that fraud enabled by Apple Pay is "rampant", with Apple Stores among the most frequent scam targets. Criminal gangs are reportedly handing smartphones to low-ranking members who use them to commit the fraud, so it could be that crooks are using provisioned stolen cards to buy high-end iPhones with embedded payment features and then pressing those into service for further fraud.

"Tokenization, on-device secure storage and biometrics separately and together are formidable, but the soft underbelly proved to be provisioning of cards into AP [Apple Pay]," Abraham writes on the Drop Labs blog.

Payments expert Avivah Litan of analyst house Gartner independently warned that Apple Pay fraud is "running rampant."

"The bad guys are loading iPhones with stolen card-not-present card information (which is much easier to steal than card present magstripe data) and essentially turning that data into a physical card à la ApplePay," Litan writes.

"The banker speaking about this topic at the conference insightfully pointed out that this scheme was enabling the fraudsters to bridge the CNP (card not present) world with the CP (card present) world. Now they don’t have to even bother with their elaborate infiltrations of large retail chains like Target and Home Depot. They can just steal or buy cheaper CNP card data used for ecommerce transactions and load that data onto a smartphone, thereby transforming the CNP data into a counterfeit physical card used to commit more lucrative CP fraud."

Litan warns that Samsung/LoopPay and MCX/CurrentC (backed by Walmart, Best Buy and other major US retailers) are likely to face exactly the same problems in rolling out contactless payment systems as Apple Pay unless banks tighten up their controls. ®

Biting the hand that feeds IT © 1998–2022