
Apple Pay fraud issues reveal new approach

A company is only as strong as its weakest link. Apple discovered the truth of this maxim last week when details of the first major Apple Pay fraud were revealed. This was a systems failure, not a product failure, but it has revealed a new type of payment fraud: a fusion of offline and online.

Apple Pay has been lauded as the payment solution that merges offline and online commerce while also improving payment security. Well, now we know that it inadvertently offers the same opportunities to those seeking the perfect fusion of offline and online payment fraud.

Apple Pay fraud

The Apple Pay platform was not compromised by the fraudulent activities uncovered in early March – no card information was siphoned from existing Apple Pay accounts. It was the bank-side process of verifying new Apple Pay cards that let the ‘system’ down.

Cherian Abraham’s DROP LABS blog post exposed this fault line and alerted the payments world to the identity-theft fraud, which exploited poor bank-side verification of newly added Apple Pay cards.

In a payments world that has increasingly become Apple vs Android, Abraham is deemed to be in the Android camp. He is currently working with SimplyTapp, Modo Payments and Experian Decision Analytics, and has been criticised by Apple-centric websites (such as appleinsider) for revealing the identity-theft fraud. However, no matter the source of this particular breach, the dam needed to be plugged (and quickly).

Apple and its partner banks should be thanking Abraham for bringing this issue to the fore. Your opponents will target your weakest link, so exposing it now can only benefit the Apple Pay ‘system’ in the longer term.

So, what actually happened?

There was a flaw in how certain banks verified the card details of ‘new’ Apple Pay cards. Apple’s guidance gives banks four options for that verification:

1. Text message

2. Email

3. Customer service call

4. Approved third-party app

In this case it was option three, the customer service call, that proved to be the weakest link. Some banks asked callers for nothing more than the last four digits of their social security number, a static number easily available to fraudsters, and treated a correct answer as sufficient verification for the Apple Pay card.

The banks in question were simply following Apple’s own iOS security guide (page 24), which includes the following on the verification process: “A bank can decide whether a credit or debit card requires additional verification. Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification. For text messages or email, the user selects from contact information the bank has on file. A code will be sent, which the user will need to enter into Passbook. For customer service or verification using an app, the bank performs their own communication process.”

That last line is the weak link that enabled the recent identity-theft fraud: for the customer service option, verification is left entirely to the bank’s own process, so Apple Pay could only be as strong as that process, and at certain banks it proved extremely weak.
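To make the difference concrete, here is an added example (not code from Apple, Abraham or any bank) that models the issuer’s side of that “additional verification” step: a hypothetical call-centre check that accepts the last four SSN digits alone, next to a hardened check that sends a one-time code to the contact details the bank already holds, stores only a hash of the code, compares it in constant time, and limits attempts and lifetime. The customer record, phone numbers and provisioning attempts are constructed sample data; the policy function names are the example’s own.

```python
"""Two issuer-side verification policies for adding a card to a mobile wallet.
Hypothetical model for illustration; not Apple's, a bank's, or any vendor's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample issuer record. Card number and SSN last-4 are the kind of
# static data that circulates after breaches; the phone number on file is the
# one thing a remote fraudster usually does not control.
CUSTOMER = {
    "pan_last4": "4242",
    "ssn_last4": "6789",
    "phone_on_file": "+1-555-0100",
}


@dataclass
class ProvisioningAttempt:
    """What the caller presents when asking to add a card (constructed)."""
    pan_last4: str
    claimed_ssn_last4: str = ""
    # Channels the submitter can actually read. The real cardholder controls
    # the phone on file; a fraudster controls some other number.
    controlled_channels: set = field(default_factory=set)


def weak_call_centre_policy(attempt, customer=CUSTOMER):
    """Hypothetical 'customer service call' check: knowledge of SSN last-4 only.
    It is static data, so anyone holding a breach record passes."""
    return attempt.claimed_ssn_last4 == customer["ssn_last4"]


class OtpChallenge:
    """One-time code bound to a contact channel the issuer already has on file."""
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, channel, now=None):
        self.channel = channel
        self.issued_at = now if now is not None else time.time()
        code = f"{secrets.randbelow(10**6):06d}"          # 6-digit, CSPRNG
        # Store only a digest so a database leak does not expose live codes.
        self._digest = hashlib.sha256(code.encode()).digest()
        self._in_transit = code                            # what the carrier delivers
        self.attempts = 0

    def deliver_to(self, controlled_channels):
        """Simulated delivery: only whoever controls the channel can read the code."""
        return self._in_transit if self.channel in controlled_channels else None

    def verify(self, submitted, now=None):
        now = now if now is not None else time.time()
        if now - self.issued_at > self.TTL_SECONDS:
            return False                                   # expired
        if self.attempts >= self.MAX_ATTEMPTS:
            return False                                   # locked after too many guesses
        self.attempts += 1
        if not submitted:
            return False
        candidate = hashlib.sha256(submitted.encode()).digest()
        return hmac.compare_digest(candidate, self._digest)  # constant-time compare


def out_of_band_policy(attempt, customer=CUSTOMER, now=None):
    """Hardened check: a one-time code to the phone on file. SSN last-4 is
    deliberately ignored, so breach data alone is never sufficient."""
    if attempt.pan_last4 != customer["pan_last4"]:
        return False
    challenge = OtpChallenge(customer["phone_on_file"], now=now)
    code = challenge.deliver_to(attempt.controlled_channels)
    return challenge.verify(code, now=now)


if __name__ == "__main__":
    cardholder = ProvisioningAttempt("4242", "6789", {"+1-555-0100"})
    fraudster = ProvisioningAttempt("4242", "6789", {"+1-555-0199"})  # has breach data only
    for name, policy in (("weak", weak_call_centre_policy), ("out-of-band", out_of_band_policy)):
        print(f"{name:12s} cardholder={policy(cardholder)} fraudster={policy(fraudster)}")
```

The fraudster in the example holds exactly what the post describes, a stolen card number and the last four SSN digits, and the weak policy approves both callers, while the out-of-band policy approves only the caller who can read the phone on file; a guesser at the one-time code is also stopped by the attempt limit and the five-minute lifetime.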

The criminals with the compromised card details used the customer service option to easily link the stolen card information with iTunes accounts and perpetrate the recent fraudulent activity.

The key point is that Apple’s own security guidelines permitted this process. Whether the banks took a lax approach, the call centres failed, or individual customer service operators fell down on key questions is micro-blaming, and doesn’t solve the issue.

An Apple spokesperson told The Verge website that “Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”

Indeed, the Wall Street Journal reported that some of the card information used in the recent Apple Pay fraud episodes was compromised in the late-2013 Target data breach and last year’s Home Depot hack.

A new type of payment fraud emerges

But here’s the most interesting part: most of the recent fraudulent activity targeted Apple’s own retail stores. The criminals’ plan was simple: those stores accepted Apple Pay and stocked valuable high-end products (MacBook Pro Retinas, Macs, etc.) that could be bought and resold for cash.

This is the development that worries online security expert Brian Krebs: cyber thieves can now use ‘online’ identities to commit fraud in bricks-and-mortar stores.

In a subsequent blog post Krebs outlined how Apple Pay has effectively united online and POS fraud. Previously, in-store fraud required mag-stripe card data dumps and POS malware, while online fraud required stolen card numbers together with their CVVs (card verification codes). Now, with stolen card details in hand, all a fraudster needs for both attacks is an iTunes account; Apple Pay is the gateway.

Krebs adds that “there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.”

Krebs continued: “The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters.”

Chilling words from a man renowned for his work in the online security industry.

Apple Pay fraud was not such a surprise

Trumpet at the ready, and . . . blow. Allow us, for a moment, to indulge ourselves.

We penned a blog post after the launch of Apple Pay, raising concerns over the potential ease of fraud via iTunes. We had this to say at the time (October 2014):

“People should not overlook the potential for fraudulent use of stolen card numbers via Apple Pay. Let’s play Devil’s advocate.

Pre-Apple Pay, an Apple customer simply input their credit card details into iTunes and set up their account. These iTunes details are then stored by Apple, protected by a user’s Apple ID which uses their email address and password. There is also an optional second level of protection which involves setting up your iTunes account so that a four-digit password is used for every transaction. It is unclear how many iTunes users have implemented this second level protection.

With the launch of Apple Pay in the U.S. the 800 million+ existing iTunes accounts are suddenly much more attractive to potential cyber thieves. These iTunes accounts are automatically usable with Apple Pay – users just add them (by inserting their card security code) to their iPhone Passbook app. This makes sense, of course. This treasure trove of data allows Apple to instantly hurdle consumer adoption – it gives them a priceless head-start in the m-payments market.”

These concerns have come to pass. The initial clamour to herald Apple Pay as the solution to all our payment security concerns was always hype. Without a co-ordinated approach to payment security from all stakeholders (payment providers, issuers, acquirers and mobile network operators) systemic cracks will remain. And it’s within these nooks that the fraudsters thrive, capitalising on poor guidelines, a lax approach to verification, and security implementation failures.

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.
