Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details.
Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system.
The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to “provision” the victim’s card on the phone to use it to buy goods.
Criminals, uh, find a way.
“The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism.”
Banks are so lucky that crooks didn’t watch the 31c3…
Sounds more like the banks are broken in how they authenticate their cardholders’ accounts when being added to Apple Pay. Interesting how none of the articles on the web focus on that.
No, many of the articles (at least those I’ve read) actually state that, just none of them seem to put that in the headlines.
Sounds to me like typical identity theft and/or bamboozling bank staff like you said, the same thing criminals have been doing even before Apple Pay.
Yes, but having “Apple” in the headline makes more people click.
Abuse of Apple Pay: what every analyst of note predicted would happen, and Apple said could not happen.
The whole story is Apple click bait rubbish.
Thieves steal credit card details, mostly using social engineering scams and telephones, and then use Apple Pay as a way to utilise the stolen credit card information.
Note that the information was not stolen via the Apple Pay mechanism and that the Apple system itself was not compromised in these crimes. This is about thieves loading previously stolen credit data into an Apple Pay system.
During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. If banks fail to correctly verify the card data that is a weakness of the banks and not of Apple Pay.
From the WSJ article.
“Apple has gone to great lengths to secure Apple Pay. It uses a “secure element” within the latest iPhones to store the encrypted payment data separate from the rest of the phone. It uses a fingerprint reader to assure that the phone’s owner is making the purchase and issues a one-time code so merchants don’t see customers’ credit card information.
However, the weakness identified by Abraham occurs at an earlier stage, when a user is adding a credit card to Apple Pay. When a user adds a card, Apple says it sends information such as the type of phone, the last four digits of the user’s phone number and the user’s general location to the issuing bank, which decides whether to provision the card for Apple Pay.
Banks can ask for additional information if its information doesn’t match Apple’s. In those cases, a bank may ask a user to call in to answer additional security questions. Abraham says that some banks made it too easy for such customers to be approved, because they wanted to reduce the friction of adding their cards to Apple Pay. For example, he said some banks asked for the last four digits of a customer’s Social Security number, which is easy to answer if the fraudster knows that person’s credit history or personal information.”
The technologies used to compromise security in these cases were simple stuff like social engineering scams over the phone, or rifling through people’s trash, but a headline saying ‘thieves use telephone to commit fraud’ wouldn’t get anyone’s attention, would it? So a non-story – banks get fooled by con artists – turns into a click fest by the insertion of the word ‘Apple’.
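As an added example (not from the article, the quoted WSJ piece or any commenter), here is a toy issuer-side model of the provisioning decision the quoted passage describes: the signals Apple forwards are compared with the card record, and any mismatch or suspicious velocity diverts the request to step-up or decline. The class names, thresholds and sample card data are assumptions; the point it makes is that a knowledge-based step-up (last four of the SSN) passes for a fraudster holding the victim’s credit file, while a one-time code sent to the phone number already on file does not.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class CardRecord:
    """Issuer's record for a card (constructed sample data, not real)."""
    phone_last4: str
    home_state: str
    ssn_last4: str
    provisions_24h: int = 0   # wallets this card was added to in the last day

@dataclass
class ProvisionRequest:
    """Signals the quoted article says Apple forwards to the issuing bank."""
    device_type: str
    phone_last4: str
    location_state: str

def route(req: ProvisionRequest, card: CardRecord) -> str:
    """Issuer decision: 'approve', 'step_up' or 'decline' (assumed thresholds)."""
    if card.provisions_24h >= 2:            # velocity: one card, many phones
        return "decline"
    mismatch = (req.phone_last4 != card.phone_last4
                or req.location_state != card.home_state)
    return "step_up" if mismatch else "approve"

def kba_step_up(answer: str, card: CardRecord) -> bool:
    """The weak check the article describes: last four digits of the SSN."""
    return answer == card.ssn_last4

def issue_otp() -> str:
    """Code delivered out of band to the phone number already on file."""
    return f"{secrets.randbelow(10**6):06d}"

def otp_step_up(entered: str, sent: str) -> bool:
    return hmac.compare_digest(entered, sent)

def simulate(req, card, knows_ssn4: bool, holds_phone_on_file: bool) -> dict:
    """Outcome of one provisioning attempt under the KBA and the OTP policy."""
    decision = route(req, card)
    if decision != "step_up":
        return {"kba": decision, "otp": decision}
    kba_ok = kba_step_up(card.ssn_last4 if knows_ssn4 else "0000", card)
    code = issue_otp()
    otp_ok = otp_step_up(code if holds_phone_on_file else "------", code)
    return {"kba": "approve" if kba_ok else "decline",
            "otp": "approve" if otp_ok else "decline"}

# Constructed scenario: a new iPhone set up with stolen identity data.
VICTIM_CARD = CardRecord("5551", "NY", "1234")
ATTACKER_REQ = ProvisionRequest("iPhone 6", "9876", "CA")
OWNER_REQ = ProvisionRequest("iPhone 6", "5551", "NY")
```

Running `simulate(ATTACKER_REQ, VICTIM_CARD, True, False)` shows the split the commenters are arguing about: the SSN question approves the fraudster, the phone-on-file code does not.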
Man, fuck Jeff Goldblum.
Amazing, though, that the criminals can’t even scratch the surface of Chinese online payment systems; I’ve used those systems here for 6 years and never had any problem at all.
Home in the USA I had to change bank cards several times a year.
How is the Chinese system different from the European chip-and-PIN system?
Lorin,
Yeah, it’s a fairly regular problem here. It’s just pathetic that with all the crypto tech that’s been developed in the past several decades we are still resorting to static credit card numbers and even zip codes to authenticate our transactions. Apple Pay comes in using legacy magstripe emulation modes for the purpose of backwards compatibility; well, of course it’s going to get broken. Nobody should have expected otherwise.
The problem isn’t that we’re unable to develop more secure payment systems, it’s that CC technology in the US is moving with the momentum of a glacier. I wish someone would pay me to engineer a better solution; I’d have the skills to do it.
Does this mean that Apple now has all the perps’ fingerprints on file?
Apple Pay could allow trading greater security and convenience for everyday payments for better security at the account creation procedure.
Banks apparently didn’t use that opportunity and left the same old holes, just in a different place.
What’s ironic is that creating the Apple Pay account would probably secure the user against this attack vector, but articles like this will probably have the reverse effect.