Fraud , Mobility , Payments Fraud

Apple Pay: Fraudsters Exploit Authentication

Mobile a Breeding Ground for Counterfeit Card Fraud
Apple Pay: Fraudsters Exploit Authentication

New exploits linked to Apple Pay are quickly proving how easy it is for crafty fraudsters to take advantage of even the most seemingly secure payments systems.

See Also: The Inconvenient Truth About API Security

The problem apparently is linked not to a compromise of the mobile device's security, but to lax authentication practices used by the banking institutions to verify cards that are loaded to the iPhone for Apple Pay purchases.

Payments and security experts say fraud has resulted from some early Apple Pay transactions, although no banks contacted by Information Security Media Group would comment for attribution. One executive with a mid-tier institution on the West Coast that just launched Apple Pay last month, who asked to remain anonymous, says issuers have been talking about fraud levels as high as 6 percent - the equivalent to millions of dollars in fraudulent transactions.

That 6 percent fraud figure also has been cited by DROP Labs, a mobile payments and e-commerce strategy and advisory firm, which does not say how it determined that figure. By comparison, average losses for fraudulent credit card transactions typically fall below 1 percent, industry experts say.

In January, DROP Labs was among the first to report fraudsters had successfully used Apple Pay as a conduit for transactions using counterfeit cards. While Apple Pay's inherent security mechanisms, such as tokenization and TouchID biometric authentication, had not been compromised, the tools and practices used to verify accountholders and the cards being loaded to i-devices appeared to be the weak link, DROP Labs noted.

Call Center Authentication Too Weak

DROP Labs found that most banking institutions were verifying users and cards over the phone, which has made social engineering far too easy for criminals, says the West Coast bank executive.

"Some channels are just more secure than others," the executive said. "For the call center, it's important to let staff know there are certain triggers that callers say that let you know they might be trying to load a card on Apple that is counterfeit. So, we've been concentrating on training."

The bank also has routed calls related to Apple Pay to specific departments to help detect possible fraudulent activity sooner, the executive says.

"The industry is learning more about it, and Apple is learning, too," the executive says. "Before, with a card-present transaction, you had to counterfeit the card on a mag-stripe; now with Apple Pay, this is different. You don't need the mag-stripe to put a card on your iPhone.

John Buzzard, who heads up FICO's Card Alert Service, says most of the information fraudsters need to authenticate themselves and verify counterfeit cards can easily be obtained via phishing.

"I have heard that Apple Pay has been used as a means for fraudsters to just enter a series of card numbers into their device and then proceed with fraud," Buzzard says. "But in order to do this, you would have to at least have some general information about the cardholder. Almost everything could be phished, such as card number, expiration, CV2 [card verification code] off the back of card, ZIP code, and first and last name."

Buzzard, who recently blogged about steps institutions should take to mitigate risks associated with Apple Pay scams, says as more banks and credit unions adopt Apple Pay, fraudsters will increasingly target weaknesses that institutions and Apple Pay have not anticipated.

FICO found that of the nearly 200 banks and credit unions it survey earlier this year, more than half had either already implemented Apple Pay or had plans to implement it sometime this year.

'Is your financial institution currently participating in Apple Pay?'

To reduce risk in advance, Buzzard recommends that banks and credit unions require their customers to set up Apple Pay through their online banking accounts, rather than over the phone. "You should also permit your customers to de-select Apple Pay as an option if they decide to suspend this payment option indefinitely," he says.

Jeff Man, security strategist and evangelist at network monitoring specialist Tenable Network Security, says banks and credit unions should put pressure on Apple to have its payment instrument independently tested and evaluated from a security perspective. "Consumers should be made aware of the risks associated with using untested solutions where only the vendor claims 'we use secure technology.'"

Fraudsters Take Advantage

Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says Apple Pay has unknowingly bridged the gap between card-present and card-not-present transactions, which is benefiting fraudsters. She blogged about some of Apple Pay's shortcomings in a March 2 blog.

"Now they [hackers] don't have to even bother with their elaborate infiltrations of large retail chains like Target and Home Depot," Litan says. "They can just steal or buy cheaper CNP card data used for e-commerce transactions, and by loading that onto a smartphone, they successfully transform that CNP data into [the equivalent of] a counterfeit physical card used to commit more lucrative CP fraud."

Litan also notes: "The responsibility ultimately lies with the card issuer, who must be able to prove the ApplePay cardholder is, indeed, a legitimate customer."

Verifiying identity outside of a face-to-face environment is challenging, she says, and attackers will increasingly exploit lax authentication and verification practices now in place for mobile commerce.

"I participated in the ISMG Fraud Forum last week in Los Angeles, and one of the more interesting things I learned was how rampant ApplePay fraud is," Litan says. "The banks I met at the ISMG Fraud Summit complained that they don't get enough information out of ApplePay to properly support their fraud processes; but if that's the case, they have the right to refuse accepting it."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network