The Fraud Blog with Tracy Kitten

How Apple Pay Is Exploited for Fraud

Fraudsters Are Using Telephone Number 'Porting'
Although Apple Pay initially gained attention for its potential to improve the security of mobile payments - thanks to its use of EMV and built-in tokenization - other security shortcomings are coming to light.

The main area of concern is not the technology itself, but the ways in which Apple Pay and banks are authenticating users and verifying payment cards.

In late February, we heard about how criminals were loading stolen credit and debit cards to iPhones for use with Apple Pay accounts (see Apple Pay: Fraudsters Exploit Authentication).

Now we're hearing about how criminals are exploiting device identification measures and out-of-band authentication methods used by banks to verify new Apple Pay accounts.

When a user sets up an Apple Pay account, he or she can choose to be authenticated with a verification code that is sent via text to the phone. But criminals are now exploiting this out-of-band authentication method by "porting" over or transferring landline numbers from unsuspecting victims to mobile phones the criminals possess.

And because so many people have landline numbers they rarely use, it's proven to be an easy scam for criminals. That's because consumers might not notice right away, for example, that their landline is not getting calls anymore.

Evidently, telephone companies and mobile carriers don't ask too many questions when a user asks to have a number ported over, so anybody can port over another person's number with relative ease, I'm told by security experts who now are tracking the problem.

So, the criminals can set up an Apple Pay account under the name of the user who actually owns the ported telephone number. Criminals then could use stolen card data to load into Apple Pay.

Phone Number Porting

Telephone number porting for nefarious purposes has been around a long time, say industry analysts Avivah Litan and Al Pascual. Fraudsters are just re-applying old tricks to a new channel, they say.

"Number porting and call forwarding has been around for years and are used by the criminals to take over all kinds of accounts," says Litan, a fraud expert at the consultancy Gartner.

Banking institutions often send text messages or place phone calls to account holders' mobile phones to verify transactions and payments. In most cases, this verification involves the transfer of a one-time password that the user must send back through a browser, Litan explains.

"If the number is ported or the call is forwarded, then the criminal obviously gets the message and can continue with their criminal activities," she says.

Banks can implement more reliable authentication methods, such as biometrics, but users have to enroll first, Litan says.

"After credit card accounts and DDAs [demand deposit accounts], phone accounts are the most likely to be affected by account takeovers, because of their role in out-of-band authentication for financial accounts, which has made them valuable targets for fraudsters," says Pascual, a fraud expert at the consultancy Javelin Strategy & Research. "It is certainly another example of how vulnerable the solution is to fraud, as a result of poorly conceived account holder verification protocols. Relying on calls to landlines to validate the identity of an Apple Pay user is tantamount to using freight lines from the 1800s for a bullet train. Something has got to give."

I've been hearing much more about phone-porting for the exploit of Apple Pay. Banks will need to develop strategies now to ensure they're authenticating users through additional means.

Banking institutions have to get away from user-based authentication and rely more heavily on behavioral analytics to verify users, their devices and their accounts. For example, if banks could get more information about the numbers affiliated with their accountholders, they could ask for more data from the telephone and mobile carriers about the user's activity history on that line, or be alerted when numbers are ported.
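The port-alert idea above, sketched as a pre-check a bank could run before sending a verification code to a phone number. This is an added example, not code from the article or from any vendor; the record fields, the 30-day window and the action names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PORT_COOLDOWN_DAYS = 30  # assumed policy value, not taken from the article


@dataclass
class NumberRecord:
    """Hypothetical view of a phone number built from carrier-supplied data."""
    line_type_on_file: str        # "landline" or "mobile" when the customer enrolled it
    current_line_type: str        # line type the carrier reports today
    last_ported: Optional[date]   # most recent port date, None if never ported
    call_forwarding: bool         # carrier reports forwarding is active


def otp_channel_decision(rec: NumberRecord, today: date) -> Tuple[str, List[str]]:
    """Return ("send_otp" | "step_up", reasons) for a card-provisioning request.

    "step_up" means: do not send the code to this number; verify the
    account holder through another channel first.
    """
    reasons: List[str] = []
    if rec.last_ported is not None:
        age = (today - rec.last_ported).days
        if age < PORT_COOLDOWN_DAYS:
            reasons.append(f"number ported {age} day(s) ago")
    if rec.line_type_on_file != rec.current_line_type:
        reasons.append(
            f"line type changed: {rec.line_type_on_file} -> {rec.current_line_type}")
    if rec.call_forwarding:
        reasons.append("call forwarding active")
    return ("step_up" if reasons else "send_otp"), reasons


# Constructed sample records (not real customer data).
TODAY = date(2015, 5, 12)
SAMPLES = {
    "unchanged mobile": NumberRecord("mobile", "mobile", None, False),
    "landline ported to mobile": NumberRecord("landline", "mobile", date(2015, 5, 9), False),
    "forwarded landline": NumberRecord("landline", "landline", None, True),
    "port from last year": NumberRecord("mobile", "mobile", date(2014, 4, 1), False),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        action, why = otp_channel_decision(rec, TODAY)
        print(f"{label:28s} {action:9s} {'; '.join(why)}")
```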

Security provider Neustar, which has been closely analyzing phone-porting risks associated with Apple Pay, says fraudsters are increasingly stealing and using victims' phone numbers to have passwords reset as well. With social media mining, out-of-wallet authentication questions, such as the name of a first pet, have also lost effectiveness as a fraud defense. This is why real-time, authoritative data that has a direct linkage to the owner of the information is so imperative, Neustar says.

In the coming months, the authentication issue is going to become even more critical as the migration to EMV ramps up and issuers and retailers search for ways to ensure they are preparing for the migration of fraud to other channels.

Jeremy King, international director of the PCI Security Standards Council, touched on this issue last week in an interview I conducted with him about how issuers and retailers should be bracing now for new types of payments attacks.

"Globally, where EMV chips have been rolled out, we have seen a drop in face-to-face [card-present] fraud ... but the chip is not beneficial for the card-not-present space," King says. "In those situations, it is imperative that merchants adopt the PCI Data Security Standard to protect all cardholder data through the backend systems."

Do you see phone-porting as a growing concern and a risk for standard out-of-band authentication practices? If so, is your institution moving away from these types of authentication methods and moving toward back-end analytics that remove user involvement? I encourage you to post your comments below.

Apple Pay security vulnerabilities, and other emerging payment fraud concerns, will be key topics I and others will discuss next week at Information Security Media Group's Fraud Summit Chicago. I invite you to join us on May 19.



About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



