How Apple Pay Is Exploited for Fraud
Fraudsters Are Using Telephone Number 'Porting'
Although Apple Pay initially gained attention for its potential to improve the security of mobile payments - thanks to its use of EMV and built-in tokenization - other security shortcomings are coming to light.
In late February, we heard about how criminals were loading stolen credit and debit cards to iPhones for use with Apple Pay accounts (see Apple Pay: Fraudsters Exploit Authentication).
Now we're hearing about how criminals are exploiting device identification measures and out-of-band authentication methods used by banks to verify new Apple Pay accounts.
When a user sets up an Apple Pay account, he or she can choose to be authenticated with a verification code that is sent via text to the phone. But criminals are now exploiting this out-of-band authentication method by "porting" over or transferring landline numbers from unsuspecting victims to mobile phones the criminals possess.
And because so many people have landline numbers they rarely use, it's proven to be an easy scam for criminals. That's because consumers might not notice right away, for example, that their landline is not getting calls anymore.
Evidently, telephone companies and mobile carriers don't ask too many questions when a user asks to have a number ported over, so anybody can port over another person's number with relative ease, I'm told by security experts who now are tracking the problem.
So, the criminals can set up an Apple Pay account under the name of the user who actually owns the ported telephone number. Criminals then could use stolen card data to load into Apple Pay.
Phone Number Porting
"Number porting and call forwarding have been around for years and are used by the criminals to take over all kinds of accounts," says Litan, a fraud expert at the consultancy Gartner.
Banking institutions often send text messages or place phone calls to account holders' mobile phones to verify transactions and payments. In most cases, this verification involves the transfer of a one-time password that the user must send back through a browser, Litan explains.
"If the number is ported or the call is forwarded, then the criminal obviously gets the message and can continue with their criminal activities," she says.
Banks can implement more reliable authentication methods, such as biometrics, but users have to enroll first, Litan says.
"After credit card accounts and DDAs [demand deposit accounts], phone accounts are the most likely to be affected by account takeovers, because of their role in out-of-band authentication for financial accounts, which has made them valuable targets for fraudsters," says Pascual, a fraud expert at the consultancy Javelin Strategy & Research. "It is certainly another example of how vulnerable the solution is to fraud, as a result of poorly conceived account holder verification protocols. Relying on calls to landlines to validate the identity of an Apple Pay user is tantamount to using freight lines from the 1800s for a bullet train. Something has got to give."
I've been hearing much more about phone-porting being used to exploit Apple Pay. Banks will need to develop strategies now to ensure they're authenticating users through additional means.
Banking institutions have to get away from user-based authentication and rely more heavily on behavioral analytics to verify users, their devices and their accounts. For example, if banks could get more information about the numbers affiliated with their accountholders, they could ask for more data from the telephone and mobile carriers about the user's activity history on that line, or be alerted when numbers are ported.
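The two passages above describe the mechanics of SMS one-time passwords (a code texted to the phone and typed back into a browser) and the kind of carrier data that would let a bank stop sending that code to a number that has just been ported. The following is an added example, not code from the article or from any bank or carrier named in it: a hypothetical risk gate that consults a constructed port-history table (standing in for a real carrier or number-intelligence lookup) before issuing an OTP, refuses SMS delivery for landlines, recently ported numbers and carrier changes, and verifies codes with an expiry, an attempt limit and constant-time comparison. All phone numbers, carrier names and thresholds are made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed carrier-lookup records (hypothetical data; a real deployment would
# query a carrier or number-intelligence API for line type and port history).
PORT_HISTORY = {
    "+15551230001": {"line_type": "mobile",   "last_port_epoch": None,          "carrier": "CarrierA"},
    "+15551230002": {"line_type": "mobile",   "last_port_epoch": 1_700_000_000, "carrier": "CarrierB"},
    "+15551230003": {"line_type": "landline", "last_port_epoch": None,          "carrier": "CarrierC"},
}

RECENT_PORT_WINDOW = 30 * 24 * 3600    # treat a port in the last 30 days as high risk (assumed policy)
OTP_TTL = 300                          # one-time password lifetime in seconds
MAX_ATTEMPTS = 3                       # failed verifications before the code is voided
_SERVER_KEY = secrets.token_bytes(32)  # per-process secret for keyed hashing of stored codes


def assess_number(phone, now, enrolled_carrier=None):
    """Decide whether an SMS OTP may be sent to this number.

    Returns (decision, reasons): decision is "sms_ok" or "step_up"; "step_up"
    means the bank should fall back to a factor that does not ride on the phone line.
    """
    rec = PORT_HISTORY.get(phone)
    if rec is None:
        return "step_up", ["no_carrier_data"]
    reasons = []
    if rec["line_type"] != "mobile":
        reasons.append("not_mobile_line")          # landline texts go nowhere useful
    port = rec["last_port_epoch"]
    if port is not None and now - port < RECENT_PORT_WINDOW:
        reasons.append("recent_port")              # the number may have just changed hands
    if enrolled_carrier and rec["carrier"] != enrolled_carrier:
        reasons.append("carrier_changed")          # differs from the carrier on file at enrollment
    return ("step_up" if reasons else "sms_ok"), reasons


class OtpStore:
    """Issues and verifies one-time passwords; only keyed hashes are kept server-side."""

    def __init__(self):
        self._pending = {}  # phone -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(phone, code):
        return hmac.new(_SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone, now):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"digest": self._digest(phone, code),
                                "expires": now + OTP_TTL, "attempts": 0}
        return code  # handed to the SMS gateway in practice; never logged

    def verify(self, phone, code, now):
        entry = self._pending.get(phone)
        if entry is None:
            return False, "no_pending_code"
        if now > entry["expires"]:
            del self._pending[phone]
            return False, "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(phone, code)):
            del self._pending[phone]               # a code is single-use
            return True, "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]               # void the code after repeated misses
            return False, "locked"
        return False, "mismatch"


def request_otp(store, phone, now, enrolled_carrier=None):
    """Gate OTP delivery on the number's risk; returns (decision, reasons, code_or_None)."""
    decision, reasons = assess_number(phone, now, enrolled_carrier)
    if decision != "sms_ok":
        return decision, reasons, None
    return decision, reasons, store.issue(phone, now)


if __name__ == "__main__":
    store = OtpStore()
    t = 1_700_000_000 + 24 * 3600  # one day after the constructed port event
    for number in PORT_HISTORY:
        print(number, request_otp(store, number, t, enrolled_carrier="CarrierA")[:2])
```

The decision logic is deliberately a blocklist of concrete signals rather than a score, so each refusal carries a reason a fraud analyst can act on; the port-date check is what the article's experts are asking carriers to expose, and the carrier-on-file comparison is the cheapest version of "be alerted when numbers are ported" a bank can run without a carrier feed.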
Security provider Neustar, which has been closely analyzing phone-porting risks associated with Apple Pay, says fraudsters are increasingly stealing and using victims' phone numbers to have passwords reset as well. Because of social media mining, out-of-wallet authentication questions, such as the name of a first pet, have also lost effectiveness as a fraud defense. This is why real-time, authoritative data that has a direct linkage to the owner of the information is so imperative, Neustar says.
In the coming months, the authentication issue is going to become even more critical as the migration to EMV ramps up and issuers and retailers search for ways to prepare for the migration of fraud to other channels.
Jeremy King, international director of the PCI Security Standards Council, touched on this issue last week in an interview I conducted with him about how issuers and retailers should be bracing now for new types of payments attacks.
"Globally, where EMV chips have been rolled out, we have seen a drop in face-to-face [card-present] fraud ... but the chip is not beneficial for the card-not-present space," King says. "In those situations, it is imperative that merchants adopt the PCI Data Security Standard to protect all cardholder data through the backend systems."
Do you see phone-porting as a growing concern and a risk for standard out-of-band authentication practices? If so, is your institution moving away from these types of authentication methods and moving toward back-end analytics that remove user involvement? I encourage you to post your comments below.
Apple Pay security vulnerabilities, and other emerging payment fraud concerns, will be key topics I and others will discuss next week at Information Security Media Group's Fraud Summit Chicago. I invite you to join us on May 19.