Apple Pay Under Attack

Cloudmark’s 2015 security predictions included, “As mobile payment systems become more mainstream, they will come under attack from cyber criminals”. It came as no surprise to us to see a report that Apple Pay is now a vector for credit card fraud. The scammers are not compromising existing Apple Pay accounts – so far nobody has cracked fingerprint validation. However, they are using a new iPhone and stolen credit card information to sign up for new accounts. Ironically, Apple is also one of the victims of this attack. The fake accounts are frequently used in Apple stores, as they accept Apple Pay and sell high value goods that are easy to resell.

When a credit card is added to a new Apple Pay account, Apple passes that request to the issuing bank, along with some metadata such as the device location and age of the associated iTunes account. It is then up to the bank to validate the request by whatever means they deem appropriate. Apparently, some are not being very rigorous about this, and even for sign ups that are flagged as suspect they are only requiring confirmation of the last four digits of the owners SSN – information readily and cheaply available from underground cybercrime services. Apple may deny responsibility for this attack and put the blame on the banks, but they cannot avoid all responsibility. They should not have delegated the security of signing up for their payments system to third parties who may not have the same security objectives.

There is a big difference in the security required for an account that is used purchase $0.99 songs on iTunes and an account used to make four figures purchases or protect intimate photos intended only for the eyes of a friend or lover. The more services available using a particular set of credentials, the more attractive those credentials are for compromise or forgery. The security around Apple accounts has not kept pace with the growth of services that Apple provides.

To protect against being a victim of this attack, take the usual precautions to against credit card fraud:

  • Use a credit card rather than a debit card when shopping, so that if your card is compromised you don’t also have to deal with an empty bank account.
  • If available as an option turn on dual factor authentication on all financial accounts.
  • Check your credit card bill carefully for unexpected payments.
  • Don’t give your credit card number or social security number (even the last four digits) to anyone unless you are sure you are dealing with a reputable company.

3 thoughts on “Apple Pay Under Attack”

  1. How can you say that Apple shares the blame when the Banks are the organisation that authorises the payment and are the organisation that authorises the card.

    Apple purely passes on the information leaving it to the bank to process. Its the Bank RESPONSIBILITY to ensure that the appropriate checks are taken before AUTHORISING the card on Apple Pay.

    If the Banks require more information then they can either demand it of Apple or require the customer to call their call centre so that REAL validation can occur. However if you dig into this story some Banks are requiring the customer to call and then they are not doing proper validation checks and the fraud continues.

    The Banks need to be held accountable.

    The Banks are too cheap and lazy to put the correct processes in place as it, one might mean they loose some business, two it means increasing the rigour’s of processes within the authorisation process.

    You might want to look up role based security in an application context, which Apple pay is, its a distributed Application architecture with responsibilities ultimately lying with the Bank as thats who’s insurance pays the fraud costs.

    For a security company I would have expected a view that clearly understands the roles and responsibilities with each actor in the Apple pay process.

  2. Shane, in order to guarantee the security of the Apple Pay system, someone has to ensure that the owner of the iPhone and Apple account is the same person as the owner of the credit card. The banks are not in any position to determine the owner of the Apple account, only Apple can do that.

  3. Andrew is right. Apple is doing the verification part. The bank cant see who is doing the transfer. If Apple allows users to use different creditcards than their own (or at least makes it too easy for them) this is Apple´s responsibility.

Leave a Reply

Your email address will not be published. Required fields are marked

Learn More About Cloudmark
Our Products
News and Events
Site Map  •  Privacy Policy  •  ©2002–2017 Cloudmark, Inc.