Cloudmark’s 2015 security predictions included, “As mobile payment systems become more mainstream, they will come under attack from cyber criminals”. It came as no surprise to us to see a report that Apple Pay is now a vector for credit card fraud. The scammers are not compromising existing Apple Pay accounts – so far nobody has cracked fingerprint validation. However, they are using a new iPhone and stolen credit card information to sign up for new accounts. Ironically, Apple is also one of the victims of this attack. The fake accounts are frequently used in Apple stores, as they accept Apple Pay and sell high value goods that are easy to resell.
When a credit card is added to a new Apple Pay account, Apple passes that request to the issuing bank, along with some metadata such as the device location and age of the associated iTunes account. It is then up to the bank to validate the request by whatever means they deem appropriate. Apparently, some are not being very rigorous about this, and even for sign ups that are flagged as suspect they are only requiring confirmation of the last four digits of the owners SSN – information readily and cheaply available from underground cybercrime services. Apple may deny responsibility for this attack and put the blame on the banks, but they cannot avoid all responsibility. They should not have delegated the security of signing up for their payments system to third parties who may not have the same security objectives.
There is a big difference in the security required for an account that is used purchase $0.99 songs on iTunes and an account used to make four figures purchases or protect intimate photos intended only for the eyes of a friend or lover. The more services available using a particular set of credentials, the more attractive those credentials are for compromise or forgery. The security around Apple accounts has not kept pace with the growth of services that Apple provides.
To protect against being a victim of this attack, take the usual precautions to against credit card fraud:
- Use a credit card rather than a debit card when shopping, so that if your card is compromised you don’t also have to deal with an empty bank account.
- If available as an option turn on dual factor authentication on all financial accounts.
- Check your credit card bill carefully for unexpected payments.
- Don’t give your credit card number or social security number (even the last four digits) to anyone unless you are sure you are dealing with a reputable company.