PSA | Criminals Are Using Apple Pay to Go on Shopping Sprees with Stolen Credit Cards More Easily Than Ever

[Image: iPhone NFC Apple Pay. Credit: Viktor Hanacek / PicJumbo]

Criminals have discovered that Apple Pay is one of the easiest ways to use stolen credit card information, thanks to the ease of duping unsuspecting customers into handing over their confirmation codes.

According to a new report from Vice, criminals are using the convenience and relative anonymity of Apple Pay as a shield to “go on spending sprees with stolen credit and debit card numbers.”

One fraudster even described Apple Pay as “the easiest way to make money” now that hackers have developed and distributed a tool designed to steal victims’ multi-factor authentication tokens.

When you add a new credit or debit card to Apple Pay, the iPhone Wallet app walks you through a verification process to confirm that the card belongs to you. The banks manage this process entirely, so it can differ significantly depending on what company issued your card.

In many cases, this involves receiving a text message, phone call, or email with a confirmation code. The customer then enters that confirmation code directly into the Wallet app, and the card is activated for use.

However, as Vice reports, criminals have taken to using bots specifically designed to steal these codes, making it nearly effortless for them to get cards activated on Apple Pay.

Instead of calling a potential victim directly and trying to “social engineer” their code from them, these bots use text-to-speech scripts with a proven track record.

For example, the bot might call up the victim with what appears to be an automated system from their bank, telling them that a problem has been detected with their account. The person is then asked to enter the code that the bank has sent to their mobile device via text message.

In audio of one bot call obtained by Motherboard, the bot pretended to be an automated system from PayPal that was helping to secure the victim’s account. In the call, the computerized voice said that “In order to secure your account, please enter the code we have sent your mobile device now.” (Vice)

A bot like this would be used when the criminal adds a stolen card to Apple Pay that triggers a text message from the victim’s bank. The unsuspecting person receiving the call may assume that the text message was generated for another reason and supply the code without realizing that they’re giving away their credit card information.

This trick won’t work for all credit and debit cards since some banks use other verification methods that are considerably more secure. However, Vice found photos uploaded to Telegram by the bot administrators that showed that Wells Fargo and Chase cards could be successfully added to Apple Pay using these methods.

What makes this so appealing to crooks is that Apple Pay requires almost no additional verification at the point of sale. Using a physical credit or debit card is much riskier for a criminal, since it often requires entering a PIN into the terminal or handing the card to a cashier, who could check the name and become suspicious if it doesn’t match the person holding the card. The cashier could then, in turn, ask to see identification.

None of this happens when using Apple Pay since, presumably, the iPhone’s Touch ID or Face ID authentication is sufficient to verify the transaction. The cashier doesn’t see a name, and in most cases, a signature or PIN is not required.

Unfortunately, as this report reveals, the weak link is the process by which a card is added to Apple Pay in the first place.

How to Protect Yourself

This is not a security failure on Apple’s part or even that of the banks and card issuers.

A criminal who has obtained stolen credit card information must still go through the same process that a legitimate cardholder does to add that card to Apple Pay. Nobody has found a way to hack or bypass that process.

This is entirely what’s known as a “social engineering” attack. It relies on deceiving potential victims into giving up their verification codes too easily.

What makes it lucrative for the scammers — and dangerous for everyone else — is that these new automated bots allow hundreds of potential victims to be contacted more quickly and effortlessly than ever before.

Fortunately, there are a few simple steps you can take to protect yourself from such scams:

  1. Don’t give out verification codes to somebody who calls you on the phone, no matter who they claim to be. If necessary, offer to call the person back — but only at a legitimate and published number for the organization they’re calling from.
  2. Don’t call an unknown phone number to provide verification codes. When in doubt, look up the legitimate number for your bank or credit card company and call them directly.
  3. Don’t click links in text messages unless you are absolutely certain that the message is from a legitimate source.
  4. Verification codes are never sent randomly. If you receive a verification code that you haven’t done anything to trigger, assume that it results from somebody trying to hack into your account. Do not give that information out to anybody.
  5. A verification code is never necessary to “further secure your account.” If you’re concerned about the security of an online account, change your password; if you’re worried about the safety of your credit or debit card, contact your bank or card issuer directly.

The good news is that many credit and debit cards rely on much more secure verification methods before they can be enrolled in Apple Pay. Some can only be added through the bank’s iOS app, which requires that you be able to log into your account first. Others require that you place a call to an actual human being and verify your account information, after which they flip a switch on their end to activate the card remotely.

This kind of criminal activity also explains why Apple is ramping up its fraud protections in Apple Pay. Tracking details such as the location of transactions can ensure that even if a scammer does manage to get one of your payment cards added to their iPhone, it will quickly get flagged as fraudulent since it’s unlikely the thief will be using it anywhere near your current location.
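As an added illustration of the kind of location check described above, the following Python script scores a small constructed transaction log against two heuristics: distance from the cardholder’s last known device location, and the travel speed implied by consecutive transactions (“impossible travel”). This is example code written for this article, not Apple’s or any card issuer’s actual fraud logic; the home location, merchants, timestamps and thresholds are all assumed values.

```python
"""Location-based fraud heuristics over a constructed transaction log.

Added illustration only: an approximation of the general technique, not any
real payment network's rules. A card enrolled on a fraudster's phone is normally
used far from the legitimate cardholder, so each transaction is checked against
(1) the cardholder's last known device location and (2) the travel speed implied
by the previous transaction.
"""
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


@dataclass
class Transaction:
    txn_id: str
    timestamp: datetime
    lat: float
    lon: float
    merchant: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def score_transactions(transactions, home_lat, home_lon,
                       max_distance_km=100.0, max_speed_kmh=900.0):
    """Return {txn_id: [reasons]} for every transaction that trips a heuristic.

    max_distance_km: how far from the cardholder's device a purchase may be
    before it is flagged (assumed threshold).
    max_speed_kmh: fastest plausible travel between two consecutive purchases;
    anything faster than a jet is treated as impossible (assumed threshold).
    """
    flagged = {}
    prev = None
    for txn in sorted(transactions, key=lambda t: t.timestamp):
        reasons = []

        dist_home = haversine_km(home_lat, home_lon, txn.lat, txn.lon)
        if dist_home > max_distance_km:
            reasons.append(f"{dist_home:.0f} km from cardholder's device")

        if prev is not None:
            leg_km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
            hours = (txn.timestamp - prev.timestamp).total_seconds() / 3600
            # Same-second transactions in different places are also impossible.
            if hours <= 0:
                speed = math.inf if leg_km > 1.0 else 0.0
            else:
                speed = leg_km / hours
            if speed > max_speed_kmh:
                reasons.append(
                    f"implied travel of {speed:.0f} km/h since {prev.txn_id}")

        if reasons:
            flagged[txn.txn_id] = reasons
        prev = txn
    return flagged


# Constructed sample: cardholder's phone is in Toronto; one purchase appears
# in Miami ten minutes after a Toronto coffee, then a normal Toronto grocery run.
SAMPLE_HOME = (43.65, -79.38)
SAMPLE_TRANSACTIONS = [
    Transaction("t1", datetime(2021, 3, 1, 9, 0), 43.66, -79.39, "coffee shop, Toronto"),
    Transaction("t2", datetime(2021, 3, 1, 9, 10), 25.76, -80.19, "electronics store, Miami"),
    Transaction("t3", datetime(2021, 3, 1, 12, 0), 43.64, -79.37, "grocery, Toronto"),
]

if __name__ == "__main__":
    for txn_id, reasons in score_transactions(SAMPLE_TRANSACTIONS, *SAMPLE_HOME).items():
        print(txn_id, "flagged:", "; ".join(reasons))
```

With the sample data, only the Miami purchase is flagged, on both counts: it is roughly 2,000 km from the cardholder’s phone, and reaching it ten minutes after a Toronto purchase would imply travelling at more than 10,000 km/h. The later Toronto grocery purchase is close to home and, at nearly three hours after the Miami one, falls under the speed threshold, so a real system would need additional signals to tie the two together.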
