The security expert Cherian Abraham revealed a spike in the fraud on Apple’s mobile payment platform, Apple Pay. The criminals are trying new techniques to compromise the Apple security chain. While the Apple devices and software are relatively secure and difficult to compromise, the crooks are orienting their efforts to hit what is considered the weakest link in the security chain, the humans.
Let’s a analyze the provisioning process for Apple Pay to find flaws. When the process starts, consumers can take an image of their card, allowing the app to scan their credentials. As explained by Abraham, customers can also manually enter the details, this aspect is crucial for the implementation of the fraud scheme.
The overall information, that can include iTunes account (device name, current location, transaction history) and more, are sent to the bank service that can authorize the card for Apple Pay, or require additional information.
Green, yellow and red path.
The cards could be automatically approved or declined, listed respectively under the green or red path. Apple also introduced a third mandatory path, the yellow path, that is used to request further checks to banks and card issuers.
The implementation of the yellow path depends on the specific card issuer, each of them can perform a different number of checks, including a direct contact with personnel of the call center. The use of call centers for additional verification is the elements exploited by criminals for their illegal activities.
In the Apple Pay fraud schema, cyber criminals call the call center to convince the operators to add an Apple device to an account, and ask to activate the Apple Pay. In this way the crooks avoid the checks requested by Apple to the Bank by exploiting the human factor.
“At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud has varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one, is bold enough to call the emperor naked.” explained Abraham in a blog post.
Criminal organizations in the US are using mules to cash-out pre-provisioned Apple Pay devices by acquiring expensive products, including Apple devices.
“These are organized crime rings that are handing out pre-provisioned devices to mules that are then being used to commit fraud – with much of fraud (for some issuers) – occurring around Miami,FL and Dallas,TX. Prepaid cards unsurprisingly are a tool of choice as they can be quickly converted to cash or goods – and subsequently, untraceable. What was surprising to hear was how many times Apple stores themselves popped up as the store of choice for the fraudster – and yet unsurprising, due to its nature as a luxury retailer. There is a certain irony in one compromised Apple Pay device paying for another – only to be drafted subsequently in to the fraudsters service.” the post explained.
The security web portal csoonline.com reported the declaration of John Zurawski, Vice President of marketing at Authentify, regarding the Apple Pay fraud, that confirm thirty percent of cross channel fraud are conducted through social engineering attacks against call center.
“The call center is typically there to resolve an issue – not do any banking. In the Apple Pay fraud discussed, the fraudsters must be calling the call center, convincing someone to add an Apple iPhone 6 or better to an account, and asking to activate Apple Pay. The actual Apple Pay activation is initiated between Apple and the Bank. Apple passes to the Bank a person’s stolen credit card info, including the details backing their iTunes account,” he said.
Cyber criminals use personal information to deceive call center personnel, it is very hard for the operators discover the fraud if the caller use correct information.
In December, Experts at Dell Secure Works Counter Threat Unit (CTU) published a new report on the evolution of the hacking underground market highlighting a growing interest in the personal data, in particular in any kind of documentation that could be used as a second form of authentication, including passports, driver’s licenses, Social Security numbers and even utility bills.
“The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver’s licenses.” states the report.
The Apple Pay fraud demonstrates the inadequacy of authentication processes implemented by banks and card issuers that are based on personal information.
(Security Affairs – Apple Pay, cybercrime)