Fraudsters Exploit Weakness in Apple Pay

GUEST BLOGGER

Mark Scott, J.D., CFE
ACFE Research Specialist

Most of us carry around smartphones that are more intelligent than we are. And for many of us, our smartphones permeate almost all aspects of our lives. We use smartphones in place of watches, alarm clocks, maps and music players, and it seems that very soon we will use them to replace cash and credit cards.

Unfortunately, because criminals are adept at identifying and exploiting the weak links in new technologies, the ever-expanding capabilities of smartphones have created new avenues for fraud.

Consider the recent news about the high rates of fraud in Apple Pay, Apple’s mobile electronic payment system that launched in October 2014. Apple Pay was meant to improve credit card security, but according to some reports, the new service makes it easier for criminals to commit credit card fraud.

But it’s important to note that the Apple Pay “fraud problem” has nothing to do with security flaws in the Apple Pay mobile transaction protocol — the Apple Pay mobile-payment system itself hasn’t been hacked. Instead, fraudsters are using Apple Pay as a vehicle to make fraudulent purchases with stolen credit cards by exploiting weaknesses in the bank-side process used to approve new credit cards loaded into Apple Pay.

Before credit card data can be used for Apple Pay transactions, the bank that issued the card must verify that it’s valid and is being used by the appropriate person. Unfortunately, there are some credit card issuers with weak verification processes for the Apple Pay mobile-payment system; of course, the fraudsters focus their efforts on exploiting such weaknesses. 

What happens is a form of account takeover in which the fraudsters load already stolen credit card data into the Apple Pay platform, allowing them to create a fraudulent digital credit card that they can use to make fraudulent purchases in brick-and-mortar stores.

The fact that Apple Pay provides criminals a means through which they can use stolen card data to commit fraud in brick-and-mortar stores is a development that concerns online security expert Brian Krebs: “Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.”

This situation highlights the creativity and inventiveness of fraudsters. While Apple Pay was touted as a safer alternative to credit cards and perhaps the most secure method of payment available, enterprising criminals took little time to identify and exploit the security weakness in this emerging technology for financial gain. 

It also points to the risks in placing too much reliance on new and unproven technologies, and illustrates the old adage that security is only as strong as the weakest link. In a world where we’re more digitally connected than ever before, speed is essential, but moving impetuously can be unsafe.

Review: Spam Nation Provides Detailed, Practical Workings of Cyberfrauds

BOOKSTORE STAFF PICK

Spam Nation: The Inside Story of Organized Cyber Crime

The ACFE Bookstore offers hundreds of resources including books and manuals, self-study CPE courses, the CFE Exam Prep Course, merchandise and more. In this interview, Dick Carozza, CFE, editor-in-chief of Fraud Magazine, offers his suggestion on one must-have resource to help you in your fight against fraud.

What is your professional background and current role at the ACFE?
My background is in journalism. I’ve worked as an editor and writer for several newspapers and magazines. I’ve been editor-in-chief of the ACFE publication, Fraud Magazine, since we developed it into a four-color magazine in 1995.

Why would CFEs be interested in the new book, Spam Nation?
Brian Krebs, the author of KrebsOnSecurity.com, is a noted cybersecurity expert and a former Washington Post reporter. (He’ll be a keynoter at the upcoming 26th Annual ACFE Global Fraud Conference and will receive the ACFE’s Guardian Award.) He broke the story that credit and debit card accounts stolen in a massive data breach at Target had been flooding underground black markets. Krebs also discovered breaches at Home Depot, Neiman Marcus and others. Because of his deep contacts in the financial sector and the shadowy cybercrime world, he’s able to provide detailed, practical workings of some of the largest global cyberfrauds. Early detection equals prevention. (Read the cover article for the March/April 2015 issue of Fraud Magazine.)

How is the information in this product useful for CFEs in their professional roles?
CFEs’ clients, employers, family members and friends look to them to help deter fraud in their lives and organizations. The detailed information Krebs provides — including the prevention tips — will help us keep our personally identifiable information intact and prevent organizational data breaches. And the book is a great read. Krebs writes about the machinations of cybercrime rings and his travels to Russia to interview some of the colorful, complex fraudsters who spew spam around the world that enables identity theft. Edge-of-your-seat copy!

Order your copy of Spam Nation today on ACFE.com.