720-891-1663

Breach, Hacks

Apple Pay Hacked (well, sort of)

As I suspected when Apple Pay was released, the hackers did not just give up and say “this is too hard” and all get jobs at Burger King.

No, instead they said, what vulnerabilities does Apple Pay have?

The first one (at least that we know of) is something called yellow path.  The hackers have figured out that they can set up an iPhone with stolen personal information and then call the bank to authorize the card.  Apparently, Apple has a red, yellow, green process for doing this where red is rejected and green is approved, but yellow requires additional verification to add the card to the phone.

At least some banks are being lax about this and just asking for the last 4 of the social and if the hacker has that, the bank sets up the card on the phone.  Since the hacker controls the phone, they pass the fingerprint check and run bogus charges on the card.

The karmic part of this is the crooks are often buying Apple products at Apple stores with the bogus iPhone/Apple Pay setup.

Apparently this is a REALLY BIG problem.  Card issuers had expected about 2 or 3 cents of fraud per hundred dollars of charges.  Instead they are seeing about 6 dollars of fraud per hundred dollars of charges.  That is a good way to go broke.

The fraudsters are way better at conning the bank’s call centers than the banks are at detecting the fraud.

And, has been the case since the beginning of time, since the banks are much more worried about not offending customers than having good security (hence the $12 billion a year in credit card fraud), we have a problem.  For example, how often does a clerk in a store really examine the signature panel on your credit card.  I have some cards that are not signed and I have seen many clerks look at the signature panel, see that it wasn’t signed, and hand me back the card rather than ask me for ID – they don’t want to offend anyone.

In any case, given the fraud rate is about 200 to 300 times what they planned for, they are going to be forced either to do something about it or discontinue accepting Apple Pay.  Talk about a rock and a hard place for banks.

See this article for more information.

Mitch

Facebooktwitterredditlinkedinmailby feather

Copyright © 2024 CyberCecurity, All rights reserved. Privacy Policy