Criminals use Apple Pay to make fake virtual ‘credit cards’

“The blog of Drop Labs, a mobile commerce advisory firm, has a good (if technical) post on how Apple Pay security does — and doesn’t — work,” Chris Mills reports for Gizmodo UK. “In essence, the hardcore tech stuff for Apple Pay works just fine: no one is breaking Touch ID, stealing iPhones to pay for stuff, or hacking the NFC transmission protocol. Rather, the flaw lies in credit cards themselves.”

“According to Drop Labs, people are buying credit-card numbers online, then loading those same numbers into Apple Pay, in essence making themselves a handy fake credit card, without going to the trouble of making a physical fake,” Mills reports. “And it’s not a small problem: Drop Labs claims that for some issuers, fraud levels are as high as 6% (meaning $6 of every $100 is being spent fraudulently in the US). That’s bad even when compared to regular credit cards, whose fraud rate averages out at under 1%.”

Mills reports, “What this data really tells us is that while credit cards and their stupid unencrypted magnetic strips continue to exist, no system — not even one that uses fingerprints and special super-secure chips — can prevent nefarious hackers running up Supermarket Sweep-style consumer binges with your credit card.

Read more in the full article here.

MacDailyNews Take: Physical credit cards with unencrypted magnetic strips must die.

31 Comments

  1. Until the system is ubiquitous and accepted everywhere, the need to carry around your cards still exists. Which means they can still be lost or stolen as before.

    Someday, hopefully sooner than later, you’ll get a card issued to your that you can enter into your phone and then you can lock up the original card (assuming these things still exist) and then you can leave the worst parts of the system behind.

    We need the future to be now — now more ever.

    1. I have two main credit cards. One is a card that I use with Apple Pay and have also set up for my crucial automatic payments. I don’t carry this card with me. The other is a card that I use for swiping in retail stores and restaurants that don’t accept Apple Pay. If I lose the second card or it gets compromised, I can replace it without issue.

  2. I don’t understand this hack. I thought any card added to Apple Pay had to go through loop for a bank check in order to allow for tokenization. Please get more info.

    1. According to the story some banks are not authorizing cards using the proper mechanism. Come on banks – Apple gives you a way to securely pay – then you screw it up.

      1. According to the story, some banks will require a simple phone call in order to authorise the card number into ApplePay.

        If some banks are this foolish about the integrity of their system, Apple may be able to make a simple change to the ApplePay system to require some more reliable authentication system before adding a card to ApplePay.

            1. You’re assuming the criminal is adding the credit card number to your AppleID. I seriously doubt they have both your credit card number and your AppleID. More likely they’re adding a valid credit card number to a newly-created AppleID.

            2. The problem is NOT the scammers using YOUR (or anyone else’s) credit card number.

              The problem is that they have figured out the codes for numbers that *can* be used for a credit card company’s (and bank’s) card. Even the groups that haven’t actually figured out the codes can go online to illicit sites and buy the authorized numbers.

              They then call that bank with a viable number (that likely has not been issued to anyone at all) and authorization number that would be on the back (or in the case of AmEx, on the front) of the card and a fake name.

              The person at the bank looks up in a data base the viable numbers and codes, verifies that they are “good” and authorizes the card to be used with Apple pay. I’ve heard reports that many banks don’t check anything further — just the card number and code and that’s it.

              No physical credit cards need be stolen. No credit card magnetic strips need be recorded. No credit card even needs to have been issued.

              No matter what Apple does, it cannot control what the bank or the credit card company does on the back end. Apple Pay could be infinitely secure (it isn’t and no system ever will be), and this type of “hack” would still proliferate until the banks and credit card companies get their acts together.

              One of the things I did was set up with one of my credit cards (the one with the highest limit and use most often) that the company texts me every time the card is used. True, it’s a bit of overkill for a $5 purchase at the grocery store, but at least I get a notification that the card was used. The text usually happens within about 3 – 5 minutes of the time I make the purchase — even if I use Apple Pay. If I get a text that a purchase was made and I know I didn’t make that purchase, I can immediately contact the card issuer and ask about the details.

              There are many ways to add financial security to your life depending on the level of hassle you want to implement.

              The banks and credit cards just need to get their acts together and fix this huge hole in their authorization systems.

      1. but… but… APPLE!!!!!!

        Bank robber gets caught with an iPhone in his pocket, Apple is now in the business of robbing banks. Right?

        I love how any problem out there is Apple’s fault, all you have to do is insert Apple into the headline… and Boom! Apple’s at fault!

        1. True, not Apple’s fault.. Just that the system they created has this loophole on the bank’s end. Thanks to the combination of this weakness and the much reduced physical resources needed to make fake credit card on Apple Pay (vs actually making the physical fake cards) this exploit is increasing the fraud level significantly. Since Apple has come this far in making ApplePay work with the banks and credit cards companies, it would be in their best interest to not let the work go to waste and simply work further with the participants involved in the system to improve the security at the authorization end. I think the first 4-6 digits of any CC number identifies the issuing bank so it shouldn’t be too difficult to narrow the bank down and help make them more secure.

    2. @ WhoKnows

      You are correct. The issue is with banks that aren’t performing proper authentication when setting up cards with Apple Pay. My bank required me to respond to a text message sent to my phone number that they had on record. That minimum level of authentication would prevent the hack detailed in this article.

      1. I have my Visa with Citibank. I had to enter the card number, expiration date, the 3-digit number on the back of the card, and then wait for a phone call to the number they had on file (my landline). The phone call gave me a six-digit number I had to enter, and then Apple Pay was ready to go.

        My wife’s Visa is with USBank. She just had to enter the information on the card and she was authorized.

        Clearly not all banks have the same level of concern about fraud.

        ——RM

  3. HOW CREDIT CARD NUMBERS ARE BEING STOLEN, The POS (point of sale) terminal version:

    1) Take ANY kind of credit card, be it magnetic stripe or RFC/Chip-and-PIN, and have it run through a POS device running Windows XP Embedded.

    2) The credit card data is stored in-the-clear in RAM on the POS device.

    3) Malware, which has been installed over the store’s network onto the POS device, grabs that credit card data out of RAM and sends it to a central data hub (infected server) within the store’s LAN (local area network).

    4) Periodically the crackers/hackers, who installed the malware, will log into the store’s LAN and retrieve the latest cache of credit card accounts. These are then served up on the Internet at nefarious websites for sale to the highest bidder.

    It’s after all of the above that these stolen credit accounts are punched into iOS devices and connected to Apple Pay.

    Does Apple have any responsibility in this situation: NO, NOT AT ALL. There is nothing Apple can do to stop this situation. It is up to the credit account intermediaries and vendors to keep up to date with the stolen credit card lists and block stolen accounts, not Apple.

    So NO, this is not a problem with Apple Pay at all. It’s before and after Apple Pay, within the credit system, that is the problem.

    Reminder: Over 110 million customer accounts were stolen from lazy, irresponsible Target Corporation via the method explained above.

    Thankfully: Windows XP Embedded POS devices are incapable of reading Apple Pay or more modern RFC/Chip-And-PIN cards. The exposed data in-the-clear in RAM is no longer (theoretically) a problem. They’re gradually being relegated to the garbage heap, where they should have been tossed many years ago.

  4. So the story is saying that John Smith can take his iPhone 6 and load a stolen credit card from Jane Doe and Apple Pay doesn’t care?
    Is that right?

    This is not a statement, I’m asking a question because I don’t know the answer.

    1. No, not quite. ApplePay will ONLY accept a credit card IF the bank that authorised that card actually approves that the card be added to ApplePay.

      Unfortunately, many banks simply approve this without actually checking if the card number is actually legitimate, if the account is not suspended due to stolen card, or if the person adding the card to ApplePay is the actual user. The fault is entirely bank’s, and Apple really cannot possibly do anything to fix this.

      1. Perhaps part of the problem here is that fraudsters have found the formula for matching up the right card number to the CVV number for a particular bank and the bank assumes that the card is active in the actual owner’s hands. A possible fix for this on ApplePay’s end is to make sure the phone/device that ApplePay is authorized on matches reasonably well (may be missing middle initial) to the name registered with AppleID.

  5. Seems to me like this system could be used for any kind of remote credit-card use e.g. when paying for something online at Amazon. If someone can hoodwink Apple Pay by registering false card authorizations, they could do it anywhere that actual physical inspection of the cards is not required.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.