Cloudmark's 2015 security predictions included, "As mobile payment systems become more mainstream, they will come under attack from cyber criminals". It came as no surprise to us to see a
report that Apple Pay is now a vector for credit card fraud. The scammers are not compromising existing Apple Pay accounts - so far nobody has cracked fingerprint validation. However, they are using a new iPhone and stolen credit card information to sign up for new accounts. Ironically, Apple is also one of the victims of this attack. The fake accounts are frequently used in Apple stores, as they accept Apple Pay and sell high value goods that are easy to resell.
When a credit card is added to a new Apple Pay account, Apple passes that request to the issuing bank, along with some metadata such as the device location and the age of the associated iTunes account. It is then up to the bank to validate the request by whatever means it deems appropriate. Apparently, some banks are not being very rigorous about this: even for sign-ups that are flagged as suspect, they are only requiring confirmation of the last four digits of the owner's SSN, information that is readily and cheaply available from underground cybercrime services. Apple may deny responsibility for this attack and put the blame on the banks, but they cannot avoid all responsibility. They should not have delegated the security of signing up for their payments system to third parties who may not have the same security objectives.
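To make the issuer's side of that flow concrete, here is an added illustration of what a more rigorous provisioning check could look like. This is not Cloudmark's, Apple's or any bank's code: the request fields, the weights and thresholds, and the idea of scoring the wallet-provider metadata before choosing a verification method are all assumptions. The point it demonstrates is that a flagged request should be pushed to an out-of-band challenge on a channel the issuer already controls (here, the phone number on file) rather than to a knowledge-based question whose answer, such as the last four digits of an SSN, is cheaply purchasable.

```python
"""Hypothetical issuer-side risk check for a mobile-wallet card provisioning request.

Added example, not code from the original post or from Apple or any bank.
All field names, weights and thresholds below are assumptions for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ProvisioningRequest:
    """Metadata a wallet provider might forward to the issuer (fields assumed)."""
    account_age_days: int          # age of the wallet account making the request
    device_age_days: int           # days since this device was first seen
    device_country: str            # coarse device location
    billing_country: str           # country of the card's billing address
    cards_added_to_device_7d: int  # distinct cards provisioned to this device this week
    card_age_days: int             # days since the card itself was issued


def risk_score(req: ProvisioningRequest) -> int:
    """Additive score; higher means more like a stolen-card sign-up on a fresh device."""
    score = 0
    if req.account_age_days < 7:
        score += 30   # brand-new wallet account
    if req.device_age_days < 1:
        score += 20   # brand-new device
    if req.device_country != req.billing_country:
        score += 25   # device is not where the cardholder lives
    if req.cards_added_to_device_7d >= 3:
        score += 40   # one device collecting many people's cards
    if req.card_age_days < 30:
        score += 10   # freshly issued card, little history to compare against
    return score


def decide(req: ProvisioningRequest) -> str:
    """Map the score to approve / step_up / decline (thresholds are assumptions)."""
    score = risk_score(req)
    if score >= 70:
        return "decline"
    if score >= 30:
        return "step_up"
    return "approve"


def issue_challenge() -> str:
    """Generate a one-time code to send over a channel the issuer controls
    (e.g. SMS or a call to the phone number already on file). The code is the
    secret; a knowledge-based question such as last-4 SSN is deliberately not used."""
    return f"{secrets.randbelow(1_000_000):06d}"


def verify_challenge(expected: str, supplied: str) -> bool:
    """Constant-time comparison of the code the customer typed back."""
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    established = ProvisioningRequest(400, 200, "US", "US", 1, 800)
    suspicious = ProvisioningRequest(1, 0, "US", "US", 1, 200)
    fraud_like = ProvisioningRequest(1, 0, "RO", "US", 4, 10)
    for label, req in [("established", established),
                       ("suspicious", suspicious),
                       ("fraud_like", fraud_like)]:
        print(f"{label}: score={risk_score(req)} decision={decide(req)}")
    code = issue_challenge()
    print("step-up verified:", verify_challenge(code, code))
```

In practice the weights would come from the issuer's own fraud data, but the structure is the part that matters: the wallet metadata feeds a decision, and the "suspect" outcome triggers verification against something the fraudster cannot buy.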
There is a big difference in the security required for an account that is used to purchase $0.99 songs on iTunes and an account used to make four-figure purchases or to protect intimate photos intended only for the eyes of a friend or lover. The more services available using a particular set of credentials, the more attractive those credentials are for compromise or forgery. The security around Apple accounts has not kept pace with the growth of services that Apple provides.
To protect against being a victim of this attack, take the usual precautions against credit card fraud:
- Use a credit card rather than a debit card when shopping, so that if your card is compromised you don't also have to deal with an empty bank account.
- If it is available as an option, turn on two-factor authentication on all financial accounts.
- Check your credit card bill carefully for unexpected payments.
- Don't give your credit card number or social security number (even the last four digits) to anyone unless you are sure you are dealing with a reputable company.