Last week, a supposed Apple Pay security flaw received a great deal of press coverage. According to Aite Group analyst Julie Conroy, Apple Pay has seen fraudulent transaction rates of 6-8%. Yet, most experts agree that the problem is not with the Apple technology itself. “Apple Pay is great,” says Gartner distinguished analyst Avivah Litan. “It’s the bank processes for identity-proofing that are weak.”
In short, fraudsters are buying stolen credit cards and identities on the black market, and using them to provision cards on Apple Pay. It is up to banks to authenticate their own customers, and many have chosen to offer an option to verify over the phone by calling into a call center.
Fraudsters have found that they can socially engineer call center representatives to verify their stolen cards, leading to complete account takeover attacks. The financial institution call centers are the weak link in Apple Pay security. By targeting the call center, criminals are bypassing Apple Pay’s otherwise impressive security.
Who Are These Fraudsters?
Pindrop Security researchers are currently studying these Apple Pay fraudsters. Researchers have interviewed several financial institution customers, who report that the fraudsters speak without foreign accents, a common tip-off for phone fraud. Further analysis shows that phone numbers associated with the fraud scheme are in fact coming from within the United States, with transactions clustering in New York, Florida, and Texas.
These fraudulent callers have more data on their victims than just the stolen credit card number. They often have enough to pass Knowledge Based Authentication questions, though their data is sometimes stale or incorrect. Reporter Brian Krebs explains that the fraudsters’ use of card verification codes (CVVs) indicates that their data is coming from hacked online stores, rather than information stolen in recent point-of-sale (POS) attacks like those on Target and Home Depot.
Sophisticated Phone Channel Attacks
What is particularly interesting about these attacks is how quickly the fraudsters took advantage of a very small security flaw. In the case of Apple Pay, only a small percentage of users were prompted to verify by calling the call center. According to Apple’s support pages, Apple Pay looked at information like device location and iTunes transaction history to flag each newly uploaded card as Green, Yellow or Red. The majority of cards were classified as “green path” and provisioned immediately without referral to the card issuer. Those that were highly suspicious were classified as “red path” and declined. Only a small percentage of cards were marked “yellow” and sent to the card issuer for an approval decision. Card issuers used a variety of methods to authenticate a “yellow path” card, including text message codes and secure banking app downloads. Only a portion of the “yellow path” cardholders were asked to verify by calling a call center.
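To make the triage described above concrete from the issuer's side, here is an added illustration (not Apple's or Pindrop's code, and not a description of Apple's actual scoring): a toy provisioning policy that scores a card-add request from a few signals, sorts it into a green, yellow or red path, and then picks the issuer's step-up channel for yellow-path cards. The signal names, weights and thresholds are hypothetical. The one design point worth noticing is that the call center is the last-choice verifier and, when it is the only option, the policy requires controls that a purchased identity file cannot satisfy, rather than knowledge-based questions alone.

```python
from dataclasses import dataclass
from enum import Enum


class Path(Enum):
    GREEN = "green"    # provision immediately, no issuer referral
    YELLOW = "yellow"  # refer to the card issuer for step-up verification
    RED = "red"        # decline outright


@dataclass(frozen=True)
class ProvisionRequest:
    """Signals available at card-add time (hypothetical names, constructed)."""
    device_country: str           # where the phone reports itself to be
    billing_country: str          # country on the card's billing address
    account_age_days: int         # age of the wallet account adding the card
    purchase_history_months: int  # months of store purchase history on the account
    cards_added_last_24h: int     # velocity: cards provisioned on this device recently


# Hypothetical weights; a real scheme would tune these on labelled fraud data.
WEIGHTS = {
    "country_mismatch": 40,
    "new_account": 30,
    "thin_history": 20,
    "high_velocity": 40,
}


def risk_score(req: ProvisionRequest) -> int:
    """Sum the weights of every risk signal that fires for this request."""
    score = 0
    if req.device_country != req.billing_country:
        score += WEIGHTS["country_mismatch"]
    if req.account_age_days < 30:
        score += WEIGHTS["new_account"]
    if req.purchase_history_months < 3:
        score += WEIGHTS["thin_history"]
    if req.cards_added_last_24h >= 3:
        score += WEIGHTS["high_velocity"]
    return score


def classify(req: ProvisionRequest) -> Path:
    """Map the score onto the three paths (thresholds are hypothetical)."""
    score = risk_score(req)
    if score < 30:
        return Path.GREEN
    if score < 80:
        return Path.YELLOW
    return Path.RED


# Issuer-side step-up channels, strongest binding to the real cardholder first.
# The call center is last: a stolen identity file is often enough to pass KBA.
STEP_UP_ORDER = ("banking_app", "sms_otp", "call_center")


def step_up_plan(path: Path, issuer_channels: frozenset) -> dict:
    """Decide what the issuer does with a card on the given path."""
    if path is Path.GREEN:
        return {"action": "provision", "channel": None, "controls": []}
    if path is Path.RED:
        return {"action": "decline", "channel": None, "controls": []}
    for channel in STEP_UP_ORDER:
        if channel in issuer_channels:
            break
    else:
        # Yellow path with no usable verifier: fail closed rather than provision.
        return {"action": "decline", "channel": None, "controls": ["no_verifier"]}
    controls = ["verify_request_origin"]
    if channel == "call_center":
        # KBA alone is exactly what the attackers defeat, so require evidence the
        # caller holds the registered phone or device, not just the identity data.
        controls += ["callback_to_number_on_file", "otp_to_registered_device", "no_kba_only"]
    return {"action": "verify", "channel": channel, "controls": controls}


if __name__ == "__main__":
    # Constructed sample requests.
    for req in (
        ProvisionRequest("US", "US", 400, 24, 1),
        ProvisionRequest("US", "US", 10, 1, 1),
        ProvisionRequest("RO", "US", 5, 0, 4),
    ):
        path = classify(req)
        print(path.value, step_up_plan(path, frozenset({"sms_otp", "call_center"})))
```

Run as a script it prints the path and issuer plan for three constructed requests; the useful reading is that the yellow-path plan changes with the channels the issuer supports, and that a call-center-only issuer gets extra controls attached instead of a plain phone verification.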
Nonetheless, fraudsters quickly discovered this flaw and flocked to it. Apple Pay was introduced to the public in late October 2014. Less than two months later, reports began to emerge of skyrocketing fraud. Even as Apple Pay was being hailed as “the most secure payment platform on the planet,” fraudsters were turning their attention to its weakness: authentication over the phone channel.
The Apple Pay attacks reinforce what Pindrop engineers see every day at our customer sites. Fraudsters know more about your security and authentication procedures than even your call center reps. If there is a weak point in your security, no matter how small, fraudsters will learn about it and exploit it. Fast.