New fraud method abuses Apple Pay and Google Pay

Cybercriminals have found a new method to commit credit card fraud via contactless payment methods such as Apple Pay, Google Pay and Samsung Pay. Victims are hacked with malware in the process.

Criminals discuss in chat groups on Telegram how Apple Pay is now “the easiest way” to commit credit card fraud. So writes journalist Joseph Cox of Vice Motherboard, who has access to the chat groups.

Apple Pay and similar services are likely to be preferred because they allow contactless payment without a PIN. Once users have linked their payment cards, authentication via the phone’s PIN is enough – or via finger or face scan. And that method is also secure, until criminals manage to link someone else’s credit card to their own iPhone, as is the case here.

Fooling the controlsystem

The trick the criminals use is to fool the control system between the bank and the iPhone. This happens when the card owner receives a text message with a one-time code from the bank. That code must be entered to activate Apple Pay. But the owner of the card never receives the code: the malware captures the code and passes it on to the criminal. This usually happens unnoticed.

The malware used to capture such codes is traded for a lot of money via the aforementioned Telegram groups. It is a so-called bot: software that can perform a number of tasks independently and automatically.

Once hacked, the criminals mainly buy gift cards from the money. These can then be resold.

Fraud control does not see abuse

An additional disadvantage for victims is that the standard fraud detection of credit cards does not work when paying contactless via Apple Pay, Google Pay or Samsung Pay. If a credit card is used directly for a remarkably large purchase abroad, it is automatically blocked.

When making a payment from a smartphone, the bank or credit card issuer receives less information. This is generally positive for customer privacy, but does make fraud detection more difficult. Apple would not comment on Vice’s story. Google points to the “industry-standard verification processes” it uses, and Samsung also points to such checks being administered by banks and credit card companies.


We zijn even gesloten.


Beste Klant,

Onze winkel is gesloten van 15/07 t.e.m. 22/07. We zijn terug open vanaf Dinsdag 23/07.

Voor dringende zaken blijven we wel bereikbaar via mail op:

– Het ALLCORE-IT Team –

Inschrijven voor onze nieuwsbrief

* indicates required

Selecteer op welke manier we u mogen contacteren:

U kunt op ieder moment zich uitschrijven op onze emails door op de link te klikken in de voet van onze emails. Voor meer informatie omtrent privacy, bezoek onze website.

Wij gebruiken Mailchimp als ons marketing platform. Door onderaan op inschrijven te klikken stem je toe dat uw emailadres zal worden doorgegeven aan mailchimp om te verwerken. Lees hier meer over Mailchimp's verwerking van privacy data.