Cybercriminals have found a new method to commit credit card fraud via contactless payment methods such as Apple Pay, Google Pay and Samsung Pay. Victims are hacked with malware in the process.
Criminals discuss in chat groups on Telegram how Apple Pay is now “the easiest way” to commit credit card fraud. That is according to journalist Joseph Cox of Vice Motherboard, who has access to the chat groups.
Apple Pay and similar services are likely to be preferred because they allow contactless payment without a PIN. Once users have linked their payment cards, authentication via the phone’s PIN, or via a finger or face scan, is enough. That method is secure, until criminals manage to link someone else’s credit card to their own iPhone, as is the case here.
Fooling the control system
The trick the criminals use is to fool the control system between the bank and the iPhone. This happens at the point where the bank sends the card owner a text message with a one-time code. That code must be entered to activate Apple Pay. But the owner of the card never receives the code: the malware captures the code and passes it on to the criminal. This usually happens unnoticed.
The malware used to capture such codes is traded for a lot of money via the aforementioned Telegram groups. It is a so-called bot: software that can perform a number of tasks independently and automatically.
Once a victim has been hacked, the criminals mainly use the money to buy gift cards. These can then be resold.
Fraud control does not see abuse
An additional disadvantage for victims is that the standard fraud detection for credit cards does not work when paying contactless via Apple Pay, Google Pay or Samsung Pay. By contrast, if a credit card is used directly for a remarkably large purchase abroad, it is automatically blocked.
When making a payment from a smartphone, the bank or credit card issuer receives less information. This is generally positive for customer privacy, but does make fraud detection more difficult. Apple would not comment on Vice’s story. Google points to the “industry-standard verification processes” it uses, and Samsung also points to such checks being administered by banks and credit card companies.