Apple Pay Compromised by Authentication Hacks

Well, that didn’t take very long, did it? Only a few short months after its release, the team behind Apple Pay is already working to clean up a series of hacks that have rendered their premier mobile payment service vulnerable to hackers skilled in the art of social engineering.

Interestingly though, the hacks haven’t come through Apple’s security, but rather as an exploit of the methods that card vendors use to verify their customers’ information when it’s entered into the mobile system.

According to a study launched by the e-commerce and mobile payment strategy firm DROP Labs, somewhere in the range of about six percent of all cards being linked to Apple Pay accounts are fraudulent, cooked up by hackers who are using ill-gotten identification information to open accounts in other people’s names before charging up the funds to the limit.

After the limit is reached, they either dump the account, the phone, or both, having made off with thousands of dollars before the bank can react appropriately to the information as it feeds in on their end.

For now it seems that the cracked cards are exclusive to local, mid-tier banking institutions who don’t have the resources to protect themselves or their customers the same way that the big guys on Wall Street might.

As many of them still rely on over-the-phone verification methods, it’s easy for hackers to use social engineering techniques to trick the agents into divulging sensitive details about their customers, even going as far as verifying a new card on a phone that never belonged to their client in the first place.

“Some channels are just more secure than others,” the executive said. “For the call center, it’s important to let staff know there are certain triggers that callers say that let you know they might be trying to load a card on Apple that is counterfeit. So, we’ve been concentrating on training.”

Apple has been working with smaller banks to help coach them on what to look for when a hacker is attempting to use the system maliciously, though it’s a slow process that could take years before the employees in every call center is up to speed on the signals for a scam.

The analysts at DROP Labs say that the hackers are taking advantage of a system that’s been in place for years, but with the rise in Apple Pay-ready devices, they have found a whole new way to utilize data that used to require card counterfeiting machines to make any actual money for the organization in question.

With Apple Pay, all it takes is a simple phishing attack combined with a call to the company themselves in order to get a card activated on a phone. From there it’s a matter of spending as much as they can before getting caught, which is oftentimes enough to justify the cost of ditching a brand new iPhone 6 before moving onto the next one in a chain.

The report even suggests that the hackers would buy their next phone with the fraudulent cards, waiting for the moment it got shut down to simply hop to the next device and start the scheme all over again.