Apple Pay seems targeted by fraudsters


Motherboard reports on growing fraud using Apple Pay and other contactless payment systems. This fraud is part of a growing trend of automating end-runs around security protocols.

Criminals are abusing Apple Pay and other contactless payment systems to go on spending sprees with stolen credit and debit card numbers, according to a Motherboard review of various Telegram channels used by fraudsters. One fraudster said that Apple Pay is the "easiest way" to make money with a recently developed hacking tool available in the digital underground that focuses on stealing victims' multi-factor authentication tokens.

The scheme involves entering likely stolen credit card info into Apple Pay, then using bots to trick cardholders into approving the contactless setup. The bots contact cardholders while posing as their bank and trick them into entering a multi-factor authentication code. Once the code is processed, the attacker has full access to the card through Apple Pay.

It's speculated that the scheme is particularly effective because Apple Pay doesn't require verification such as security PINs or billing zip codes at the time of purchase. Also, Apple Pay's privacy features limit the sharing of transaction telemetry with banks, so the banks have less visibility for fraud triggers.

The bottom line is to always be wary of giving verification codes to anyone, especially codes that you did not just request yourself. This also further demonstrates the weakness of SMS verification: if someone already has your credit card info, they can likely also piece together a related phone number. Whenever possible, use app-based MFA rather than SMS.