Fraud cases across three prefectures involving Apple Pay exploit loophole: Sources

Fraud cases across three prefectures involving Apple Pay exploit loophole: Sources — The Mainichi — “Multiple fraud cases involving stolen credit card information via Apple’s iPhone payment system ‘Apple Pay’ occurred across Osaka, Kyoto and Saitama prefectures in late March this year, investigative sources have revealed… Apple Japan said it had confirmed the Saitama cases, and a source disclosed that after the incidents occurred, Apple reportedly gathered credit card issuing companies together and warned them to exercise caution.”

  • William Hugh Murray, CISSP

    As best I can tell the issuer is sending a one time password to the phone of record of their customer. They are being duped into changing that number from that of their customer to that of the perpetrators. We have also seen cases in which telcos have been duped into changing the association between a phone number and a SIM or device.

    To the extent that we rely upon text to phone for a control, we better be very careful about enrolling and changing those phone numbers. Consumers can help by ensuring that the numbers in their profiles are correct and that they are receiving the traffic intended for them.

    Note that postal mail and e-mail may be vulnerable to the same kind of attack.
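One way an issuer could act on the caution Murray calls for, as an added example that is not part of the article or of the comment above: a provisioning risk check that sends the one-time password straight to the phone of record only when that number is unique to the customer and was not changed inside a cooling-off window, holding the request for review when the number was changed recently through the call centre. The policy window, channel labels and sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy window (illustrative, not from the article or any issuer):
# a newly registered number is treated as unproven for this long.
COOLING_OFF = timedelta(days=7)

@dataclass
class PhoneChange:
    changed_at: datetime
    channel: str  # constructed labels: "call_centre" or "web_authenticated"

@dataclass
class Account:
    account_id: str
    otp_phone: str  # current phone of record for one-time passwords
    changes: list = field(default_factory=list)

@dataclass
class Decision:
    action: str  # "send_otp", "step_up" (verify via a second channel) or "hold"
    reason: str

def assess_provisioning(account: Account, all_accounts: list, now: datetime) -> Decision:
    """Decide how to verify a wallet card-provisioning request: the OTP goes straight
    to the phone of record only if that number is unique to this customer and was
    not changed inside the cooling-off window; a fresh call-centre change is held."""
    shared = [a for a in all_accounts
              if a.account_id != account.account_id and a.otp_phone == account.otp_phone]
    if shared:
        return Decision("hold", f"OTP number is also on file for {len(shared)} other account(s)")
    recent = [c for c in account.changes if now - c.changed_at < COOLING_OFF]
    if not recent:
        return Decision("send_otp", "phone of record unchanged within cooling-off window")
    if any(c.channel == "call_centre" for c in recent):
        return Decision("hold", "phone changed via call centre inside cooling-off window")
    return Decision("step_up", "phone changed recently; confirm through an independent channel")

def sample_decisions() -> dict:
    """Run the check over constructed sample accounts; returns {account_id: action}."""
    now = datetime(2017, 4, 1)
    accounts = [
        Account("A1", "+81-90-0000-0001"),
        Account("A2", "+81-90-0000-0002", [PhoneChange(now - timedelta(days=2), "call_centre")]),
        Account("A3", "+81-90-0000-0003", [PhoneChange(now - timedelta(days=1), "web_authenticated")]),
        Account("A4", "+81-90-0000-0004"),
        Account("A5", "+81-90-0000-0004"),  # same OTP number as A4
    ]
    return {a.account_id: assess_provisioning(a, accounts, now).action for a in accounts}
```

The "hold" outcome is where an analyst confirms the change with the customer through a channel other than the newly registered number before any card is provisioned.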