One fraudster even described Apple Pay as “the easiest way to make money” now that hackers have developed and distributed a tool designed to steal victims’ multi-factor authentication tokens.
Due to the simplicity of duping unwary customers into turning over their confirmation codes, criminals have realised that Apple Pay is one of the easiest ways to use stolen credit card information. Criminals are exploiting Apple Pay’s convenience and relative anonymity to “go on spending sprees with stolen credit and debit card details,” according to a recent investigation from Vice.
When you add a new credit or debit card to Apple Pay, the iPhone Wallet app walks you through a verification process to confirm that the card belongs to you. The banks manage this process entirely, so it can differ significantly depending on what company issued your card.
In many cases, this involves receiving a text message, phone call, or email with a confirmation code. The customer then enters that confirmation code directly into the Wallet app, and the card is activated for use. However, as Vice reports, criminals have taken to using bots specifically designed to steal these codes, making it nearly effortless for them to get cards activated on Apple Pay.
In audio of one bot call obtained by Motherboard, the bot pretended to be an automated system from PayPal that was helping to secure the victim’s account. In the call, the computerized voice said that “In order to secure your account, please enter the code we have sent your mobile device now.” (Vice)
Instead of calling a potential victim directly and trying to “social engineer” their code from them, these bots use text-to-speech scripts with a proven track record. For example, the bot might call up the victim with what appears to be an automated system from their bank, telling them that a problem has been detected with their account. The person is then asked to enter the code that the bank has sent to their mobile device via text message.
A bot like this would be used when the criminal adds a stolen card to Apple Pay that triggers a text message from the victim’s bank. The unsuspecting person receiving the call may assume that the text message was generated for another reason and supply the code without realizing that they’re giving away their credit card information.
This trick won’t work for all credit and debit cards since some banks use other verification methods that are considerably more secure. However, Vice found photos uploaded to Telegram by the bot administrators that showed that Wells Fargo and Chase cards could be successfully added to Apple Pay using these methods.
What makes this so appealing to crooks is that Apple Pay requires almost no additional verification at the point of sale. Physical credit and debit cards are much higher risk as they often require that the user enter a PIN into the terminal or hand the physical card over to a cashier who could check the name and become suspicious if it doesn’t match the person holding the card. They could then, in turn, ask to see identification.
None of this happens when using Apple Pay since, presumably, the iPhone’s Touch ID or Face ID authentication is sufficient to verify the transaction. The cashier doesn’t see a name, and in most cases, a signature or PIN is not required.
Unfortunately, as this report reveals, the weak link is the process by which a card is added to Apple Pay in the first place. A criminal who has obtained stolen credit card information must still go through the same process that a legitimate cardholder does to add that card to Apple Pay. Nobody has found a way to hack or bypass that process. This is purely what’s known as a “social engineering” attack: it relies entirely on deceiving potential victims into giving up their verification codes too easily. What makes it lucrative for the scammers — and dangerous for everyone else — is that these new automated bots allow hundreds of potential victims to be contacted more quickly and effortlessly than ever before.
Fortunately, there are a few simple steps you can take to protect yourself from such scams.
Don’t give
This kind of criminal activity also explains why Apple is ramping up its fraud protections in Apple Pay. Tracking details such as the location of transactions can ensure that even if a scammer does manage to get one of your payment cards added to their iPhone, it will quickly get flagged as fraudulent since it’s unlikely the thief will be using it anywhere near your current location.