NEW YORK (MainStreet) — When was the last time your landline phone rang? Quick now, because the wrong answer just may cost you big bucks.
Criminals, report multiple security experts, now are targeting little-used, perhaps even forgotten, phone numbers for use in hijacking Apple Pay in your name. It works like this. The criminal needs a credit card issued in your name and, to foil bank security, he also wants your phone number. That is because many financial institutions are using a phone call as an added security measure to validate that it is in fact you who wants to enroll a new Apple Pay card.
It also is shockingly easy for criminals to seize control of a phone number, in a heist called porting. All that usually is required is a call to a phone company. “I want to transfer my number.” Federal law guarantees number portability in many cases and, shazaam, your number now is a crook’s. “Illegally porting telephone numbers has been around for some time. Criminals are reusing the old technique to subvert Apple Pay’s device authentication mechanism,” said J. Wolfgang Goerlich, cyber security strategist with IT risk management company CBI.
So then the Apple Pay verification call comes into the ported phone number and, naturally, the criminal verifies that yes, indeed, he wants Apple Pay on that credit card.
That is game, set, match: your financial identity has now been stolen. “It’s a compounding of failure to authenticate users, by Apple, the bank, and the phone company,” said Patrick Nielsen, senior security researcher at Kaspersky Lab.
Understand: that is a complex, multi-step fraud involving more moving parts than is typical for cyber criminals. What it shows, said lawyer Steven Weisman, who blogs at Scamicide, is that criminals are focused on Apple Pay and they are hunting for “weak links.”
Similarly, a few months ago, there were many reports of criminals exploiting sloppy bank credit card enrollment procedures for Apple Pay. Apparently, many banks toughened the procedures by adding in a phone call - thus the criminal interest in phone numbers.
Note, however, that a well-placed source who insisted on anonymity reported that this phone porting gambit has not occurred with enough frequency to warrant significant concern within Apple or the nation’s biggest banks.
Nonetheless, Kaspersky’s Nielsen said he expected to keep seeing rising criminal interest in Apple Pay, mainly because it lets the crook do something that otherwise is difficult to do. Acquiring stolen credit card numbers is easy - literally hundreds of millions are for sale on online criminal bazaars. What is hard for many crooks is turning that number into a plastic credit card that is good enough to pass muster at retail.
Apple Pay lets the crook bypass the plastic card entirely. Apple Pay itself of course is accepted at retail, just by presenting an iPhone 6.
What can you do to protect yourself? For starters, test your phone numbers.
Beyond that, said Armando Orozco, senior malware intelligence analyst at Malwarebytes Labs, “be vigilant” about monitoring transactions.
“Consumers need to remember that they are their own best line of defense,” said Matt Schulz, senior industry analyst, CreditCards.com. “It’s imperative that they take the time, as often as possible, to keep an eye on their credit card accounts, checking accounts and credit reports. That is still the best way to protect yourself.”
Safeguards in federal law mean that, almost certainly, victims of this new Apple Pay fraud will personally incur no financial losses - but cleaning up such messes is never effortless. And the quicker a fraud is spotted, the more certain it is that a victim won’t have to pay this crooked piper.
—Written by Robert McGarvey for MainStreet