Vice Media’s Motherboard reported that hackers use underground bots to steal multifactor authentication codes. Apple Pay was the easiest to exploit, according to a fraudster.
An administrator for the Yahooze OTP bot claimed that a threat actor bought $20,000 worth of gift cards using a contactless payment system. Similarly, other threat actors used automatically linked cards to buy gift cards worth hundreds of dollars.
Chase and Wells Fargo cards were “visibly” linked to Apple Pay through a fraudulent process. Other scammers alleged that the bot could link stolen cards to Apple Pay, Google Play, and Samsung Pay services.
The scammer encouraged others to engage in spending sprees using automatically linked stolen card details, claiming it was possible to “spend as you please.”
Fraudster exposes alleged Apple Pay verification weaknesses
Motherboard obtained chats from one of the criminals’ Telegram channels with a fraudster claiming that Apple Pay was the easiest way to make money using a bot.
However, the Vice team could not determine why scammers seemingly preferred Apple Pay when linking stolen card details.
The team suggested that a fraudster does not require a physical card or PIN when adding a debit card to Apple Pay. Additionally, cashiers do not see the cardholder’s name or request identification when accepting Apple Pay. The ability for Apple users to conveniently make payments, including on Apple Watch, could have a hidden security cost.
Positive Technologies senior researcher Timur Yunusov claims that anti-fraud checks for contactless payments do not exist.
Yunusov told Motherboard that Apple does not check payment data but forwards it to Mastercard or Visa, with most information failing to reach the issuing bank. “If I suddenly enrol the U.S. card to Apple Pay somewhere in Thailand and go to the store and buy something for $10K, no one will even try to stop me,” he said. “I will likely be caught with some anti-fraud rules if I try doing the same with the regular card.”
Scammers use bots to collect multifactor authentication codes from potential victims
Fraudsters use bots that automatically place calls that trick victims into handing over their multifactor authentication codes.
Additionally, the bots assist in linking stolen credit cards to various contactless payment systems. Motherboard says the threat actors were selling access to these bots for hundreds of dollars for limited subscription periods or thousands for lifetime access.
The bots use a text-to-speech service to place a call to the victim’s phone, instructing them to enter the multifactor authentication code sent to their mobile device.
The process begins when the fraudster tries to log in to an online system such as PayPal, where the user has activated multifactor authentication. Similarly, Apple Pay might send verification codes to the owner when someone adds the card to its payment service.
The bots attempt to retrieve the user’s multifactor authentication codes using various pretexts, such as trying to protect the victim’s account from fraud.
According to Motherboard, the bot captures the multifactor authentication code when the user types it and relays it back to the fraudster through Telegram or Discord messages.
Motherboard says the bots have a similar modus operandi with minor changes when targeting financial services such as banks, online payment services such as PayPal, cryptocurrency accounts, and contactless payments.
The Motherboard team did not disclose how successfully the scammers obtained multifactor authentication codes from users. Many financial institutions have consumer awareness programs advising customers to avoid sharing multifactor authentication codes with third parties.
When contacted, Apple asserted that the responsibility to perform further verification of cards added to Apple Pay rested on the banks. Google said that cards added to digital wallets are “verified directly by issuing banks using industry-standard processes,” while financial services providers or card issuers manage the authentication process, according to Samsung.
“Malicious actors have a tough time using the credit card numbers they steal through Web and mobile attacks; the usual way is to sell those numbers in bulk through DarkNet markets or use them to acquire gift cards that can be redeemed for goods,” said Chris Olson, CEO at The Media Trust.
He added that mobile bots exposed by Vice provide scammers with yet another method of using stolen financial information.
However, Olson added that “it’s not the first time mobile payment features have been abused – through PayLeak-3PC, hackers were also able to initiate attacks directly through Apple Wallet.”
In 2017, a scammer used Apple Pay with stolen credit card numbers to buy luxury goods worth over $600,000.