PAY-2 · Mobile Threat Catalogue


Credit or debit card enrolled into mobile payment without cardholder authorization


Threat Category: NFC-based

ID: PAY-2

Threat Description:

Threat Origin

The Weak Link in Apple Pay’s Strong Chain is Bank Verification. Who’s to Blame? [1]

Exploit Examples

Not Applicable

CVE Examples

Not Applicable

Possible Countermeasures

Mobile Device User

To reduce the time to detection of unauthorized enrollment in mobile payment services, use credit monitoring services to watch credit card accounts for unauthorized changes.

To prevent an attacker from bypassing cardholder-to-bank authentication and enrolling the card, configure payment services to require multi-factor authentication when enrolling the user’s card into a mobile payment service.

Because one method of enrollment into Apple Pay requires the enrolling party to provide the card’s CVV, use strong physical security measures to prevent unauthorized disclosure of the CVV. See iOS Security: iOS 9.3 or later [2].

Follow general guidelines for protecting credit card information: when conducting online transactions or accessing banking sites, never open the URL from a link in an email or SMS/MMS message; always type the URL directly into the browser’s location bar.

Verify that the browser indicates the session is secured with HTTPS before authenticating to a banking site or making online payments to vendors.

To prevent attackers from obtaining authentication credentials or account details for payment systems, never access banking sites from public or untrusted systems, since these may be infected with malware designed to steal credentials or credit card information.

References

  1. M. Geuss, “The weak link in Apple Pay’s strong chain is bank verification. Who’s to blame?”, Ars Technica, 3 Mar. 2015; http://arstechnica.com/apple/2015/03/the-weak-link-in-apple-pays-strong-chain-is-bank-verification-whos-to-blame/ [accessed 8/24/2016].

  2. iOS Security: iOS 9.3 or later, white paper, Apple, 2016; www.apple.com/business/docs/iOS_Security_Guide.pdf [accessed 8/24/2016].