Cybercriminals Could Use iOS Vulnerability To Hack Apple Pay

Apple Pay could be hijacked by criminals using fake login page, Wandera warns

Apple’s new mobile payment service has suffered another hit with the uncovering of a possible security threat that could open users up to having their payment details stolen.

Researchers from mobile threat prevention firm Wandera have found that kits costing less than $100 could allow criminals to steal card details by luring users onto malicious Wi-Fi networks.

Upon joining the Wi-Fi network, users are confronted by a fake portal page, set up by the hackers, that mirrors the Apple Pay enrolment page and is then used to harvest card details for nefarious purposes.

Under threat?

“As Apple Pay is a relatively new technology, users – whether they are consumers shopping at department stores or enterprise employees paying at restaurants – aren’t yet completely familiar with the experience. This makes it more difficult for them to spot the difference between a fake card entry page and the genuine one,” says Eldar Tuvey, CEO of Wandera.

“Hackers can take advantage of users’ trust in their phones – making this a social engineering threat rather than an information security one. In this type of attack, only users’ ability to spot tiny differences can protect them.”

The company, which has reported its findings to Apple, is recommending that apps that accept credit card details, such as popular taxi services or digital wallets, investigate methods to positively identify themselves to users when requesting sensitive information, much as some online credit card services already do with personalised security phrases or images.

Wandera is also advising users who want to add credit card details to an app to always start from scratch in the app itself, and to use the camera to capture card details where that capability is available.

“The payments industry needs to look very closely at these social engineering threats and wherever possible, provide consumers with simple guidance to enable them to distinguish between fake and genuine requests for their sensitive information,” Tuvey added.

The news is another blow for Apple Pay following a survey released today showing that only a small proportion of leading retailers are planning to support the system.

A Reuters survey of a hundred top merchants in the US, the only market where Apple Pay is currently available, found that around two-thirds would not be offering the system at any time in 2015.

Of the companies that responded, fewer than a quarter said they currently accepted Apple Pay, and only four more said they planned to offer it in 2016.
