Criminals are abusing Apple Pay and other contactless payment systems to go on spending sprees with stolen credit and debit card numbers, according to a Motherboard review of various Telegram channels used by fraudsters. One fraudster said that Apple Pay is the “easiest way” to make money with a recently developed hacking tool available in the digital underground that focuses on stealing victims’ multi-factor authentication tokens.
Recently criminals have started using bots that automatically place phone calls to victims and trick people into handing over their multi-factor authentication codes. Now, various fraudsters selling access to these underground bots are highlighting a particular money making scheme: using the bots to link stolen credit cards to contactless payment systems like Apple, Samsung, and Google Pay and then buying items at the victim’s expense.
“$20k worth of Giffys,” an administrator for one of the bots, called Yahooze OTP, posted in their Telegram channel. “Giffys” refers to gift cards. An accompanying photo shows two large boxes seemingly containing the cards. The post adds that the user bought these cards by adding a bank card to Apple pay and “tapped,” meaning they used the contactless payment system to buy items.
This is the “Easiest way to make profit using bot,” the post adds.
Do you know anything else about Apple Pay fraud or the use of multi-factor authentication bots? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
In another flexing post, the administrator shared a screenshot of what they said was a customer buying another large cache of gift cards worth at least hundreds of dollars after they used the bot to link a bank card to a contactless payment system.
“Spend as you please,” the post adds. While some gift cards may be limited to buying items from a specific retailer, the photo also includes a photo of Visa prepaid cards the fraudster has seemingly bought, which can generally be used more widely.
Administrators of other bots have pointed to contactless payment systems as a way of generating profit from their bots. Another said their bot can be used for “Apple/Google Play CC [credit card] linking.” A third wrote that their bot can capture codes for “Apple Pay, Google Pay & Samsung Pay.”
The Telegram posts don't explain explicitly why fraudsters may see Apple Pay as a preferred option when using multi-factor authentication bypass bots. But when a scammer adds a debit card to Apple Pay, perhaps using stolen card details they've purchased online, the scammer does not require the card's PIN or the physical card itself to start spending the victim's money. The contactless payment system, in a way, bypasses the need for the PIN or the physical card by creating another avenue to use the stolen card details. When using Apple Pay, a cashier does not see the name that would be present on the physical card and doesn’t ask for identification from the buyer.
A screenshot of a review shared in a fraudster Telegram channel. Image: Motherboard.
“There are zero anti-fraud checks for these payments either,” Timur Yunusov, a senior security researcher at cybersecurity firm Positive Technologies told Motherboard in an email, though Wells Fargo, for instance, said that all the checks that exist for physical card payments also apply to contactless payments. Yunusov presented research at the Black Hat cybersecurity conference last year on his dive into how contactless payless systems worked and how they could be used for fraud.
“If I suddenly enroll the U.S. card to Apple Pay somewhere in Thailand and go to the store and buy something for $10k, no one will even try to stop me. I will likely be caught with some anti-fraud rules if I try doing the same with the regular card,” he added. (Last April the U.S. Treasury Department sanctioned Positive Technologies, describing it as “a Russian IT security firm that supports Russian Government clients, including the FSB.” Positive Technologies later said the sanctions did not have any significant impact on its business).
“Apple created an ideal payment scheme where they stay away from the payment data. They don't and can't check anything, only sending everything only to Visa/MC [Mastercard] tokenisation services. A lot of information just does not arrive at the issuing bank. And the issuing bank is in charge of all anti-fraud checks here,” Yunosov added.
Motherboard reported on the booming underground market for bots that steal your multi-factor authentication codes in November. The bots can cost hundreds for a subscription to their service or thousands of dollars for lifetime access. Generally they work by using text-to-speech and other services to place a call to a target. In audio of one bot call obtained by Motherboard, the bot pretended to be an automated system from PayPal that was helping to secure the victim’s account. In the call, the computerized voice said that “In order to secure your account, please enter the code we have sent your mobile device now.”
One of the photos shared in a fraudster Telegram channel. Image: Motherboard.
In a real hack, the fraudster would make PayPal send the target their real multi-factor authentication code, perhaps by trying to log into the account. If the victim was convinced by the bot, they would then type that code into their phone during the call, and the bot would automatically send it back to the hacker in a Telegram or Discord message. Armed with that information, the fraudster could then log into the victim’s account.
The bots appear to work largely the same way across the different targeted services, such as cryptocurrency accounts, banks, or in these recently highlighted cases, contactless payment systems, with likely just a slight change in script for the automated voice.
When a user adds their bank card to Apple Pay, the user’s bank may perform an additional verification check. This might be in the form of a text message, phone call, email, or by downloading another app, according to Apple’s website. This is where the bots step in: they are designed to siphon that verification code.
In photos uploaded to Telegram by the bot administrators, fraudsters appear to have added cards from Wells Fargo and Chase to Apple Pay.
“‘Chase Debit Card’ is ready for Apple Pay,” one notification included in a photo reads.
One of the photos shared in a fraudster Telegram channel. Image: Motherboard.
Apple did not provide a statement when Motherboard told the company that a fraudster had said Apple Pay was "easiest way to make profit using [a] bot." Apple pointed to a series of pages on its website on how it is the bank’s responsibility to perform further verification of cards as they are added to Apple Pay, and another that suggested Apple customers be on the lookout for phishing messages and phony support calls.
A Google spokesperson told Motherboard in an email that “Cards added to digital wallets such as Google Pay are verified directly by issuing banks using industry-standard processes.” A Samsung spokesperson wrote in an email that “Authentication processes are managed by the financial service provider or card issuer.”
A Chase spokesperson told Motherboard in an email that “Behind the scenes, we use a variety of techniques to monitor and prevent fraud. If customers notice a suspicious charge, they should contact us immediately by calling the number at the back of their card, disputing the charge from within our mobile app or website or by visiting their local branch.”
A Wells Fargo spokesperson told Motherboard in an email that once a customer adds a card to Apple Pay or similar systems, “all the active and passive fraud capabilities that evaluate physical card transactions also monitor the contactless transactions from a digital wallet.”
“We advise our customers that Wells Fargo will never call or text you for this 2FA code so it shouldn’t be shared with anyone else,” she added. She also said that Wells Fargo customers won’t be held responsible for unauthorized transactions “as long as they’re reported promptly.”