Tag Archives: p.f. chang’s

Pros and Cons of ApplePay Security

ApplePay, the mobile payments service introduced by Apple in October 2014, could ultimately set the security and privacy benchmarks for digital wallets much higher.

Even so, the hunt for security holes and privacy gaps in Apple’s new digital wallet has commenced. It won’t take long for both white hat researchers and well-funded criminal hackers to uncover weaknesses that neither Apple nor its banking industry partners thought of.

Here’s ThirdCertainty’s breakdown of the security and privacy issues stirred by Apple’s bold move into the digital wallet business.

ApplePay defined

Available on the iPhone 6 and Apple Watch, ApplePay stores account numbers on a dedicated chip. Apple refers to this chip as the “secure element” only available n the iPhone 6 and iPhone 6 plus. It is on this chip that your financial information is stored. It is only accessed when a random 16-digit number gets generated for a given transaction, and the number never makes it to the phone’s software, where hackers could reach it.

The devices then use near field communication (NFC) to send a simple token, instead of the full account number, to the merchant’s NFC-enabled point-of-sale register.

“This allows an ultra secure payment,” says Anthony Antolino, business development officer at Eyelock, a biometrics technology vendor. “The only remaining concern is keeping the smart phone under your control.”

Apple tightens down who can control each device by integrating itsTouch ID fingerprint scanner and its Passbook ticket-buying app into ApplePay. This new approach keeps personal information on the device – instead of moving account data into storage servers within easy reach of thieves. The hacks of big merchants in the U.S. and Europe, including Home Depot, Target, P.F. Chang’s and Neiman Marcus, show how adept data thieves have become at attacking stored data.

How ApplePay improves security

ApplePay validates a “data-centric security model,” argues Mark Bower, product management vice president at Voltage Security.

“The payments world needs to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data,” Bower says. “Tokenized payments reduce the risk of data breaches and credit card theft.”

Mathew Rowley, technical director at security consultancy NCC Group, observes that the U.S. payment card industry continues to require minimal security checks in authorizing credit and debit card purchases.

“Things like chip-and-PIN and two-factor credit cards have been implemented in other countries, but the U.S. seems to be behind the curve,” Rowley says. “Any additional logic built into the process of making payments will make it more secure.”

How ApplePay introduces new risks

Adding a mobile wallet function to the latest iPhone gives criminal hackers more incentive and opportunity to find fresh vulnerabilities, says Mike Park, managing consultant at Trustwave.

“Any new additions and functionality to a platform, even ones meant to enhance security, can expand the attack surface,” Park says. “With the introduction of this type of functionality into a platform, this makes every device a possible target.”

The more popular ApplePay becomes, the more likely cybercriminals will devote resources to cracking in. Research from legit sources already is available showing how to hack into NFC systems — for instance this 2012 report from Accuvant reseacher Charlie Miller.

It’s probable that elite criminal hackers “are looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now,” Park says.

One simple crime would be to target Apple devices for physical theft. Another is to figure out how to remotely access and manipulate ApplePay accounts. “The weakest link is the consumer,” says Alisdair Faulkner, chief products officer at ThreatMetrix. “And ultimately a web page with a username and login, like iCloud, now has an unprecedented amount of information about you backed up into the cloud.”

Pushing payments to mobile devices makes Internet cloud services more complex – and complexity creates vulnerabilities.

“In the past, the only participants were the merchant, the merchant’s bank and your personal bank,” says Richard Moulds, vice president of product strategy at Thales e-Security. “Apple is stating that they will not know the details of individual transactions, which is very important; however, there is clearly the risk of attacks on the phone itself.”

How Stolen Credit-Card Data Is Used

Reports of high-profile data breaches have been hard to miss over the past year. Most recently, it was a breach involving 56 million customers’ personal and credit card information at Home Depot.

This is just the latest volley in a wave of sophisticated electronic thefts including Target, Neiman Marcus, Michael’s, P.F. Chang’s and Supervalu. Much like in the other attacks, the suspected culprit in the Home Depot data breach is a type of malware called a RAM scraper that effectively steals card data while it’s briefly unencrypted at the point of sale (POS) to authorize a transaction.  Reports of this type of attack have become increasingly common in the months since the Target breach.

Whether the cause is a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, a phishing attack storing customers’ card information insecurely, the result is the same: Credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?

The Basic Process: The journey from initial credit card data theft to fraudulent use of that data to steal goods from other retailers involves multiple layers of transactions. The actual thief taking the card numbers from the victim business’ POS or database doesn’t use it him or herself.

First, a hacker – or a team of them – steals the credit card data electronically. Most of these schemes begin in Russia or other parts of Eastern Europe, and much of what you might call the “carding trade” is centered there.

Next, brokers (also referred to as “re-sellers”) buy the stolen card numbers and related information in bulk and trade them in online carding forums. A hacker may also sell the card data directly to keep more of the profits, though that’s riskier and more time-consuming than using a broker. These exchanges are found on the dark net (aka the dark web). That’s a part of the Internet you won’t find through Google, where all manner of illegal and unsavory things can take place. Online prices vary depending on:

  • The type of card,
  • Credit limit (if known),
  • How much additional data is available (CVV codes from the backs of cards and associated Zip codes make stolen cards more valuable),
  • The card owner’s geographic location (a fake card used in the vicinity of the legitimate card holder is less likely to raise suspicion), and
  • How recently the cards began appearing in the carding forums (which relates to the likelihood of card cancellation).

Prices for the individual cards have come down significantly in the past few years because of the sheer amount of records available, though brokers can still do quite well from bulk sales of card data. Despite being on the dark web, many of the brokers conduct themselves like regular online businesses and will provide replacements or the equivalent of store credit if cards purchased from them don’t work.

The people who buy the card data from the brokers are called “carders.” Once the carders have the stolen card data, there are at least two distinct variations on the scam:

1) Physical, in-store purchases using fake credit cards.

2) Stolen card numbers used to charge pre-paid credit cards that are, in turn, used to purchase store-specific gift cards (which are less suspicious than general gift cards). Purchases are made online.

Variant 1 (“Mystery Shopper”): This variation starts with carders printing up the fake credit cards for use in stores. Once they have the stolen card data, the equipment needed to make the fake cards isn’t that expensive. The carder then usually works with one or more recruiters to find people to use the fake cards (though a carder may do the recruiting himself). The enticement to get people to use the fake cards will generally be in the form of email spam and ads in Craigslist or similar sites offering easy money to be a “mystery shopper” or “secret shopper” as part of a “marketing study” or some other semi-plausible justification.

Not surprisingly, the items purchased tend to have high resale value. After the physical purchases are made, the “mystery shopper” can either send items to the recruiter/carder (generally via a secure drop site like a vacant office) or directly to someone who has “purchased” an item via an auction site in response to a posting from the recruiter/carder. If sent straight to the carder, she then auctions the items directly on eBay, Craigslist or an underground forum on the dark web.

The people who actually make the purchases with the fake cards may have no clue what they’re involved in (though sometimes they’re active participants in the scheme or simply low-level criminals looking to use the cards for themselves). They are effectively the “drug mules” of the credit card scam, taking the most risk and getting paid the least.

You’ve probably seen one step retailers take to try and stop in-person card fraud. On a counterfeit credit card, the numbers on the magnetic strip and the front of the card generally don’t match — it’s too expensive to create individual fakes. Some retailers have their personnel type in the last four digits on the physical card into the register after the card is swiped. If the numbers don’t match, the card is rejected as a fake.

Variant 2 (“Re-shipping”): Rather than making physical cards, in this variation carders use the stolen card data to purchase pre-paid credit cards that are then used to buy store-specific gift cards (Amazon, Best Buy, etc.). As with the “mystery shopper” scheme, recruiters typically use ads and spam emails to entice people, though this time it’s people (especially in the U.S.) seeing “work from home” promises. Sometimes, the recruiters will employ a more personalized approach, even going so far as to start a fake “relationship” with the intended target. Then — wait, there’s more — the gift cards are used to purchase items online, and those items are shipped to the people responding to the ads, spam or “relationship” overtures. That’s where the “work from home” angle comes in.

The people initially receiving the packages directly from an online retailer are called “re-shippers.” People in the U.S. are used because U.S.-based addresses raise fewer red flags with the retailers. Like the “mystery shoppers,” the re-shippers are the drug mules here (and they are sometimes referred to as  “money mules” or “shipping mules”). And, as with the “mystery shopper” scheme, re-shippers can either send items to the recruiter/carder or directly to someone who has “purchased” the item through an auction site.

While this may sound a little convoluted, the shell game-like nature of using one card to buy another and then another makes it more difficult for stores to catch onto this scheme before the purchase has already been made and shipped out.  After that, it’s generally too late.