Wandera recently announced that it has uncovered a way in which users of the Apple Pay service can be manipulated by hackers into handing over their credit card information, putting those details at risk of theft.

Using inexpensive (less than $100) and readily-available, portable equipment in a laboratory setting, Wandera’s security researchers have identified a social engineering method in which hackers can inject a fake captive portal page which pops up and imitates the Apple Pay enrolment process, prompting the user to enter their credit card details. These details, including the security code, can then be easily harvested and used for fraudulent purposes.
As Apple Pay is a relatively new technology, users – whether they are consumers shopping at department stores or enterprise employees paying at restaurants – aren’t yet completely familiar with the experience. This makes it more difficult for them to spot the difference between a fake card entry page and the genuine one. Hackers can take advantage of users’ trust in their phones – making this a social engineering threat rather than an information security one. In this type of attack, only users’ ability to spot tiny differences can protect them.

A genuine (left) and fake (right) Apple Pay credit card detail request page
Apple Pay is the most popular mobile payment system in the United States, accounting for $2 out of every $3 spent through contactless payments. As a result of this high usage, it is likely that Apple Pay is a prime target for hackers.
With over 700,000 locations that already take Apple Pay in the US, hackers are likely to be targeting shopping malls where there are high numbers of Apple Pay-compatible vendors and consumers using the payment service. In high footfall locations, even a very small ratio of success will yield a large number of valuable credit card numbers. It’s all so easy for them. Using readily-available technology, which they may be discreetly carrying about their person, hackers can for the first time focus their efforts where their victims are at their most susceptible – at the checkout.
Our lab tests suggest that all users of Apple Pay on devices with Wi-Fi services enabled are susceptible to this type of attack. Equally, a wide variety of other apps and services that users expect to request credit card details can also be vulnerable. When we widened our investigation to other devices and to Google Wallet, our security researchers found that Android devices actively require users to acknowledge a captive portal, whereas on iOS, acknowledgement is not required. Furthermore, they believe that hackers would find it somewhat harder to successfully imitate the card entry pages on Google Wallet due to their greater complexity.
The payments industry needs to look very closely at these social engineering threats and wherever possible, provide consumers with simple guidance to enable them to distinguish between fake and genuine requests for their sensitive information.
There are several precautions that can be taken to protect users from such attacks:

  • Applications that accept credit card details, such as popular taxi services or digital wallets, should investigate methods to positively identify themselves to users when requesting sensitive information. Some online credit card services already do this in the form of personalized security phrases or images.
  • Smartphone operating systems should consider adopting a secure warning when displaying captive portal pages to users, so that users exercise caution.
  • When adding credit card details to an app, users are advised to always go via the app from scratch and to use the camera to capture card details where that capability is available.

Wandera reported the issue to Apple per its responsible disclosure process.

The threat in detail

NB – As the attack method is still viable, we have decided not to provide too many relevant details, so that iPhone users are not put at any greater risk.
Using common Wi-Fi exploits and an easily available Wi-Fi device, a hacker can have a victim’s iPhone automatically join their malicious network, unbeknownst to the victim.
Since the malicious network does not provide the victim with Internet access, the iPhone will not display the usual Wi-Fi icon in the top left corner. The victim is therefore unaware that they are connected to the hacker’s external Wi-Fi device.
The hacker can then utilise the captive portal functionality on the user’s iPhone (captive portals are a well-recognised part of day-to-day use of connected devices, such as when connecting to legitimate Wi-Fi hotspots at hotels or transport hubs) and inject a fake captive portal page that can be made to look almost identical to the genuine Apple Pay card details entry screen. The fake captive portal page is displayed on top of any app or service without any user interaction.
Any unsuspecting users who enter their card details can have those details (name, card number, expiry and security code) harvested in real time with every keystroke.