The personal banking details of Apple Pay users could be compromised by fraudsters using equipment that is easy to get hold of and costs less than £65.
The potential social engineering attack was created in a lab by security supplier Wandera, which revealed the method that enables hackers to create a fake page that pops up on a user’s phone requesting details, including the security code.
Wandera said a hacker can have a victim’s iPhone automatically join their malicious network, unknown to the victim, by using common Wi-Fi exploits and an easily available Wi-Fi device. Because the attack method is still viable, the firm has not provided too much detail.
“Since the malicious network does not provide the victim with internet access, the iPhone will not display the usual Wi-Fi icon in the top-left corner. The victim is therefore unaware that they are connected to the hacker’s external Wi-Fi device," said Wandera.
The hacker can then use the captive portal functionality – a well-recognised part of everyday use of a connected device, such as when connecting to legitimate Wi-Fi hotspots at hotels or transport hubs – on the user’s iPhone and inject a fake captive portal page that can be made to look almost identical to the genuine Apple Pay card details entry screen.
According to Wandera, the fake captive portal page is displayed on top of any app or service without any user interaction. Users that enter card details can have those details harvested in real time with every keystroke.
“As Apple Pay is a relatively new technology, users – whether they are consumers shopping at department stores or enterprise employees paying at restaurants – aren’t yet completely familiar with the experience. This makes it more difficult for them to spot the difference between a fake card entry page and the genuine one,” said Wandera CEO Eldar Tuvey.
Read more about Apple Pay
“Hackers can take advantage of users’ trust in their phones – making this a social engineering threat rather than an information security one. In this type of attack, only users’ ability to spot tiny differences can protect them.”
Apple Pay is a prime target for hackers because of its popularity and high adoption rates, said Tuvey. “In high footfall locations, even a very small ratio of success will yield a large number of valuable credit card numbers," he said.
"It’s all so easy for them. Using readily available technology, which they may be discretely carrying about their person, hackers can for the first time focus their efforts where their victims are at their most susceptible – at the checkout.”
However, Android devices do not have the same problem, added Tuvey. “When we widened our investigation to other devices and to Google Wallet, our security researchers found that Android devices actively require users to acknowledge a captive portal, whereas on iOS, acknowledgement is not required," he said.
"Furthermore, they believe that hackers would find it somewhat harder to successfully imitate the card entry pages on Google Wallet due to their greater complexity.”