Cybercriminals Could Use iOS Vulnerability To Hack Apple Pay

Apple’s new mobile payment service has suffered another hit with the uncovering of a possible security threat that could open users up to having their payment details stolen.

Researchers from mobile threat prevention firm Wandera have found that kits costing less than $100 could allow criminals to steal card details by luring users onto malicious Wi-Fi networks.

Upon joining the Wi-Fi network, users are confronted by a fake portal page, set up by the hackers, that mirrors the Apple Pay enrolment page and is then used to harvest card details for nefarious purposes.

Under threat?

“As Apple Pay is a relatively new technology, users – whether they are consumers shopping at department stores or enterprise employees paying at restaurants – aren’t yet completely familiar with the experience. This makes it more difficult for them to spot the difference between a fake card entry page and the genuine one,” says Eldar Tuvey, CEO of Wandera.

“Hackers can take advantage of users’ trust in their phones – making this a social engineering threat rather than an information security one. In this type of attack, only users’ ability to spot tiny differences can protect them.”

The company, which has reported its findings to Apple, is recommending that apps that accept credit card details, such as popular taxi services or digital wallets, should now investigate methods to positively identify themselves to users when requesting sensitive information, much as some online credit card services already do with personalised security phrases or images.

Wandera is also advising users looking to add credit card details to an app to always go via the app from scratch and to use the camera to capture card details where that capability is available.

“The payments industry needs to look very closely at these social engineering threats and wherever possible, provide consumers with simple guidance to enable them to distinguish between fake and genuine requests for their sensitive information,” Tuvey added.

The news is another blow for Apple Pay following a survey released today showing that only a small proportion of leading retailers are planning to support the system.

In a survey of a hundred top merchants in the US, the only market where Apple Pay is currently available, Reuters found that around two-thirds would not be providing the system any time in 2015.

Of the companies that responded, fewer than a quarter said they currently accepted Apple Pay, and only four more said they planned to offer it in 2016.

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.
