Hackers gained access to Apple Pay to carry out fraudulent activities by using users’ logins and passwords from their mobile and internet banking.
They used Kykyryza (Corn) cards to steal money from users’ bank accounts. Corn cards are prepaid payment Mastercards, issued by Svyaznoy/Euroset. It is used by many in Russia to make payments and transfer money. Manufactured by NovaCard, it provides customers with bonus points when used to make purchases. It, as a result, attracts online activity.
Victims of the fraud noticed that shortly after connecting their card to Apple Pay, they received a text message confirming the connection. In the meantime, hackers withdrew funds to a Tele2 number. Hackers attempted to login into Apple Pay with credentials obtained from a social service. Users who used the same credentials for their online banking accounts found money missing from their accounts shortly after. The attack affected 83 cardholders with a total of 2 million rubles (around £24,285) stolen. If authentication controls were in place such as device authentication (also known as endpoint authentication), it would minimize the risk of this happening. Device authentication is becoming more popular as a security mechanism by organizations authenticating their users.
Users alerted Bank.ru to the fraud by sending complaints from the 2nd May. Euroset further noted that the level of failed password attempts into the Corn accounts rose dramatically from the 1st May, indicating when the attacks started.
Euroset’s response to the attacks
Euroset has since resolved the problem, and the affected cardholders have received their money back. It further noted that new controls were since in place to deter further incidents taking place. Actions taken include stepping up monitoring procedures, resetting client passwords and adding two-factor authentication for Apple Pay connections.
It comes at a time when there is a rise in using Apple Pay for fraudulent activities. Assistant United States attorney Marie Dalton mentioned to Forbes in March that the reasons for this include the ability to use Apple Pay and purchase goods because of the weak authorization procedures. Banks need to do more to ensure that security is in place to connect banking cards with Apple Pay.
Let us know your thoughts in the comments section.