An Examination of the Security Threats Posed to a Mobile Wallet Infrastructure
Introduction
It is essential to keep in mind that using a mobile wallet involves the entire payment infrastructure behind it, and each component of that infrastructure brings its own security issues and vulnerabilities. Our last article began to examine these major components and the threats to them.
In this article, we complete that review with the last two components of the mobile wallet infrastructure and their associated security vulnerabilities, and then examine the security weaknesses of the most widely used mobile wallet, Apple Pay.
Security Threats to Mobile Wallet Infrastructure – Continued
The remaining sub-components of the mobile wallet infrastructure are the credit card issuer and the mobile payment application provider.
From the perspective of the credit card issuer:
This is the entity that issues and distributes the credit card to the end user. From its point of view, a number of security breaches can occur:
- Threat to, or potential failure of, the payment authorization process:
This is one of the oldest classes of threat that credit card issuers have had to defend against. Cyber attackers have long tried to compromise the central servers on which fraud controls are implemented. A newer variation is the attacker who, rather than making a purchase directly, tries to raise the credit or spending limit on a card that has already been authorized for mobile wallet transactions, so that the fraudulent transactions that follow clear without tripping a limit.
- Capture of the real credit card holder's information and data:
Like the previous threat, this one has been around for a long time. As the name suggests, the objective is to capture the cardholder's confidential information: not only the card number itself but also personal identifiers such as the cardholder's social security number. This can be achieved through covert social engineering or through what are known as “Advanced Persistent Threats” (APTs) against the issuer. In the latter case the primary target is the encryption keys that protect the sensitive data held on the issuer's central servers, since whoever holds those keys can decrypt everything they protect.
- Payment fraud: This occurs when a cyber attacker takes possession of an end user's mobile wallet credentials and uses them to make unauthorized transactions, much like conventional credit card fraud. Tokenization (described in the first Mobile Wallet article) makes this harder, because the token that replaces the card number in the wallet is only useful together with a fresh cryptogram generated on the device; even so, the risk remains real as the sophistication of the cyber attacker continues to increase.
From the perspective of mobile app payment providers:
This is the entity that builds the mobile wallet app itself. As mentioned, this app is what is downloaded to the end user's smartphone, and the card number is entered into it; a process is then initiated to confirm the identity of the end user. From this perspective there are also several security threats and vulnerabilities, including:
- Compromise of the user profile:
This type of attack typically occurs during the authentication process just described. For example, a cyber attacker who registers a stolen credit card with Google Wallet or Apple Pay may from there gain access to the user profile of the real cardholder and manipulate any of that end user's confidential information.
- Direct access to the token creation service:
As previously described, token creation is usually outsourced to an independent third party, although a mobile payment app provider can also run this service inside its own infrastructure. Wherever it lives, the token service is a prime target for a sophisticated attacker: it holds the mapping between tokens and real card numbers and the keys used to generate, encrypt and decrypt tokens, so compromising it lets the attacker tamper with those processes and undermine the integrity and availability of the tokens themselves.
- Traditional DDoS attacks:
It was once assumed that an attacker would only target servers in order to knock them offline. DDoS attacks can now be aimed virtually anywhere, including at the mobile wallet infrastructure. Here the objective is to overwhelm the mobile payment app provider's servers so that mobile wallet payments are disrupted and cannot be processed.
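To make the tokenization and token-service points above concrete, here is an added example (mine, not code from the article or from any wallet provider or token service) that models a toy token service provider, a wallet holding a device token and its key, and the authorization check run against it. The class and function names, the HMAC-based cryptogram standing in for an EMV-style cryptogram, and the sample PAN are all assumptions. It shows why a captured token alone cannot be replayed or reused (the payment fraud point) and what changes when the token service itself is compromised (the direct access point).

```python
import hashlib
import hmac
import os
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check, as applied to real PANs and to tokens that travel the same payment rails."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, not counting the check digit, is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost body digit sits next to the check digit, so it is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_cryptogram(key: bytes, token: str, counter: int, amount_cents: int) -> bytes:
    """Per-transaction cryptogram over token, transaction counter and amount.
    Assumption: an HMAC stands in for the EMV-style cryptogram a secure element produces."""
    return hmac.new(key, f"{token}|{counter}|{amount_cents}".encode(), hashlib.sha256).digest()


class TokenServiceProvider:
    """Toy token vault. A real TSP keeps the token-to-PAN mapping and keys inside HSMs;
    a plain dict is used here so the trust boundary is visible."""

    def __init__(self) -> None:
        self._vault = {}

    def provision(self, pan: str, device_id: str):
        """Issue a device-bound token and its key; the PAN itself never leaves the vault."""
        body = "4" + "".join(secrets.choice("0123456789") for _ in range(14))
        token = body + luhn_check_digit(body)
        key = os.urandom(32)
        self._vault[token] = {"pan": pan, "device": device_id, "key": key, "ctr": 0}
        return token, key

    def authorize(self, token: str, counter: int, amount_cents: int, cryptogram: bytes) -> bool:
        rec = self._vault.get(token)
        if rec is None:
            return False
        if counter <= rec["ctr"]:
            return False  # replayed or stale message
        expected = make_cryptogram(rec["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # token is known but the cryptogram was not made with its key
        rec["ctr"] = counter
        return True

    def leak_vault(self):
        """Models the article's 'direct access to token creation services' compromise."""
        return self._vault


class Wallet:
    """Models the secure element on the handset: holds the token and its key, never the PAN."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self._key, self.ctr = token, key, 0

    def pay(self, amount_cents: int):
        self.ctr += 1
        return self.token, self.ctr, amount_cents, make_cryptogram(self._key, self.token, self.ctr, amount_cents)


def run_scenarios() -> dict:
    """Four situations a practitioner should be able to tell apart; returns which were accepted."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token, key = tsp.provision(pan, device_id="iphone-A")
    wallet = Wallet(token, key)
    results = {}

    purchase = wallet.pay(1999)
    results["legitimate_payment"] = tsp.authorize(*purchase)
    results["replay_rejected"] = not tsp.authorize(*purchase)  # counter already consumed
    forged = make_cryptogram(os.urandom(32), token, 99, 1999)  # attacker has the token, not the key
    results["stolen_token_alone_rejected"] = not tsp.authorize(token, 99, 1999, forged)
    rec = tsp.leak_vault()[token]  # attacker inside the token service
    forged = make_cryptogram(rec["key"], token, 100, 50000)
    results["vault_compromise_accepted"] = tsp.authorize(token, 100, 50000, forged)
    results["pan_exposed_by_vault"] = rec["pan"] == pan
    results["token_is_luhn_valid"] = luhn_valid(token)
    return results
```

The first three scenarios are what tokenization buys: the merchant, the network and anyone sniffing the terminal see only a token plus a one-time cryptogram, and a replay or a forgery without the key is rejected. The fourth is the article's token-service threat: once the vault is readable, both the keys and the real card numbers are in the attacker's hands, which is why that service deserves HSM-backed keys and the tightest access control in the whole chain.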
Using stolen credit cards:
When the previous article walked through how an end user signs up for Apple Pay, one big assumption was made: that the end user adds their own authorized and verified card, not a stolen one. Stolen card numbers are easy to come by for an attacker who knows their way around the “dark web”; it has been claimed that they sell there for up to $2.00 each. The problem then becomes entering the stolen card number into an iPhone, together with the phone number of the person the card belongs to. This form of identity theft has been labelled specifically as “provisioning” fraud.

There is no doubt that it is easy for a cyber attacker to enter a stolen credit card number. Although Apple Pay confirms the identity of the end user when they sign in to the iPhone, it does not confirm that the end user owns the card when they enter its number. In other words, a person can be the legitimate owner of the iPhone and still “own” a stolen credit card number without being questioned when entering it into Apple Pay. The main reason is that Apple does not validate the credit card number itself (although it encrypts it and replaces it with a token once it has been processed); instead, it leaves that task to the issuing banks. These banks do have specialized fraud prevention protocols in place, which essentially check for anomalies, but the algorithms behind those protocols need to be completely redesigned and fine-tuned to keep pace with the ever-increasing sophistication of the cyber attacker. The critical question is, where exactly in the Apple Pay card confirmation process does this fraudulent activity begin?
It begins when the issuing bank receives the card details along with information about the iTunes account, the general location of the end user, and any links to the mobile banking applications installed on that iPhone. Because the issuing banks' checks on this data are outdated, a cyber attacker needs only to control what is transmitted from Apple Pay to the issuing bank: acquire a new iPhone, enter the stolen card details, and covertly obtain the phone number of the person the stolen card belongs to.
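As an added example (not code from the article, from Apple or from any issuer), here is an issuer-side provisioning check built on the signals the article says the issuing bank receives: card details, wallet account information, approximate device location and whether the issuer's own banking app is present on the device. The field names, weights and thresholds are assumptions for illustration; the point is that a stolen card number entered on a fresh device with a young wallet account looks very different from a cardholder adding their own card, and the anomaly check should say so before the token is issued.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProvisioningRequest:
    """What the issuer sees when a card is added to a wallet. Field names are this
    example's assumptions, modelled on the data the article lists (account details,
    approximate device location, presence of the issuer's own banking app)."""
    card_last4: str
    billing_country: str
    device_country: str
    wallet_account_age_days: int
    cards_added_to_device_30d: int
    bank_app_authenticated_on_device: bool
    device_previously_used_with_card: bool


def score_provisioning(req):
    """Return (decision, reasons). 'green' = approve silently, 'yellow' = approve only after
    step-up verification, 'red' = decline. Weights and thresholds are illustrative only."""
    score, reasons = 0, []
    if req.billing_country != req.device_country:
        score += 40
        reasons.append("device country differs from billing country")
    if req.wallet_account_age_days < 30:
        score += 25
        reasons.append("wallet account is younger than 30 days")
    if req.cards_added_to_device_30d >= 3:
        score += 30
        reasons.append(f"{req.cards_added_to_device_30d} cards added to this device in 30 days")
    if not req.device_previously_used_with_card:
        score += 15
        reasons.append("card never seen from this device before")
    if req.bank_app_authenticated_on_device:
        score -= 30  # the cardholder has already proven themselves to the issuer on this device
        reasons.append("issuer app authenticated on this device")
    if score >= 70:
        return "red", reasons
    if score >= 30:
        return "yellow", reasons
    return "green", reasons


def step_up_channel(req):
    """Where to send the yellow-path verification. Assumption: a push to the authenticated
    bank app is preferred, because someone holding only a stolen card number cannot answer it."""
    if req.bank_app_authenticated_on_device:
        return "bank_app_push"
    return "call_centre"


# Constructed sample requests; no real cardholder data.
LEGIT_CARDHOLDER = ProvisioningRequest("1881", "US", "US", 900, 1, True, True)
TRAVELLING_CARDHOLDER = ProvisioningRequest("1881", "US", "CA", 400, 1, False, True)
FRAUDSTER_FRESH_DEVICE = ProvisioningRequest("1881", "US", "US", 3, 4, False, False)
```

Run against the three constructed requests, the cardholder on their usual device is approved, the cardholder travelling with a card the device has used before is sent to step-up, and the fresh device with a days-old wallet account and four cards added this month is declined. The velocity signal (cards per device) is the one that most directly targets the provisioning fraud the article describes, since a fraudster with a batch of stolen numbers will load several onto one phone.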
There is no doubt that using a public Wi-Fi hotspot carries serious security issues. Although many hotspots require a username and password, there is no guarantee that the network connection itself is encrypted; more often than not it is not, and almost any kind of covert, malicious activity can then be carried out against the end user without their knowledge. To make matters worse, cyber attackers set up fake hotspots that look legitimate to the end user, such as ones imitating those offered by Xfinity, AT&T, Verizon and others.

Rogue hotspots have now been turned against Apple Pay. Researchers from the cybersecurity firm Wandera discovered a weakness in iOS that allows a fake Apple Pay page to appear on an iPhone connected to a fraudulent hotspot. The end user is prompted to enter their credit card information, which is of course intercepted by the attacker and used for fraudulent mobile wallet transactions. This fake Apple Pay page has its flaws, and a trained eye can tell it is a scam; the average end user, however, is unlikely to distinguish it from the real thing, and that is the assumption the attackers rely on.

Technically, this is known as a “captive portal” attack. An iPhone will automatically try to connect to any Wi-Fi network whose Service Set Identifier (SSID) it already knows. Even when not connected to any network, it announces the SSIDs it remembers by broadcasting “probe request” messages.
A fake hotspot can answer those probe requests by masquerading as the remembered network, and the iPhone joins it. Once that connection is established, the attacker can push a fake Apple Pay page to the device; it need not be an Apple Pay page at all, since the attacker can serve almost any page designed to capture card details or other confidential data (such as a username and password combination). A captive portal attack can therefore hit an end user who is about to complete an Apple Pay transaction, with the attacker running the fake site nearby. The end user is prompted for their credit card details and assumes that re-entering the number, even after having entered it during setup, is a normal part of the process, while the attacker quietly captures the card information for their own gain.
[Image: the legitimate Apple Pay page on the left and the fake Apple Pay page on the right.]
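The probe-request and captive-portal exchange described above, as an added example (not code from the article, from Wandera or from Apple): a small simulation of a phone with a preferred network list, a legitimate access point and a rogue one that answers every probe request. The captive-portal probe URL and the expected body are iOS's real connectivity check; the SSIDs, the phishing page body and the phone's join-policy flags are constructed assumptions. It shows that checking the remembered network's security type stops an open twin of a WPA2 network but not a twin of a remembered open hotspot, which is why auto-joining open networks is the setting that matters.

```python
from dataclasses import dataclass

# iOS fetches this URL after joining a network and expects exactly this body; any other
# answer makes it open the captive portal sheet showing whatever the network returned.
CAPTIVE_PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
CAPTIVE_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# Constructed stand-in for the phishing page; not the real artifact Wandera reported.
FAKE_APPLE_PAY_PAGE = "<html><body><h1>Apple Pay</h1>Re-enter your card number to continue</body></html>"


@dataclass(frozen=True)
class KnownNetwork:
    """An entry in the phone's preferred network list."""
    ssid: str
    security: str  # "open" or "wpa2"


@dataclass
class AccessPoint:
    ssid: str
    security: str
    rogue: bool = False

    def probe_response(self, probed_ssid):
        """802.11 probe response. A legitimate AP answers only for its own SSID; the rogue AP
        answers every probe with the SSID it just heard, offered as an open network."""
        if self.rogue:
            return probed_ssid, "open"
        if probed_ssid == self.ssid:
            return self.ssid, self.security
        return None

    def http_get(self, url):
        """Body the client receives for a plain-HTTP request through this AP. The rogue AP
        forwards nothing upstream: every request is answered with the phishing page."""
        if self.rogue:
            return FAKE_APPLE_PAY_PAGE
        if url == CAPTIVE_PROBE_URL:
            return CAPTIVE_SUCCESS_BODY
        return "<html>upstream content</html>"


@dataclass
class Phone:
    known: list
    require_security_match: bool = False  # refuse an open twin of a remembered WPA2 network
    auto_join_open: bool = True           # whether remembered open networks are auto-joined at all

    def auto_join(self, aps):
        """Send a probe request for each remembered SSID and join the first acceptable responder.
        Returns (access point, SSID the phone believes it joined) or (None, None)."""
        for net in self.known:
            if net.security == "open" and not self.auto_join_open:
                continue
            for ap in aps:
                resp = ap.probe_response(net.ssid)
                if resp is None:
                    continue
                offered_ssid, offered_security = resp
                if self.require_security_match and offered_security != net.security:
                    continue
                return ap, offered_ssid
        return None, None

    def connectivity_check(self, ap):
        body = ap.http_get(CAPTIVE_PROBE_URL)
        return "online" if body == CAPTIVE_SUCCESS_BODY else "captive_portal"


def simulate(aps, require_security_match=False, auto_join_open=True):
    """One join attempt by a phone that remembers a WPA2 home network and an open carrier hotspot."""
    phone = Phone(
        known=[KnownNetwork("HomeWiFi", "wpa2"), KnownNetwork("xfinitywifi", "open")],
        require_security_match=require_security_match,
        auto_join_open=auto_join_open,
    )
    ap, ssid = phone.auto_join(aps)
    if ap is None:
        return {"joined": None, "rogue": False, "status": "not_joined", "portal_body": None}
    status = phone.connectivity_check(ap)
    body = ap.http_get(CAPTIVE_PROBE_URL) if status == "captive_portal" else None
    return {"joined": ssid, "rogue": ap.rogue, "status": status, "portal_body": body}


# Constructed environment: a genuine home router and a rogue hotspot within range.
LEGIT_AP = AccessPoint(ssid="HomeWiFi", security="wpa2")
ROGUE_AP = AccessPoint(ssid="", security="open", rogue=True)
```

With the default join policy the phone accepts the rogue's answer to its “HomeWiFi” probe and the connectivity check comes back with the phishing page, which is exactly the sheet the user then sees. Requiring the security type to match only shifts the problem to the remembered open “xfinitywifi” profile, since an open network has no credential for the rogue to fail. Only refusing to auto-join open networks keeps the phone off the rogue hotspot; the remaining rule for the user is that a captive portal sheet is content served by the hotspot, never by Apple, so it is never the place to type a card number.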
In summary, our last three articles on mobile wallets have covered the technical details behind them as well as the security risks that come with them. It is important to note that using a mobile wallet involves much more than running a mobile app and holding an iPhone, Samsung or Windows mobile device against a point of sale terminal.
It involves the entire mobile wallet infrastructure, from the card issuer to Apple or Google, who created the app itself.
Multiple intermediary parties are therefore involved in keeping a mobile wallet running, and each of these components adds to the security risk of the infrastructure as a whole, as this series has examined in detail.