Written By

W. Scott Montgomery

February 2, 2015

Over the years, credit card fraud has been on the increase, partly because the technology to duplicate and “skim” credit cards has become affordable and easy to obtain.

Stolen credit cards and credit card information (Cardholder Name, Card Number, Expiration Date and CVV Code) can easily be transferred to a blank card that becomes usable. The process to purchase this information is readily available via underground web sites. Hackers and thieves buy this information “around the clock”. The information usually comes from computer system breaches and other criminal sources. And it’s BIG business.

Credit card technology has been changing at a slow pace, even with the increase in fraudulent transactions. I’m not going to discuss all the changes that have taken place; there is no time for this. However, we do have some very interesting new developments.

Apple’s rollout of Apple Pay is one of these new developments.

Apple Pay uses a technology called Near Field Communication (NFC). This is a short-range wireless point-to-point technology. When this communication technology is used in conjunction with a smartphone (Apple iPhone), credit card transaction security can be dramatically increased.

One of the security improvements is that the iPhone owner must provide a fingerprint or phone PIN to complete the transaction. In addition, no actual credit card information is stored on the iPhone or on an Apple system.

For the legitimate owner of the credit card and iPhone this is awesome. But we do have some potential drawbacks that are now coming to light. Remember in the beginning of this article we discussed the ease with which credit cards can be duplicated or skimmed? For all intents and purposes, this is what the iPhone can become if used for illegal purposes: a sophisticated credit card skimming device.

To add a legitimate credit card to the Apple Pay service, you simply take a picture of the card with the phone’s camera and/or enter the credit card information from the card itself. If you own the card, this makes the service easy to set up. But think of this from a hacker’s perspective. There is no way to guarantee that the card entered is actually owned by the person who is entering the information.

Picture this: you just finished a wonderful dining experience and are ready to pay your bill. The waitress brings over the bill and you slide your card into the black folder. She walks past and picks up the folder, heading to the register. What happens if she takes out her iPhone and adds your credit card to her iPhone?

This is not a negative comment on the Apple Pay services.  I’m a big fan and believe that Apple Pay will go a long way to prevent credit card fraud of legitimate cards used by the service.  The big issue here is, as a consumer, you need to keep your actual card from falling into the wrong hands, even for a few minutes.  Honestly, I look forward to more retailers accepting Apple Pay.  I use it whenever I can.

Update I

We have noticed that partner banks, working with Apple Pay, have been increasing their verification services to authorize credit cards to use Apple Pay. I experienced this firsthand within the last hour. Several months ago I added one of my credit cards (from PNC) to Apple Pay. I don’t believe I had any additional verification requirement other than to take a picture of the card from my iPhone. Today I removed that card and attempted to re-add it to the Apple Pay service. I manually entered the card information and was immediately prompted to call a PNC toll-free number to verify the cardholder information. The PNC representative kindly greeted me and requested my full name and either my PNC account number or social security number (step 1). I was then asked to provide information on two transactions from the credit card that I was using. I quickly jumped online, logged into my account and provided the representative with the information they were looking for (step 2). I was then asked for the card number (step 3). Looking back at my iPhone, I received a message in Apple Pay that said “PNC Bank Debit Card” is ready for Apple Pay. Success!

Although I can now say, firsthand, that PNC requires a verification process, we are hearing that that is not the case with all partner financial organizations. As I learn about how other partners have (or haven’t) implemented verification, I’ll keep you posted.

Update II

We’ve confirmed that Chase requires the cardholder to select one of three methods (depending on what Chase has on file).  The cardholder may either call Chase for verification or receive a confirmation PIN via email or text message.

About the Author

Scott Montgomery joined OST in the spring of 2009 as the Manager of the OST Security Practice. Scott comes to OST with over 25 years of IT and IT Security related experience. Within the last ten years, Scott has personally performed more than 1000 Security Assessments for several hundred organizations. Using a proprietary and unique assessment approach, developed by Scott and used since 1998, the OST Security Team has the ability to gather, analyze and assess the security of any organization. The Montgomery Method ™ guarantees comprehensive security results for even the most complex of computing environments.

Scott has a Degree in Computer Information Service from Ferris State University. Scott’s articles and quotes often appear in trade publications and he is regularly invited to speak publicly about Computer Security, Identity Theft and Technology Trends.