Fraudsters target Apple Pay in credit card scams

Criminals using stolen credit card details are reportedly linking them to contactless payment systems such as Apple Pay, before spending thousands of dollars through them.

Image Credit: Apple


There have been cases before of thieves using a burner iPhone and Apple Pay to spend on stolen credit cards. But now a new report quotes one fraudster as describing Apple Pay as the "easiest way" to make money.

According to Vice, Apple Pay and other systems are discussed on Telegram channels typically used by criminals.

These fraudsters are reportedly now using a recently developed hacking tool. Bots automatically place phone calls to victims, who are then in some unspecified way manipulated into handing over their multi-factor authentication codes.

The bots are then used to link the stolen credit cards to contactless systems. This is the "easiest way to make profit using bot," an administrator for the Yahooze OTP bot posted on Telegram.


Comments

  • Reply 1 of 22
    lkrupp Posts: 10,557 member
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
  • Reply 2 of 22
    mike1 Posts: 3,275 member

    Bots automatically place phone calls to victims, who are then in some unspecified way manipulated into handing over their multi-factor authentication codes.



  • Reply 3 of 22
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    edited April 2022
  • Reply 4 of 22
    rivertrip Posts: 142 member
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    I hope "perfect English" was sarcastic.
  • Reply 5 of 22
    rivertrip said:
    I hope "perfect English" was sarcastic.

    Okay, how about non-robotic sounding and no accent?
  • Reply 6 of 22
    rivertrip said:
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    I hope "perfect English" was sarcastic.
    Agree about the ”perfect” English. Also, was it a message or a phone call? The story seems to go in two directions here.
    edited April 2022
  • Reply 7 of 22
    Agree about the ”perfect” English. Also, was it a message or a phone call? The story seems to go in two directions here.
    Boy, you all are nitpicky. Trying to give a heads-up on a more sophisticated scam. I hope that helps someone.

    It was a robocall, so I wasn't talking to a real person. Since I wasn't talking to a real person, I used the word message to convey what was being said. It seemed pretty legitimate except for when it kept repeating to enter my card number. Maybe if they spaced out the timing like every 10 seconds, it would get more people.
  • Reply 8 of 22
    viclauyyc Posts: 849 member
    Agree about the ”perfect” English. Also, was it a message or a phone call? The story seems to go in two directions here.
    Boy, you all are nitpicky. Trying to give a heads-up on a more sophisticated scam. I hope that helps someone.

    It was a robocall, so I wasn't talking to a real person. Since I wasn't talking to a real person, I used the word message to convey what was being said. It seemed pretty legitimate except for when it kept repeating to enter my card number. Maybe if they spaced out the timing like every 10 seconds, it would get more people.
    I got a similar thing from Canada too. Both text and voice message. Since I only got very few calls a day, mostly from people I know, it is rather easy for me to figure out spam calls.
  • Reply 9 of 22
    Hank2.0 Posts: 151 member
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    Not to mention those corporate idiots who fail to encrypt customer information and leave themselves open to hackers  :#
  • Reply 10 of 22
    Good lord. This whole thing defeats the purpose of having multi-factor authentication codes.
  • Reply 11 of 22
    Agree about the ”perfect” English. Also, was it a message or a phone call? The story seems to go in two directions here.
    Boy, you all are nitpicky. Trying to give a heads-up on a more sophisticated scam. I hope that helps someone.

    It was a robocall, so I wasn't talking to a real person. Since I wasn't talking to a real person, I used the word message to convey what was being said. It seemed pretty legitimate except for when it kept repeating to enter my card number. Maybe if they spaced out the timing like every 10 seconds, it would get more people.
    I totally understood what you meant by "automated message in perfect English". I thought what you wrote was perfectly clear.
  • Reply 12 of 22
    tommikele Posts: 599 member
    "Bots automatically place phone calls to victims, who are then in some unspecified way manipulated into handing over their multi-factor authentication codes."

    If you are duped into doing that, you deserve to be separated from your money.
  • Reply 13 of 22
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    So you’re saying I didn’t:
    • Get approved for a new blood checker
    • Get a new warranty for my car
    • Get approved for a week long hotel?
    • Lose an Amazon/UPS/FEDEX package?
    • Get a legitimate offer for a Medicare card?  (About 30 years from now I might)
    My grandfather is getting scammed by a live person.  At least he can see the enemy.

  • Reply 14 of 22
    The bots might do the dialing, but it may be a living person who speaks with you, and falling for a scam doesn't mean you're stupid. I didn't fall victim, but the guy who called me was very good, VERY convincing. I got 10 calls two days ago from 3 actual Wells Fargo numbers. It may sound like simple phishing, but one of the numbers was from my Wells Fargo home branch in Los Angeles. My business VISA card (which he had the info of) I use only in Las Vegas, where my residence and billing address are my Nevada business office - yet this scammer knew to spoof my home branch phone number, a small, very specific branch, where there are hundreds of Wells branches between it and my credit card billing address. That was not random luck. Of course, I knew WF would never call so many times in a row, so I answered one just to hear if it was a bot or a living person. I heard his voice and hung up. Over the next 2 days I got 20 more calls, until I had everything set up and ready to "talk" to this guy. When I answered, he said it was Wells Fargo fraud protection calling to see if I made several purchases from Best Buy. As I said, this particular credit card is only for my Vegas business, and I only have ever used it at Best Buy, nowhere else, ever. Another lucky guess on his part? I told him I didn't make the charges, and now it was time for the 6-digit code verification bit. When the code came in from ApplePay, I asked him why the text read ApplePay, he quickly said, "our computers have been glitching all day, we are aware of it and have technicians working to solve the issue." While I was rambling to keep him on the phone, I managed to get his name and phone number from his bogus ApplePay account just before I shut down my credit card (I'm just as good as any scammer, but I run an honest business!). My point is, somehow this guy knew way more than a garden variety scammer. 
If he had lucked out and caught me at a time when I was very busy, he could have easily nailed me with his scam. He's been reported to multiple agencies. I'll admit, as far as scams go, this was on-point....just not good enough!
  • Reply 15 of 22
    maximara Posts: 409 member
    rivertrip said:
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    I hope "perfect English" was sarcastic.
    Likely not.  BEST TEXT TO SPEECH SOFTWARE FOR YOUTUBE Completely FREE shows just how sophisticated text to speech software has become.  And if the free stuff can do that imagine what commercial grade software can achieve.
    edited April 2022
  • Reply 16 of 22
    Xed Posts: 2,519 member
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    Good you caught yourself and called the bank. I always tell people to call them yourself. The bank is on the card or other info, but I also keep detailed contact info in my password manager for each card and login.
  • Reply 17 of 22
    Xed Posts: 2,519 member
    Dabambino said:
    The bots might do the dialing, but it may be a living person who speaks with you, and falling for a scam doesn't mean you're stupid. I didn't fall victim, but the guy who called me was very good, VERY convincing. I got 10 calls two days ago from 3 actual Wells Fargo numbers. It may sound like simple phishing, but one of the numbers was from my Wells Fargo home branch in Los Angeles. My business VISA card (which he had the info of) I use only in Las Vegas, where my residence and billing address are my Nevada business office - yet this scammer knew to spoof my home branch phone number, a small, very specific branch, where there are hundreds of Wells branches between it and my credit card billing address. That was not random luck. Of course, I knew WF would never call so many times in a row, so I answered one just to hear if it was a bot or a living person. I heard his voice and hung up. Over the next 2 days I got 20 more calls, until I had everything set up and ready to "talk" to this guy. When I answered, he said it was Wells Fargo fraud protection calling to see if I made several purchases from Best Buy. As I said, this particular credit card is only for my Vegas business, and I only have ever used it at Best Buy, nowhere else, ever. Another lucky guess on his part? I told him I didn't make the charges, and now it was time for the 6-digit code verification bit. When the code came in from ApplePay, I asked him why the text read ApplePay, he quickly said, "our computers have been glitching all day, we are aware of it and have technicians working to solve the issue." While I was rambling to keep him on the phone, I managed to get his name and phone number from his bogus ApplePay account just before I shut down my credit card (I'm just as good as any scammer, but I run an honest business!). My point is, somehow this guy knew way more than a garden variety scammer. 
If he had lucked out and caught me at a time when I was very busy, he could have easily nailed me with his scam. He's been reported to multiple agencies. I'll admit, as far as scams go, this was on-point....just not good enough!
    Welcome, but paragraphs are good for making text to humans easier to read. If you meant your block of text to be meant by a bot, well, then ignore my comment.

    As for a living person, that can be more complex. While fully-automated AI is expensive and difficult, it's not difficult and very inexpensive to use live people. The problem that arises is that a live person in another country may understand English very well—save for certain idioms and culture-related terms—but have a thick accent. The way around this is to use a grid controller with the most common, canned responses that either a "non"-accented English speaker or a tweaked automated service has supplied. This eliminates a large hole of the scam without adding much cost and with every attempt to scam someone they can tweak the placement of responses on the board and what the responses are.

    I didn't read the rest of your statement.
  • Reply 18 of 22
    cropr Posts: 1,122 member
    A few years ago I was working as a fraud consultant in a bank. When the bank started to accept Apple Pay, we saw a serious increase in fraud attempts. A lot of the victims we contacted said they were less concerned about fraud because "Apple Pay was 100% secure".

    When we explained that in terms of fraud there was no difference between a transaction originated from a chip based bank card and an Apple Pay transaction (both use the same protocol), they were surprised.

    Apparently the Apple marketing about security had the negative side-effect of the victims being more negligent.
    edited April 2022
  • Reply 19 of 22
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    I can see how that would get a lot of people - I would be willing to bet the conversion rate on that is > 30%

    We have to enter our card numbers all the time over the phone - we're basically trained to do it (by the banks). 
  • Reply 20 of 22
    maximara Posts: 409 member
    lkrupp said:
    As always the weakest link in security is between the ears of the idiots who gladly hand over their credentials to anyone who calls them with an offer too good to be true. And there’s no patch for stupid.
    These automated scams are getting really sophisticated though. Here is one that ALMOST got me.

    Caller ID displayed the name and phone number of my actual bank (which I googled).

    Automated message in perfect English:
    "We recently got a purchase request which we blocked the transaction. If you made this purchase, please press 1. If you didn't make this purchase press 2."

    Then when you hit a number (which I selected #2):
    "Thank you, please enter you ATM card number for verification"

    It kept repeating the message to enter the card number. This is where I was like wait a minute and hung up. The automated call kept calling back every minute for the next hour.

    I called my bank to make sure there weren't any transaction attempts and they said no, so I notified them of the scam.

    A week later, I get another call from a different bank (which I don't have) that had the same message (I let it go to voice mail).
    The "please enter you ATM card number for verification" was the tip off.  No bank will request that information. That should send up a red flag faster than a 35 car pile up at the Indianapolis 500.  In fact, as demonstrated by an experience my parents had banks will just freeze your card until you contact them if they detect strange activity on the account.  My late mother went through law school and I seek out and read laws to make sure I am well informed.

    Had some clown trying to claim they were the IRS and I asked them 'what provision of 5.1.10 Taxpayer Contacts' are you using?  They hung up right then and there.

    Another tried to claim they were the local police (even spoofed their number) and claimed they were going to arrest me unless I paid them.  I pointed out that no real cop would call regarding a possible crime for fear any evidence would be destroyed and that I was invoking the federal False Claims Act which gave me the authority to sue on behalf of the federal government and would be hitting them with extortion charges and posing as a police officer.  They hung up.  

    Related to credit cards.  My mother was in surgery in Houston when it got flooded (result of Allison IIRC) and we were stuck there for a month.  My father's credit card was near maxed out so I used mine at a parking garage.  Six months later a charge for prepaid phone cards appeared on my credit card statement from Houston.  I called the bank and had the charge expunged but it shows why these 1 year of protection for errors by the company that let your CC number out in the wild are useless.  The smarter thieves will wait a while before starting to charge stuff and the real smart ones will wait longer than a year.
    edited April 2022