Can a fraudster add my debit card to their Apple Pay?

Aren't Apple also arguably culpable here if they are (by default?) automatically taking a security PIN from a text message and submitting it to an app/web form without any user input? That sort of automated behaviour seems to undermine the whole point of such security PINs.

But if you tried to add my card to your wallet, the OTP would be sent to my phone not yours.

So I don't see the problem here - unless you have managed to change the phone number on my Revolut account to send the OTP to you.
 
Folks

This is not a general discussion of debit card fraud and security.

It is trying to answer a very specific question

Can someone who has my credit card details add my credit card to their Apple Pay or Google Pay?

It is not about people losing their mobile phone and having their cards compromised.
 
I tested this per Brendan's request earlier, i.e. setting up one person's Revolut card on another person's iPhone.

Context. I have a Revolut Debit card (Virtual) and this is installed in the ApplePay Wallet on my iPhone. My partner also has Revolut Debit card (Virtual) and this is installed in the ApplePay Wallet on their iPhone.

I removed my Revolut Debit card (Virtual) from the ApplePay Wallet on my iPhone.
I opened the ApplePay Wallet on my partner's iPhone and attempted to add my card manually, entering the card number, expiry date and cvv. A message was displayed after 10 seconds: "Your Issuer Does Not Yet Offer Support for This Card - Learn more about currently supported cards, or ask your issuer if they offer cards that support Apple Pay"

I then attempted to add my Revolut Debit card (Virtual) to the ApplePay Wallet on my iPhone, manually
I opened the ApplePay Wallet on my iPhone and attempted to add my card manually, entering the card number, expiry date and cvv. A message was displayed after 10 seconds: "Your Issuer Does Not Yet Offer Support for This Card - Learn more about currently supported cards, or ask your issuer if they offer cards that support Apple Pay"

I then opened the Revolut App on my iPhone, tapped on my Revolut Debit card (Virtual) and clicked on "Add to Apple Wallet"
Card details were pre entered so I clicked on Next
T&Cs were displayed and I clicked on Accept
Card was successfully added and a message asking if I wanted to set it as the default in the wallet was displayed
No SMS or other visible TFA/MFA activity took place.

Conclusions:
  • In an iPhone/ApplePay context, a Revolut Debit card (Virtual) can only be added to ApplePay using the Revolut App, which obviously means that the Revolut App needs to be installed on the iPhone and the card user's credentials validated.
  • I do not have a physical Revolut Debit card, so I cannot say whether or not the same rules apply to the physical card. Similarly, I do not have an Android phone and I do not use Google Pay so cannot test these.
  • For a third party to install my Revolut Debit card (Virtual) on their ApplePay/iPhone, they would have to install the App and log-in using my credentials. This would obviously work, but would require them to have the credentials necessary to access my Revolut account in addition to my card details, i.e. RevTag, Passcode and Debit Card number, expiry date and cvv.
  • It would appear that the security approach taken by Revolut in relation to adding cards to the Apple Wallet is to insist that the process is initiated from within the Revolut App, whereas other banks and card providers use TFA/MFA.
 
Freelance

That is great work. Do neither of you have a physical debit card to check?

I have a physical debit card from Revolut which is the one in my Apple Wallet.

I might remove it and add it again to test it.

Brendan
 
Hi Brendan.

No, neither of us has a physical Revolut card (see note below).

If you do remove your physical Revolut card from your Apple Wallet, first try adding it back using the manual process (i.e. go into Wallet, select + to add to Wallet, ignore the camera thing and select "Enter Card Details Manually") and see if this works, as this is what a fraudster would do with the minimum details available to her.

Note: We use a joint Revolut a/c for utilities and routine household expenses which we top up weekly, and use solo Revolut accounts sparsely (so mainly used for nieces' and nephews' birthdays, splitting restaurant expenses etc.) - we are both very reluctant to keep funds in Revolut accounts.
I rarely use physical cards anyway, most of my in person transactions are done using Apple Pay on my Apple Watch and iPhone from a number of credit and debit card accounts - I have more confidence in this technology than physical cards. It's for another thread, but from a security and service perspective where cards are concerned, I would rate N26 well ahead of Revolut, AIB, BOI and the rest.
 
OK, so I deleted my Revolut card from my wallet and added it again.

1) Settings/ Wallet & Apple Pay/Add Card
2) I got a choice of previous cards or Debit or Credit Card or "From Apps on your iPhone: Revolut"
3) I clicked Debit or Credit Card
4) A camera opened up and I pointed it at my card and it took in the data
5) I had to enter my CVV manually.
6) It then said "connecting with your card issuer"
7) It then said "Choose how to verify your card for Apple Pay"
[screenshot]

I didn't get any other choice so clicked on Next.

8) I got a text from Revolut as follows:
[screenshot]

9) I went into Revolut and got this
[screenshot]

10) Went back to the wallet and added the code.
 
So a scammer would need access to my phone? I presume physically. But maybe they can access it remotely if they have compromised it?
 
That Revolut implementation looks relatively secure. Using the app like above they avoid potential SMS interception or phone cloning.

It's possible your phone could be remotely accessed - Malware particularly on Android is possible - but more along the lines generally of keyloggers and screen recording.
I don't think there are any likely vulnerabilities that would let an attacker remotely open the Revolut app - if that existed it wouldn't be wasted on hacking small Revolut accounts. That's too valuable an exploit. There's I think an element of probability of it actually happening versus is it possible - a lot of things are possible in theory, but too difficult for attackers in practice.
 
On Android just now I got the SMS option with code sent.
Identical steps to yourself Brendan, apart from Android and Google Wallet.

[screenshots]

Revolut might be using some heuristics to detect suspicious patterns or other logic to decide if and when a code is sent versus the App must be used.
 
It would be very hard to inadvertently allow your Revolut card to be added to someone else's Apple Pay.

Let's say Andrew that I want to add your Revolut card to my Apple Pay and I am very persuasive.

I get your card details and phone number from a transaction you did.
I set the card up on my phone.
Now I need the code.
I call you pretending to be from Revolut telling you that your card has been compromised. I want to help you to secure your card. I will send you a code and then ask you to give it to me over the phone.

This seems very far fetched. None of the people who have reported having their Revolut accounts cleaned out overnight have reported giving their information to a caller. Maybe they did and are not making a full disclosure?
 
Yes very far fetched going on what victims are describing.

Whatever is happening here there should be a trail that can explain what happened. Revolut will know if they've investigated, Google/Apple will potentially know part of the puzzle. They are unlikely to disclose what they know without a good reason - support staff won't necessarily know.

There could be, and usually are, a mix of things happening, but I doubt sophisticated attacks are the majority; the simpler explanation is the more likely, even if it is embarrassing.
 
I put in a call to Revolut last week and they said they would call me back this week, but they have not done so.

I don't expect them to discuss any individual's case, but I would hope that they would tell me what the pattern is. What are people doing to facilitate the scammers. Are they calling out a code over the phone when paying a bill, for example.
 
People are just far less suspicious than you think. And there's a survivorship bias of a sort here too - we only hear the stories of those that were compromised, not the vast majority that weren't.

If a financially/technologically naive user is just after supplying card number, expiry, and CVV to someone, to make a payment or reservation, and they are told they need "an authorisation code" too - how many out of 1000 would not read the detail of the message from Revolut, or not understand its implications, and hand over the code?

It only takes one for Conor Pope to have another article.

The far less likely scenario is that there's some fundamental technical flaw in the mechanism for adding cards. This would be widely exploited and discussed / fixed by now if there was.
 
If they had some way of accessing the person's Revolut app, why would they even bother adding the card to Apple Pay or Google Wallet? They can just transfer all the money out anyway.
 
I think if you try anything more than €150, they'll flag and possibly send a text, not sure though.
 