Key Post Security adding credit card to apple pay on your own phone

K

kickstart

Registered User
Messages
126
I recently had a suspected (non apple-pay related) fraudulent transaction on my AIB credit card, which prompted an automated text from AIB asking me to text 1 (confirm) or 9 (deny). When I texted 9 back to AIB, they quite reasonably cancelled the card, and issued me a brand new one (new number, new CVV, same old expiry alas).

While I was waiting for the new card to show up in the post, I decided to add my Avant Credit card to Apple Pay. It was disarmingly straightforward - I initiated the Add on my phone, and I got a message on the phone saying it had been completed, and if this wasn't me to contact Avant immediately.

When I got my re-issued AIB card, I added it. Much the same process, but I had to go through a second step - I had to follow a 'Verify' step on my phone, which solicited a text message with a code in it from some source (I don't know if it's from AIB or Apple, because it is no longer visible anywhere), which my phone intercepted before I saw it (standard iPhone practice for many codes like this), and then it confirmed the card had been added to Apple Pay.

I'm in two minds about all this. It would be great if there was a proper MFA approach being enforced by Apple Pay, and not leaving it to each Credit Card Issuer to decide. That said, the MFA step they are currently permitting is trivial to bypass - a code to the same phone being used to initiate the process is not really MFA, and indeed the IT Security community has a lot to say about how insecure SMS based MFA is anyway.

If someone malicious has access to your phone, and if you tend to reuse PINs, you are properly hosed. I think using fingerprint or face-id is a great idea, as it means you don't routinely use PINs, so shoulder surfing thieves won't get far with a snatched device. I'm still not particularly comfortable about banks using the phone as an MFA factor given it's now the default platform for many people to do most banking.
 
Yeah, while paying with Apple or Google Pay might be more secure than the alternative, the technical and social quirks with adding a card leave a bit of a gap.

I think the best defence is to only keep a relatively small amount in the accounts linked to any card or device.
And it’s for this reason I don’t like the idea of linking a credit card, as they usually have thousands of euro available to spend, with nothing firewalled off in a vault or instant deposit.
 
Oddly enough, that's exactly why I only link credit cards: while there's a whole credit limit of scope for someone to abuse, the risk of fraud is insured, and the credit card provider (Visa or Mastercard) ultimately covers this with a policy. The issuing bank might put up a fight or make it awkward, but at the end of the day, of you really want to, you can formally request a charge back (up to 180 days later).

Certainly anytime I've encountered either fraud or just a less obvious case of misrepresentation (e.g a holiday accommodation provider declined to return a damage deposit, or indeed, make any communication after the stay) the bank has been very good about refunding first, and then presumably either investigating or letting the merchant complain.
 
That's interesting all right. I hadn't thought of it that way.
My understanding (which could be off) is that there's no difference in terms of fraud protection or chargeback between debit and credit cards (unlike in the UK). With that said though, I would rather not have the money gone from my account while the dispute protest is underway...
 
kickstart said:
Oddly enough, that's exactly why I only link credit cards: while there's a whole credit limit of scope for someone to abuse, the risk of fraud is insured, and the credit card provider (Visa or Mastercard) ultimately covers this with a policy. The issuing bank might put up a fight or make it awkward, but at the end of the day, of you really want to, you can formally request a charge back (up to 180 days later).
Click to expand...
This is a good point and I hadn't thought of that, but I'm not sure it's something we can expect to rely on "going forward" with the increase in phone payment fraud. Although I think it is more difficult to get into the Bank of Ireland app than the likes of Revolut. Nevertheless I might consider relaxing my not adding my credit card to Google pay in the future.
 
Dr Strangelove said:
I removed and added my Revolut card on Apple Pay again just to see how it worked.

I needed card number, expiry date, and CVC. I had to enter a one-time code via SMS and authenticate as well within the Revolut app. Then I got a notification from Revolut that the card had been added on Apple Pay.
Click to expand...
Wow that's world of difference with my Google pay experience earlier today.
 
Dr Strangelove said:
I removed and added my Revolut card on Apple Pay again just to see how it worked.

I needed card number, expiry date, and CVC. I had to enter a one-time code via SMS and authenticate as well within the Revolut app. Then I got a notification from Revolut that the card had been added on Apple Pay.
Click to expand...
Did you re-add using the Revolut app or Apple pay? I re-added using the Revolut app, not sure if you can do using Google pay itself.
 
I added the card to my Apple Wallet which then allows it to be used for Apple Pay.

Revolut sent me a one-time code via SMS and I needed an in-app verification as well. To access Revolut on device you need passcode or FaceID.

The security was all at the Revolut end - seems like you can add any card to an Apple Wallet once you have the active assistance of the cardholder.
 
ok, so it turns out I do have an old phone I could test this with. The phone has no sim card in it so no number linked to it as such but is still logged in to my google account that is on my main phone. I will refer to the old phone that I am trying to add my card to as Phone 1. This is the "scammers" phone. My main phone I will refer to as Phone 2.

When I added the card to the Phone 1 it gives me the option of sending an SMS message or authenticating in the app. I got a pop up on Phone 2 saying 'Card authorisation for Google Wallet' on Phone 1. Clicking on it brings you to the Revolut app but it doesn't let you authorise anything.

I select the app authentication. On Phone 1 it pops up a link to the app store to download Revolut. I get nothing showing up on Phone 2.

If I select text a code, I get a text message sent to Phone 2 and I can't progress on Phone 1 until I put in the code. At least as far as I can see. The message on Phone 2 does not contain the code. It instead says 'Please open the Revolut app to verify and finish adding your card to Google Pay. If this wasn't you, please contact us immediately'. I also get a Revolut notification as well. I can't remember what it said exactly. Anyway when I click the Revolut notification is shows me a screen. This screen shows the 6 digit code. It even says 'Never share this code' with a little warning symbol beside it. It also says 'Revolut will never ask you to share this code on a phone call. Sharing this code will add your card to a Google Wallet and the card will be available to use for spendin'.

So the only way the hacker with Phone 1 could add my card to that phone's Google Pay would be if I give them the code that is in my Revolut app on my phone (Phone 2) with all the warnings on the screen about exactly what will happen or they have gotten my Revolut log in details and have logged into Revolut on their phone (Phone 1). If it is the latter then adding my card to their Google Wallet doesn't matter any way as they can do what they want with my money.

It looks to me that these people who have had their card added to a Google Wallet and got scammed as a result must have given out at least this 6 digit code but also possibly their card details including CVV.
 
You must log in or register to reply here.
Back
Top