Using portable equipment in a laboratory setting, Wandera’s security researchers have identified a social engineering method in which hackers can inject a fake captive portal page that pops up and imitates the Apple Pay enrolment process, prompting the user to enter their credit card details. These details, including the security code, can then be easily harvested and used for fraudulent purposes.
Several precautions can be taken to protect users from such attacks. Applications that accept credit card details, such as popular taxi services or digital wallets, should investigate methods to positively identify themselves to users when requesting sensitive information. Smartphone operating systems should consider adopting a secure warning when displaying captive portal pages, so that users exercise caution.
Also, when adding credit card details to an app, users are advised to always go through the app itself, starting from scratch, and to use the camera to capture card details where that capability is available.