In February, Cherian Abraham, a Richmond-based payments consultant for banks and retailers posted an article regarding Apple Pay fraud, saying that it “graduated from an itch to a raging infection” due to security flaws. Abraham also adds that it is “growing like a weed, and the bank is unable to tell friend from foe.”
In fact, fraud rates rose from 0.1% of overall debit/credit swipe transactions to up to 6% in recent Apple Pay transactions, dependent on bank and area. They say that criminals in the US are buying expensive goods via the new Apple Pay mobile payment system using stolen IDs and credit card information. Criminals target Apple Stores in particular because they offer high-value items which can be sold on for cash.
Despite all this, it’s necessary to say that Apple has done a great job protecting its payment system. It uses a fingerprint reader to assure that the purchase is made by the phone’s owner. Moreover, merchants cannot see customers’ credit card information thanks to a one-time code that the system issues.
Still, Abraham found the weakness at an earlier stage, when customers are adding a credit card to Apple Pay. At this stage, Apple sends the information about the type of phone, the user’s phone number and general location to the issuing bank. A card can be added to Apple Pay when its issuing bank beams over an encrypted version of the card details to store on the phone. This should be done when the real owner is using it.
Apple’s support page says: “When you add a credit or debit card to Apple Pay… Apple sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
If the information doesn’t match, the issuing bank may ask a user to answer additional security questions. According to Abraham, it is too easy to be approved this way. For example, some banks ask for the last four digits of a customer’s Social Security number, which is easy to answer if the fraudster knows that person’s credit history or personal information. In addition to that, Abraham says that other mobile-payment services might be exposed to the same fraud problem.
Again, Abraham is convinced that the fraudulent Apple Pay purchases are being coordinated by sophisticated organized crime gangs capable of scaling the fraud very quickly. Nevertheless, it’s obvious that if the card provisioning process is too difficult, it won’t draw potential Apple Pay users’ attention.