
How Apple Pay Can Make Credit Card Fraud Easier



First things first—and let’s make this very clear—Apple Pay has not been hacked.

It does, however, appear that Apple’s introduction of the contactless payment system has helped some scammers commit credit card fraud.

If you have never used Apple Pay, here’s a video made by The Verge last year showing how you set it up, and how you make mobile payments with it.

Seems simple, right?

And, unfortunately, the way that scammers can take advantage of Apple Pay appears to be remarkably simple too.

Did you see the part in the video where the guy adds a new card to Apple Pay? He chooses to do it the way most people will choose to do it—by taking a photo of a card and allowing it to scan in the credentials (such as the long card number, expiry date, etc.).

However, you can also choose to enter those details manually, which means you don’t have to have physical access to a card to add it to Apple Pay.

Charles Arthur, writing for The Guardian, explains the issue further:

Apple’s support pages for the service says: “When you add a credit or debit card to Apple Pay… Apple sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
US banks are using a “green path” for cards they approve straight away on such data, and a “yellow path” for cards requiring more checks. But some banks have made the task too simple by asking callers to verify their identity with the last four digits of their social security number (SSN).

And therein lies the problem.

It appears that the authentication methods banks use to confirm whether a credit card should be added to Apple Pay are proving too easy for fraudsters to waltz around—whether that means requesting digits from a social security number (which online criminals may well have stolen alongside the card details, as SSNs are frequently grabbed by hackers) or having the iPhone owner ring a call center to authenticate themselves.

Mobile payments specialist Cherian Abraham writes that fraud enabled by Apple Pay is “rampant.”

Ironically, according to Abraham, Apple Stores are frequently targeted:

These are organized crime rings that are handing out pre-provisioned devices to mules that are then being used to commit fraud – with much of fraud (for some issuers) – occurring around Miami, FL and Dallas, TX. Prepaid cards unsurprisingly are a tool of choice as they can be quickly converted to cash or goods – and subsequently, untraceable. What was surprising to hear was how many times Apple stores themselves popped up as the store of choice for the fraudster – and yet unsurprising, due to its nature as a luxury retailer. There is a certain irony in one compromised Apple Pay device paying for another – only to be drafted subsequently into the fraudster's service.

The answer, therefore, seems not to be to beef up the security of Apple Pay—but for Apple and the banks to ensure that stronger methods are used to authenticate a card holder really *is* who they say they are, when they try to add a card to Apple Pay.
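To make the "green path / yellow path" distinction and the step-up problem concrete, here is an added illustration in Python. It is not code from the article, from Apple, or from any bank; it is a toy issuer-side decision that routes an add-card request on the kind of device and account signals the Guardian quote describes, then shows the weak yellow-path check the article criticises (reciting the last four SSN digits) next to a possession-based one-time-code check sent to a channel already on file. Every field name, weight, threshold and sample request is an assumption constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Path(Enum):
    GREEN = "green"    # approve on device and account signals alone
    YELLOW = "yellow"  # step-up verification required
    RED = "red"        # decline


@dataclass(frozen=True)
class ProvisioningRequest:
    """Signals an issuer might receive with an add-card request (field set is assumed)."""
    entry_method: str            # "camera_scan" or "manual"
    device_age_days: int         # days since this device was first seen on the account
    itunes_history_years: float  # length of purchase history the wallet reports
    device_country: str
    card_country: str
    prior_tokens_on_device: int  # cards already provisioned to this device


def route(req: ProvisioningRequest) -> Path:
    """Score a request on wallet-supplied signals only. Weights and cut-offs are assumed."""
    risk = 0
    if req.entry_method == "manual":
        risk += 2   # typed-in details prove nothing about possession of the card
    if req.device_age_days < 7:
        risk += 2   # freshly set-up device
    if req.itunes_history_years < 1.0:
        risk += 1
    if req.device_country != req.card_country:
        risk += 2
    if req.prior_tokens_on_device >= 3:
        risk += 3   # mule devices tend to be loaded with many cards
    if risk >= 7:
        return Path.RED
    if risk >= 3:
        return Path.YELLOW
    return Path.GREEN


def weak_step_up(caller_answer: str, ssn_last4_on_file: str) -> bool:
    """The yellow-path check criticised in the article: a static fact the caller recites.
    Anyone who already holds the stolen card data plus the SSN digits passes it."""
    return hmac.compare_digest(caller_answer, ssn_last4_on_file)


@dataclass
class OtpChallenge:
    """One-time code delivered to a channel the bank already has on file (SMS, push)."""
    code: str
    attempts_left: int = 3


def issue_otp(code: Optional[str] = None) -> OtpChallenge:
    """Create a challenge. The code is sent out of band and never read back to the caller;
    a fixed code may be injected so the example is deterministic."""
    return OtpChallenge(code=code or f"{secrets.randbelow(10**6):06d}")


def strong_step_up(challenge: OtpChallenge, submitted: str) -> bool:
    """Possession-based check: correct code within a bounded number of attempts, single use."""
    if challenge.attempts_left <= 0:
        return False
    challenge.attempts_left -= 1
    if hmac.compare_digest(submitted, challenge.code):
        challenge.attempts_left = 0   # a used code cannot be replayed
        return True
    return False


def decide(req: ProvisioningRequest, step_up_passed: Optional[bool] = None) -> str:
    """Final decision: GREEN approves, RED declines, YELLOW depends on the step-up result."""
    path = route(req)
    if path is Path.GREEN:
        return "approved"
    if path is Path.RED:
        return "declined"
    return "approved" if step_up_passed else "declined"


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    legit = ProvisioningRequest("camera_scan", 400, 5.0, "US", "US", 0)
    mule = ProvisioningRequest("manual", 1, 0.0, "US", "US", 4)
    abroad = ProvisioningRequest("manual", 30, 2.0, "GB", "US", 0)
    print(route(legit).value, route(mule).value, route(abroad).value)
    challenge = issue_otp("123456")
    print(strong_step_up(challenge, "000000"), strong_step_up(challenge, "123456"))
```

The design point is in the two step-up functions rather than the scoring: a knowledge check can be passed by whoever holds the stolen data, while the one-time code requires control of a channel the bank bound to the customer before the fraud began, and it is rate-limited and single-use so it cannot be guessed or replayed.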

Until that happens, chances are that fraudsters will continue to find ways to make purchases using your credit card, with a little help from a (no doubt stolen) iPhone.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.