Apple + Security & Privacy

How Apple Pay Can Make Credit Card Fraud Easier

Posted on March 2nd, 2015 by

First things first—and let's make this very clear—Apple Pay has not been hacked.

It does, however, appear that Apple's introduction of the contactless payment system has helped some scammers commit credit card fraud.

If you have never used Apple Pay, here's a video made by The Verge last year showing how you set it up, and how you make mobile payments with it.

Seems simple, right?

And, unfortunately, the way that scammers can take advantage of Apple Pay appears to be remarkably simple too.

Did you see the part in the video where the guy adds a new card to Apple Pay? He chooses to do it the way most people will choose to do it—by taking a photo of a card and allowing it to scan in the credentials (such as the long card number, expiry date, etc.).

However, you can also choose to enter those details manually, which means you don't have to have physical access to a card to add it to Apple Pay.

Charles Arthur, writing for The Guardian, explains the issue further:

Apple’s support pages for the service say: “When you add a credit or debit card to Apple Pay... Apple sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
US banks are using a “green path” for cards they approve straight away on such data, and a “yellow path” for cards requiring more checks. But some banks have made the task too simple by asking callers to verify their identity with the last four digits of their social security number (SSN).

And therein lies the problem.

It appears that the authentication methods banks use to confirm whether a card should be added to Apple Pay are proving too easy for fraudsters to waltz around, whether that means asking for digits from a social security number (which the criminals may well hold too, since SSNs are frequently stolen alongside card data in breaches) or having the iPhone owner ring a call center to authenticate themselves. In both cases the bank is checking something the caller knows, and the person who bought the card details already knows it.
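To make that diagnosis concrete, here is a toy model of the provisioning decision described above. It is an illustration added to this page, not code from Apple, any issuer, or the original post: the signal names, weights, thresholds, the green/yellow/red routing and the two step-up methods are all assumptions chosen to make the point visible, and a real issuer risk engine uses far more than this. What it shows is that a "yellow path" only adds security when the step-up asks for something the card-data thief does not also hold. The last four digits of an SSN travel with the card number in breach dumps; a one-time code sent to the phone number the bank already has on file, or a login to the bank's own app, do not.

```python
"""Toy model of the Apple Pay card-provisioning decision the article describes.

Constructed illustration, not code from Apple, any issuer, or the post's
author. Every signal, weight and threshold is an assumption made up to
expose the green/yellow/red paths; real issuer risk engines use far more.
"""
from dataclasses import dataclass
from enum import Enum


class Path(Enum):
    GREEN = "approve on signals alone"
    YELLOW = "approve only after a step-up check"
    RED = "deny"


@dataclass(frozen=True)
class ProvisioningRequest:
    """Signals forwarded to the issuer when a card is added (simplified)."""
    entered_manually: bool        # typed in, so no need to hold the plastic
    device_age_days: int          # how long this iPhone has been on the Apple ID
    itunes_history_years: float   # length of purchase history on the Apple ID
    distance_from_billing_km: float


@dataclass(frozen=True)
class Claimant:
    """What the person making the request can actually present to the bank."""
    knows_ssn_last4: bool               # knowledge that leaks together with card data
    holds_bank_registered_phone: bool   # can receive an OTP on the number on file
    can_log_in_to_bank_app: bool        # holds the bank's own credentials


def classify(req: ProvisioningRequest) -> Path:
    """Route the request using device and account signals alone (assumed weights)."""
    score = 0
    if req.entered_manually:
        score += 2
    if req.device_age_days < 7:
        score += 2
    if req.itunes_history_years < 1:
        score += 1
    if req.distance_from_billing_km > 500:
        score += 2
    if score >= 7:
        return Path.RED
    if score >= 3:
        return Path.YELLOW
    return Path.GREEN


def decide(req: ProvisioningRequest, who: Claimant, step_up: str) -> bool:
    """True if the issuer approves adding the card.

    step_up is the yellow-path check the issuer configured:
      "kba"        -> last four digits of the SSN (knowledge only)
      "possession" -> OTP to the phone number already on file, or a login
                      to the bank's own app (something the claimant holds)
    """
    path = classify(req)
    if path is Path.GREEN:
        return True
    if path is Path.RED:
        return False
    if step_up == "kba":
        return who.knows_ssn_last4
    if step_up == "possession":
        return who.holds_bank_registered_phone or who.can_log_in_to_bank_app
    raise ValueError(f"unknown step-up method: {step_up!r}")


# Constructed scenarios. A mule on a freshly set-up iPhone types in card data
# bought from a breach dump; such dumps routinely carry the SSN as well.
MULE_REQUEST = ProvisioningRequest(entered_manually=True, device_age_days=1,
                                   itunes_history_years=0.0,
                                   distance_from_billing_km=40.0)
MULE = Claimant(knows_ssn_last4=True, holds_bank_registered_phone=False,
                can_log_in_to_bank_app=False)

# The genuine cardholder adding the same card on a brand-new phone.
CARDHOLDER_REQUEST = ProvisioningRequest(entered_manually=True, device_age_days=0,
                                         itunes_history_years=4.0,
                                         distance_from_billing_km=3.0)
CARDHOLDER = Claimant(knows_ssn_last4=True, holds_bank_registered_phone=True,
                      can_log_in_to_bank_app=True)


def compare_policies() -> dict:
    """Outcome of each step-up policy for the mule and the real cardholder."""
    return {
        "mule_path": classify(MULE_REQUEST).name,
        "mule_approved_under_kba": decide(MULE_REQUEST, MULE, "kba"),
        "mule_approved_under_possession": decide(MULE_REQUEST, MULE, "possession"),
        "cardholder_approved_under_kba": decide(CARDHOLDER_REQUEST, CARDHOLDER, "kba"),
        "cardholder_approved_under_possession":
            decide(CARDHOLDER_REQUEST, CARDHOLDER, "possession"),
    }
```

Both requests land on the yellow path, because a manually entered card on a day-old device is exactly what a new phone and a mule's phone look like to the issuer. The knowledge-based step-up then lets the mule through while a possession-based one stops them, and the genuine cardholder passes either way.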

Mobile payments specialist, Cherian Abraham, writes that fraud enabled by Apple Pay is "rampant."

Ironically, according to Abraham, Apple Stores are frequently targeted:

These are organized crime rings that are handing out pre-provisioned devices to mules that are then being used to commit fraud – with much of fraud (for some issuers) – occurring around Miami, FL and Dallas, TX. Prepaid cards unsurprisingly are a tool of choice as they can be quickly converted to cash or goods – and subsequently, untraceable. What was surprising to hear was how many times Apple stores themselves popped up as the store of choice for the fraudster – and yet unsurprising, due to its nature as a luxury retailer. There is a certain irony in one compromised Apple Pay device paying for another – only to be drafted subsequently into the fraudster's service.

The answer, therefore, seems not to be to beef up the security of Apple Pay itself, but for Apple and the banks to ensure that stronger methods are used to verify that the person adding a card to Apple Pay really *is* the card holder, rather than someone who merely knows the card holder's details.

Until that happens, chances are that fraudsters will continue to find ways to make purchases using your credit card, with a little help from an iPhone that someone else has loaded with your card details.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • BlueTroll

    So, if I don’t have an iPhone and therefore no Apple Pay, but someone has my credit card info, according to what you wrote, they could enter my data into an iPhone and use it to purchase goods with it. That is very concerning.

    • dijo

      I totally agree with you

    • Merchant Accounts

      Yes, this happens all the time. Credit card users must be very careful in using their card because thieves are everywhere.

  • Hitoshi Anatomi

    Apple is also expected to do something about the vulnerability that their Touch ID brings: biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers lower security than when only the password is used.

    We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.