Photo (cc) by Jason A. Howie
Although scammers have used Apple Pay for fraudulent activities, the actual Apple Pay platform and its encryption haven’t been breached.
It appears that hackers have used Apple’s mobile payment system to make purchases with stolen credit card data, some of which came from data breaches at Target and Home Depot. The Wall Street Journal explains:
The Apple Pay system itself hasn’t been penetrated by hackers. Rather, fraudsters are entering stolen card data into phones, which can then be used to make purchases without a physical card being present.
So the fraud is more a result of identity theft than a typical cyber hack. Still, it reveals that Apple Pay may have some issues to iron out. For instance, the apparent weak link in this fraudulent activity is the bank verification process. CNBC said:
“Both sides play a role because Apple could have done more,” said Samuel Bucholtz, co-founder of Casaba Security. “But where the fraud is really coming from is the bank’s verification of those cards. It’s not a compromise of any Apple security system that Apple has put in place.”
Apple’s support page explains that after a credit or debit card is input into Apple Pay, it’s encrypted and sent to the user’s bank, along with information about iTunes account activity, the device it’s on and its current location. Then the bank must decide whether it approves adding the card to Apple Pay.
The bank may request additional information to prove the card belongs to the user, but often the information that is asked for is easy for criminals to obtain online. Also, bankers may not require any additional information because they want the process to be as painless as possible, experts said.
Bucholtz has suggested that the bank issue a new PIN to register a new card. “This could be a PIN the bank mails to the user or one they have to log into their bank account to access for a one-time registration,” CNBC said.
“Our member banks are reacting as quickly as possible to ensure their verification processes are adequate to thwart this new kind of fraud,” David Pommerehn, vice president and senior counsel at the Consumer Bankers Association, which represents lenders that issue credit and debit cards, told the WSJ.
Do you use Apple Pay? Does this fraudulent activity make you nervous? Share your comments below or on our Facebook page.