Apple Pay actually makes it really easy to commit credit card fraud

Loading a stolen credit card on Apple Pay is too easy. Photo: Buster Hein/Cult of Mac

When Tim Cook unveiled Apple Pay last year, the company hailed it as a simple contactless payment solution that also brings extra security to credit cards. According to one report, however, Apple Pay is actually making it easier for scammers to commit credit fraud.

Apple Pay’s security problem has nothing to do with Touch ID, NFC, Apple’s secure element, or stolen iPhones. All of that is locked down as tightly as Apple advertised. The problem, according to an unconfirmed report from Drop Labs, is that Apple Pay is so easy to use that fraudsters don’t even have to create a physical fake card anymore.

According to Drop Labs’ report, scammers have gone with a much more low-tech way to take advantage of Apple Pay. Instead of hacking the hardware, fraudsters are just buying stolen consumer identities, complete with credit card info, and loading that into Apple Pay. This allows them to create a fake digital credit card without going through the hassle of printing it out on plastic to use in stores.

Stolen credit card data has been around since long before Apple Pay, so there’s not much Apple can do about that. The problem is that banks aren’t taking all the necessary measures to ensure the actual credit card owner is the one adding the card to Apple Pay.

Banks have the choice to authenticate Apple Pay cards with a two-factor code sent to the owner’s phone number. Apple also gives banks the option to have card holders phone into a call center to authenticate. The call-in authentication is much easier for fraudsters to pass, but most banks have gone with this option anyway.

Regular credit cards have an average fraud level of 1%, meaning $1 out of every $100 charged is fraudulent. But Drop Labs claims some Apple Pay banks have seen their fraud levels jump up to 6%. Apple and its banking partners can easily fix this by dropping the call-in option altogether, and we expect fraud rates will drop soon. But this just proves even the strongest chain is only as good as its weakest link.

Via: Gizmodo

  • aaloo

    Wow. How can banks be so stupid.

  • RosynaKeller

    This doesn’t make any sense. Even if you call the bank to do the 2FA, you have to include a lot of personal information (like SS#, Address, Phone number) that is not part of the card. And then when the bank does approve it, the bank notifies you via SMS or via their mobile app (which requires login credentials or that your phone number be in their system) or via email (that you’ve previously set up).

    Basically, you need a substantial amount of additional information before an iPhone is approved for Apple Pay, which makes it a hell of a lot easier to just print out a fake card.

    • BusterH

      SSN, DOB, Address and more info is included when you buy a stolen card so it’s easy to get through verification.

      • RosynaKeller

        Then that would make this identity theft, not simple credit card fraud as the title would suggest. Also, it’d be up to the bank to verify the person’s identity, not Apple.

        And for my bank, Chase, they would NOT accept me calling into their call center to verify details, the option was for them to call me, based on the number they had. Same for other methods of getting an activation code, every method that was an option had them contacting me based on the contact information they already had (or I could log into their mobile app).

        In no way is this making credit card fraud easier. It’s still much, much easier to print out a fake CC.

      • ShitIconSays

        Or to buy online for that matter.

      • Hubris00

        RosynaKeller,

        So are you implying that if you changed your phone number for some reason and contacted CHASE, they would say, “I can’t speak with you because your phone number isn’t the same as what we have in our system?” Because I highly doubt that’s what they would do. In fact, I’m almost certain they would say, “Sir or Ma’am, can you provide me your SSN, DOB and the credit card number on file.”

        Which one is more private, a cell phone number or SSN? Contact information is the most volatile information source that a person has.

      • RosynaKeller

        That’s kind of my point… but they call you via an automated call (if you choose that option) to verify the information for Apple Pay. If you’ve changed your number… then you might have to go to a bank branch or something before you can sign up for Apple Pay (the correct thing to do is for the bank to deny Apple Pay signups if you choose to be contacted in a way that has changed recently, because who loses access to their registered cell phone number, SMS, their email, and their bank login credentials all at the same time *and* wants to sign up for Apple Pay on an iPhone 6 that somehow doesn’t have access to any of those?)

        The point is, the responsibility is entirely on the bank to verify details. It’s not Apple and Apple Pay doesn’t make credit card fraud any easier whatsoever, despite what the title of this article states.

      • Hubris00

        I understand what you’re saying and I applaud Chase for implementing a good process, if it works. Also, I agree with you, the banks have some responsibility, but so does Apple Pay, VISA and other card processors. The process by which companies implement new technology is a group effort and more intricate than what you may think.

  • Mike

    Calling bullsh!t on this one…
    – You’re informed by your bank once a new card has been added
    – What phone are you going to use? Because it better be stolen as well, as the phone’s details are now also linked to the card (so authorities could find out who owns the phone committing the fraud).
    – You’ll need to know the individual card holder’s personal information (ss#, pin, etc), when two-factor auth kicks in.

    • Jeo Ten

      Yep.

  • JK

    As someone that works in PCI compliance – I’m just going to say that this report is idiotic. Fraud is not made any easier by Apple Pay over existing methods of using stolen identities, and having just completed contract work with 3 very large banks on their Apple Pay implementations, I’m going to also say that the 6% number is completely, utterly, 100% bogus.

  • Greg_the_Rugger

    Is it Gizmodo the one banned from any and all Apple events? Humm.

    • BusterH

      think they got into the last two actually

      • Greg_the_Rugger

        Anyone using the phrase “broke-ass” should be banned.

  • Steve

    1a. bank txts the phone-on-record to confirm the credit card (like 2-factor authentication)
    — or —
    1b. when adding the card, an email address is included, and verified by the bank.
    2. problem solved.
    3. I’m in favor of getting a txt whenever my ApplePay CC is used; #earlyfrauddetection

  • Jeo Ten

    Change the title of this article now. You are incorrect to call this credit card fraud or to suggest Apple Pay makes it easier.

  • OhStopItYou!

    So if the fraudster decides to commit Identity theft, he/she has total access to your credit cards and can go on a spending spree?
    (If this did happen to physical cards, banks are much more sympathetic, wonder what their reactions will be when you say you didn’t buy all the products that they say you bought)

  • Mau Sandoval

    You guys are so full of shit it probably hurts your butt.

  • greensworld

    Why say that it is APPLE PAY that makes fraud easier when in fact it is the banks not doing what they should do to authenticate the cards – but I guess less people would read the article if it said that the banks did it ;)

  • Hubris00

    Yes, this article does have a few facts incorrect, but the premise of what is being stated is true. Apple Pay isn’t 100% secure and can be abused pretty easily. Fraudsters are registering cards to Apple iPhones using stolen identities, passing security verifications with financial institutions and making fraudulent transactions. This process is referred to as account takeovers or identity theft. However, this could hardly be blamed on financial institutions. I would imagine it’s very difficult to detect social engineering when the person has all of the customer information. If you think it’s hard to get a person’s information you’re sadly mistaken. This type of activity is occurring because Apple Pay doesn’t require verification from service providers, which makes some sense in regard to convenience. Overall, the PCI industry is going through a huge renovation and implementing a lot of new technology as more people cross over to cyber crime. There are going to be flaws within the system and updates.

    • RosynaKeller

      Apple Pay does require verification from banks… that’s the entire point. The bank has to OK the linkage and the bank has to generate the new fake CC number (PAN) and send it back to the iPhone.

      And there’s nothing saying this theoretical attack is actually being used, it’s all unconfirmed.

      • Hubris00

        I was actually referring to cell phone service providers when I said, “Apple Pay doesn’t require verification from service providers.” But as I implied I understand that it could be an inconvenience or near impossible. It’s just my opinion that another layer of security verification from this source could be helpful. Also, these kinds of fraud strategies have been confirmed. However, I don’t know if the 6% increase is true.