Apple Pay might be taking over the world of mobile payments, but as with any new technology there are scammers looking to misuse the service. In the United States, criminals are reportedly using Apple Pay to buy expensive goods, often from Apple Stores, using stolen names and identities.
“I was surprised by the irony, but not by the fact that Apple as a merchant is seeing Apple Pay fraud,” Drop Labs commerce and fraud expert Cherian Abraham tells Cult of Mac. “As a luxury retailer it’s not a surprise that they are a retailer of choice to commit fraud.”
Abraham says banks are scrambling to solve the problem, which is already running into tens of millions in losses for financial institutions. Asked how widespread Apple Pay fraud is, he describes it as “rampant.”
Technically a credit or debit card may only be added to Apple Pay when an issuing bank sends over an encrypted version of the card details to store on the phone. However, this does not always happen. As the U.K.’s Guardian newspaper explains, “[Crooks] are setting up new iPhones with stolen personal information, and then calling banks to ‘provision’ the victim’s card on the phone to use it to buy goods.”
In some cases, thieves will even call bank call centers to alert them that they are going for “a trip out of town” so that situations like a customer living in one place but having transactions take place in another don’t trigger alerts.
The fault, Abraham says, is predominantly with banks, which are not being diligent enough when it comes to provisioning cards, thereby allowing identity theft to take place. “From issuer discussions I have had, Apple Pay fraud is a real and fast-scaling problem,” he says.
“Fraudsters move quickly,” Abraham continues. “They find something they can exploit, they scale quick and then move on. I believe these are sophisticated groups that are handing out pre-provisioned Apple Pay devices to ‘mules’ who walk in to stores and commit fraud on camera.”
But Abraham says Apple isn’t entirely blameless either. “Apple’s responsibility lies in securing the provisioning process end-to-end, so that it can convince the customer adequately that their credentials will not be stolen or used without permission, and the issuer who chose to partner,” he says. “I still believe that Apple was slow in recognizing the importance of the Yellow Path (i.e. when cards require more checks to be employed) and why a haphazard approach to build one will lead to untold losses in fraud.”
Working out the scale of Apple Pay fraud is tricky, since card issuers don’t typically break out fraud losses publicly. Cult of Mac reached out to a pair of large credit card companies, but received no response. Since Apple Pay is used by fewer customers than credit cards are, it is tough to do straightforward comparisons.
“There are no silver bullets here,” says Drop Labs’ Abraham, although he believes a more “layered approach” to security will help cut down on fraud — based on a better verification system for card provisioning.
Ultimately, identity theft is far from a problem that arrived with Apple Pay. If there are ways to make the mobile payment system more secure, however, it would be in the interests of everyone to take advantage of them.
Luke Dormehl is a U.K.-based journalist and author, with a background working in documentary film for Channel 4 and the BBC. He is the author of The Apple Revolution and The Formula: How Algorithms Solve All Our Problems … and Create More, both published by Penguin/Random House. His tech writing has also appeared in Wired, Fast Company, Techmeme and other publications.
17 responses to “Apple Pay fraud already ‘rampant,’ expert claims”
This isn’t an Apple Pay problem – it’s an ID theft problem, which will happen with or without Apple Pay. However I do agree that the banks should be more restrictive with how the provisioning works. Seems to me like requiring the full card details (cc number, exp, CID, etc.) along with sending a text to the primary account holder’s phone to verify would clear most of this up. Of course you’ll never totally eliminate it, because like I said, it’s an ID theft problem.
Yeah, but the article will draw more clicks if Apple Pay is used in the heading. ID theft… happens all the time boring. Apple Pay fraud… Apple foul-up exciting.
People always want to read about how Apple messed up in some way even if it’s merely a false rumor.
More like clickbait.
ID theft on digital systems can only happen if security is weak…
Cherian Abraham – Moron of the first order, taking through his butthole as usual. I would discount 100% of everything this douche has to say.
I guess the thief must be stupid enough to use Apple Pay which is traceable through his iCloud account and iPhone or iPad.
It isn’t about Apple or iCloud. It’s about banks not checking where they send credit cards to. Chances are many of these victims may not even be Apple customers, just suckers whose ID has been stolen. So the crooks create their own iCloud account with the victim’s name and so forth, get a bank issue credit card associated with that account, and spend like crazy until the card is busted. At no time does the actual person have to be a current or former Apple customer.
If banks aren’t reporting the fraud publicly then where is the information being sourced from that can cite a word such as “rampant” to quantify the amount of fraud taking place?
I’m not denying it’s happening but the hyperbole should be kept to a minimum until actual data is provided. Rampant would suggest ALL banks and ALL credit cards have fallen victim to this scam. If it’s just one or two banks that aren’t taking the proper precautions then this is far from just the fault of Apple Pay. At the end of the day it’s the responsibility of the bank to prevent fraud from taking place because the buck, in every literal sense of the word, stops with them.
Cherian Abraham is on the board of SimplyTapp. This “rampant” fraud report is nothing more than a corporate hit piece. Ignore.
Makes you wonder if the author was paid for this piece?
This news was fabricated by the Guardian. They were the ones who also fabricated that Apple didn’t care about workers safety in China.
Sure there is fraud that happens with all credit cards. But I think its unfair to single out Apple as main culprit here.
To me, the article is nothing more than click-baiting. I guess those at the Guardian have nothing better to do then try to use Apple’s name in vain to garnish enough hits on their website. They don’t care if the story is real or not which makes for shobby journalism.
It is garbage. Cherian Abraham is involved with a NFC payment company called SimplyTapp.
I’m sorry, but I’m calling BS on this. You can’t call up a bank and pretend to be someone without passing security questions first. Also, how is it Apples responsibility if someone steals a credit card in transit to the card owner? Clickbait alert!!!
Luke, I think you need to add a disclaimer on this clickbait. Cherian Abraham works for and is connected to SimplyTapp, an Android NFC payments company. Were you paid to write this?
Other than this guy’s say-so, is there any actual evidence of the problem he says exists? He gives none.
What’s so different from a thief taking a regular photo of your credit card and misusing it the usual way? Way to be sensationalist and point the finger at Apple for this.
There is a better solution, it’s called bitcoin.