The simplicity of Apple Pay is proving troublesome for some victims of identity fraud. The Guardian reports that security at the issuing banks that partner with Apple Pay has proven lax, allowing thieves to easily add stolen credit cards to Apple’s service. The damage so far has apparently risen into the millions of dollars, and banks are scrambling to come up with a fix.
Apple Pay as a service hasn’t been compromised; the methods by which thieves are using the stolen credit cards are to blame, and you wouldn’t believe how simple it is. When a card is added to a user’s Passbook, banks are presented with two different paths: a “green path,” in which the bank accepts the card immediately, and a “yellow path,” which is a slightly lengthier process.
When a card is either scanned or manually entered into Passbook, Apple provides banks with information about the device being used, the device’s location and data about the card’s iTunes transaction history. This allows banks to make a more informed decision before authorizing a credit card to be used with Apple’s service.
The Guardian reports, however, that some banks are making it too easy for thieves by basing approvals on easily obtainable information. For example, if the yellow path is required, a bank might ask for the last four digits of your social security number before making a decision. The problem is that thieves might already have access to that information. The information provided by Apple should allow banks to cross-check the recent activity of a given card and then make a proper determination based on that. But it appears the security measures used by banks are proving too lax for clever thieves.
In order to fix the problem, issuing banks will need to find a more stringent authentication process; otherwise, the problem could run rampant. As part of an agreement banks signed with Apple, the banks will be held liable for any fraud that occurs through the Cupertino company’s platform.
Apple has gone to great lengths to ensure customers are protected when using its service. When a payment is made using Apple Pay, a unique Device Account Number is assigned, encrypted and securely stored in a dedicated chip found within the iPhone 6 or iPhone 6 Plus. Credit or debit card numbers are never shared or revealed, which means the service is even more secure than handing your card over to a merchant.
It seems, however, that the banks themselves didn’t go to such great lengths to ensure customers are protected from fraud, leading to a lot of major headaches. The Guardian says that banks are currently “scrambling” to come up with a fix.