Bad news for Apple Pay. Apparently Apple’s already successful mobile payment service, which launched shortly after the iPhone 6 and iPhone 6 Plus hit the market, is a perfect tool for thieves with stolen credit card data looking to spend your money. The Guardian reported on the problem earlier this month, and a security expert is now also sounding off.
Brian Krebs from KrebsOnSecurity recently published a report that details how hackers can buy card verification codes (CVVs for short) on the black market and use those with Apple Pay. The CVVs, Krebs explained, typically cost as little as $1 per stolen credit card and, in the past, have limited thieves to making purchases online. Since Apple Pay doesn’t require you to show proof of a credit card, however, the CVVs can be used with Apple’s mobile payment system and a hacked iTunes account to make purchases in physical stores using Apple Pay. Hacked iTunes accounts often sell for about $8 a pop.
Here’s how Krebs explains it:
Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.
Krebs said that Apple Pay “makes card fraud cheaper and easier for fraudsters,” even though Apple and its partners have suggested it’s an even more secure option since you’re never exposing your credit card data at checkout. While that may be true, Krebs says that the workarounds for using Apple Pay with already stolen data are the real problem.
It seems that banks and retailers should be asking for proof of identification at check-out. For better or worse, that adds an extra step to Apple Pay, but maybe Apple and its partners can make that easier, and safer, for all.