Last week, I wrote about a trend in credit card fraud, as part of which the bad guys apparently use iPhones, the iOS Passbook mobile wallet and Apple Pay to turn purloined credit card numbers into goods at brick-and-mortar retailers, including Apple stores.
Some payments experts say Apple Pay fraud is "rampant."
In that article, I suggested that the Apple Watch, when it's released in April, could take this troubling trend a bit further, because it also supports Apple Pay and offers a cheaper option than buying a new iPhone, at least without a carrier subsidy. Before I get into the potential Apple Watch fraud, here's how Apple Pay on the Watch works.
Apple Pay on Apple Watch
To add payment cards to Apple Watch, you simply open up the companion iOS app, which is now available in iOS 8.2, and use the Passbook & Apple Pay option to enter credit card data. After you save the information, and Apple runs a quick check for potential red flags, you're good to go. (It's unclear whether or not the Watch will automatically import payment information iPhone 6 users already store in Passbook.)
Next, you head on over to a local retailer with NFC-compatible POS terminals, pick up some goodies, head to the cashier, double-tap the bottom button on the side of the Watch and then hold it close to the payment terminal. The Watch pings and vibrates to let you know that the transaction was successful.
For security purposes, you have to authenticate yourself via a passcode anytime you remove and replace the Watch and then try to access Apple Pay. So while Touch ID authenticates Apple Pay purchases when you use an iPhone 6, a passcode protects your card information when you pay via Apple Watch. After you type in your code once, you don't have to retype it to make additional payments — as long as you don't remove the device, causing it to break contact with your skin. (It's unclear how this will work for people like me, who loosely wear their watches or bracelets, so they're never in contact with skin for long.)
Apple Watch and Apple Pay fraud
Shortly after Apple's latest gizmo fiasco in San Francisco, during which it showed off the Apple Watch but offered little new information aside from price ranges for the three different models (pricey, very expensive and holy $#!&) and release information (preorders start April 10 for a planned April 24 ship date), I started researching Apple Pay on the Apple Watch to see what kind of role the timepiece could play in mobile payments fraud. (Hit this link to see Apple's Vice President of Technology, Kevin Lynch, spend less than a minute of the company's 90-plus-minute presentation on Apple Pay via Apple Watch.)
First of all, Apple isn't talking about security specifics. Very few details are available on the company's website, besides a casual statement about the "unique security features built into Apple Watch." I reached out to Apple twice during the past week, but I'm still waiting on responses to my questions. I'll update this post with relevant information if I get any.
Second, you need an iPhone to do just about anything on the Apple Watch. It is, after all, a companion device, and without an iPhone buddy it does little more than track your steps and, you know, tell time. So, you can't use the Apple Watch to pay for goods with Apple Pay without an iPhone, though some reports suggest you don't necessarily need to have your iPhone with you to use Apple Pay on the Watch. The need for iPhone to setup Apple Pay kind of changes my initial take on the Watch's potential to increase related fraud, but I still think it could play a significant role. Here's why.
Apple Watch and cheap iPhone cost less than iPhone 6
The villains I mentioned who exploit Apple Pay to make fraudulent purchases don't steal iPhones to use owners' payment information. Rather, they buy or steal card data from another source and then add it to their own iPhones and use Apple Pay to turn that data into something physical that can be used in stores. (Again, check out my recent post for specifics on how this works.)
Today, you need an iPhone 6 or iPhone 6 Plus to perpetrate such a crime, because they're the only Apple devices that support in-store Apple Pay. Both of these devices are relatively expensive, especially if you’re buying one off contract and without a subsidy. (I assume few thieves will commit to multi-year service contracts.) More specifically, an unlocked 16GB iPhone 6 costs $649, while an unlocked 16GB iPhone 6 Plus goes for $749 in Apple's online store.
However, the Apple Watch works with earlier iPhones, including the 5 and 5s. Starting on April 10, bad guys will be able to purchase the cheapest version of Apple Watch for $349 and then jump on eBay (or some similar site) and snag a used iPhone 5 or 5s for as little as 99 cents. When their Watches arrive during the week of April 24, they'll have everything they need to exploit Apple Pay, at a cost that's significantly less than an iPhone 6 or 6 Plus. And, according to Apple, it's even more convenient to pay with Apple Pay using the Apple Watch.
I know that Apple and its card-issuer partners are working to shore up gaps in the Apple Pay user-authentication process, but until they do the bad guys will keep hopping through those holes. While the security safeguards built into Apple Pay and the Apple Watch may prove to be rock solid — they haven't been cracked on the iPhone 6, as far as I know — Apple's first smartwatch could still prove to be a valuable tool for thieves who want to use stolen payment information in stores because it doesn't require a new, expensive iPhone to use Apple Pay.