by Al Sacco

Fraudsters Use Apple Pay to Exploit Stolen Payment Card Data

News Analysis
Mar 05, 20153 mins
Consumer ElectronicsFraudiOS

The on-device security safeguards built into Apple Pay appear to be unbroken, but fraudsters reportedly came up with another way to exploit the mobile payments system, and experts say the problem is 'rampant.'

Man, those Big Bad Fraudsters sure are wily.

Despite Apple’s gallant efforts to ensure that your payment information remains secure when you employ Apple Pay to purchase all of your hearts’ desires with your iPhone, criminals apparently found another crafty way to exploit the new-ish mobile payments system.

iPhone-toting villains are apparently adding stolen payment card information to their phones so that it can be used in stores to make purchases. Ironically enough, many of those fraudulent Apple Pay purchases were reportedly made in Apple’s own stores. Ouch. 

[Related: 4 Security Tips for Apple Pay Users]

The news here is not the method; these exploits were brought to light months ago. Rather, it’s the scale at which this type of fraud appears to be ramping up. Gartner vice president and “distinguished analyst” Avivah Litan says Apple Pay fraud is “rampant.”

From a Gartner blog post by Litan

“Turns out the bad guys are loading iPhones with stolen card-not-present card information (which is much easier to steal than card present magstripe data) and essentially turning that data into a physical card a la Apple Pay.” 

apple pay credit cards primary 100413350 orig

In other words, a criminal steals or buys a pile of purloined credit card information. Instead of using it online or going through the process of creating a dummy card, he simply adds card data to an iPhone 6, walks into a retail store, loads a shopping cart with pricey techno-junk, smiles at the cashier, then touches his phone against an NFC PoS terminal and authenticates the transaction with a tap of his grimy finger on the Touch ID reader.

Instead of stealing payment data from Apple Pay users, these guys get the sensitive information from another source and then use Apple Pay to turn it into goods. Back in October, I spoke to a handful of payments experts about Apple Pay, following its initial release, and I don’t think any of them saw this one coming.

Cherian Abraham, founder of DROP Labs, a financial consultancy focused on banking and retail, has covered the festering issue for months, and he says Apple Pay fraud recently “graduated from an itch to a raging infection.”

Abraham also notes, however, that Apple is not entirely to blame, and that its implementation of Apple Pay, at least on the iPhone, remains mostly secure.

“Tokenization, on-device secure storage and biometrics separately and together are formidable, but the soft underbelly proved to be provisioning of cards in to AP [Apple Pay],” Abraham wrote.

visa mastercard excited by apple pay

It’s the authentication process for when you add credit cards to Apple Pay that’s the problem, according to Abraham. However, while card issuers need to strengthen the system, Apple plays a part because it didn’t demand a stricter card-user authentication process when it launched Apple Pay. And Abraham says it should have known better. I won’t get into details of that authentication process (check out Abraham’s insightful blog posts on the subject if you want more specifics), but it’s safe to say that Apple Pay has proven to be a valuable tool for fraudsters.

Apple is expected to release its Apple Watch, which will also support Apple Pay, in the near future. If the company and its payment card partners don’t resolve this issue promptly, the Apple Watch, which should cost less than a new iPhone 6, could quickly become the gadget of choice for credit card thieves.

Samsung also announced its own phone-based payments service, Samsung Pay, last week, so let’s hope that company learns from the mistakes of Apple and its credit card partners and shores up these potential holes before the Samsung Pay launch this summer.