Apple Pay: A new frontier for scammers

The Guardian:

Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details.

Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system.

The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to “provision” the victim’s card on the phone to use it to buy goods.

Bottom line: this is not a flaw in Apple Pay; this is a flaw in bank card verification. I suspect the banking industry will react quickly to this.

Apple’s reaction:

“Apple Pay is designed to be extremely secure and protect a user’s personal information,” the spokesman said. “During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”

Why this won’t be a problem as Apple Pay moves beyond US shores:

Dave Birch, a UK-based mobile payments expert, told the Guardian: “in the UK there probably won’t be a ‘green path’” – meaning that people would have to call their bank to add any card to Apple Pay once it is introduced here.

The US lags behind much of the world in its adoption of secure retail payment systems and mobile payments. “Chip and Pin” systems, used throughout Europe for years, will only become compulsory in the US later this year. As retailers replace old magnetic stripe systems, which were vulnerable to widespread fraud, with new ones, they are also adding NFC capabilities, already used in the UK for Oyster cards and in many shops.

Just in time for the rollout of Samsung’s mag-stripe-dependent LoopPay. Hope they didn’t pay too much for that.