Apple Pay has emerged in a short period of time as the fastest-growing mobile payments platform, but the tech giant and card-issuing banks now have to deal with a potential security issue that reportedly facilitates credit card fraud.
Reports over the last week point to a weakness in the Apple Pay process of loading credit card data onto iPhones that can be exploited by thieves who have already obtained the payment card information elsewhere.
One security expert estimates the fraud rate at a remarkable $6 per $100 of transactions. Fraud “is growing like a weed, and the bank is unable to tell friend from foe,” says the expert, Cherian Abraham of Drop Labs, a mobile commerce consultant.
Apple Pay itself hasn’t been penetrated by hackers. Instead, card data thieves “are entering stolen card data into phones, which can then be used to make purchases without a physical card being present,” reports the Wall Street Journal.
Banks Tightening Verification Steps
Some banks are recording a growing number of fraud cases on Apple’s mobile-payment service as thieves take advantage of vulnerabilities in the verification process of adding a credit card. These banks are tightening the verification process in an attempt to curb the fraud, the Journal reports.
The fraud issue was made public by Abraham, a payment expert who works with banks and retailers on mobile-payment strategies, in a blog post in late February. He said fraud “is growing like a weed, and the bank is unable to tell friend from foe.”
The use of stolen credit card numbers is not unique to the Apple Pay system. Other digital wallet platforms can also be used for e-commerce transactions by fraudsters already equipped with stolen card data purchased in the black
However, Apple Pay’s big selling point is how easy the checkout process is – an advantage to both legitimate customers and resourceful cyber thieves.
Security Flaw Traced to ‘Provisioning’ Process
The security vulnerability arises at an early step of the Apple Pay process, when users add their credit card numbers to Apple Pay accounts through their banks. Fraudsters are simply adding stolen credit card numbers to Apple Pay accounts, then going on shopping sprees using iPhones loaded with the stolen numbers.
According to Apple’s rules, it’s up to credit card-issuing banks to verify the legitimacy of credit cards entered into the system, a process called “provisioning.”
Banks usually require extra steps to validate users’ identities when they’re presented with suspect cards for Apple Pay provisioning. But these extra steps seem to be ineffective.
For example, writes the L.A. Times: “A user might be required to call an account rep and provide such personal information as a Social Security number or street address; but hackers with stolen credit cards often have enough other personal data about their real owners to answer the questions.”
Moreover, banks are trying to make the validation process simpler to avoid frustrating legitimate customers.