Apple and its banker pals may have inadvertently lowered the barrier to credit card fraud by adding pay-by-wave technology to iPhones, security experts fear.
Payment cards can be added to Apple Pay by taking a photo of the card and letting the device run optical character recognition over the image to fill in the long card number, expiry date and other details. The numbers can also be typed in manually, so physical access to a card is not needed.
After a credit or debit card is added to an iPhone's Apple Pay, the details are encrypted and sent to the issuing bank along with records of the user's iTunes account activity, transaction history and physical whereabouts, as explained on Apple's Apple Pay support page.
Banks use these records to decide whether to approve adding the card to Apple Pay or to request further checks in a follow-up phone call. The aim is to weed out people adding stolen cards to Apple Pay.
The issue is that some US banks have made this verification easier than it ought to be by asking callers to prove their identity using only the last four digits of their social security number.
Social security numbers are not particularly hard for hackers to obtain, and evidence is emerging that the whole setup makes it easier for crims to rack up fraudulent bills on Apple Pay than by traditional plastic theft.
Imagine a hacker with his or her hands on a database dump of credit card and social security numbers. Adding these to Apple Pay to spend on stuff is too easy, we're told.
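As an added illustration, not Apple's or any bank's real logic, the following sketches the issuer-side decision the article describes: score a provisioning request on the signals named above, route risky ones to a step-up check, and show why a step-up that accepts only the last four SSN digits is satisfied by exactly the data a breach dump already holds, while an out-of-band factor is not. The thresholds, factor names and sample requests are constructed assumptions.

```python
"""Issuer-side risk check for adding a card to a mobile wallet.

Illustrative model only: signals, weights and thresholds are assumptions,
not any real issuer's rules. The point is the step-up policy at the end.
"""
from dataclasses import dataclass

@dataclass
class ProvisioningRequest:
    account_age_days: int          # age of the device owner's store account
    prior_card_transactions: int   # issuer's own history with this cardholder
    device_country: str            # device's reported location
    card_billing_country: str      # country on the card's billing address
    cards_added_last_24h: int      # cards this device has tried to add recently

def risk_score(req: ProvisioningRequest) -> int:
    """Additive score: higher means the request looks less like the real cardholder."""
    score = 0
    if req.account_age_days < 30:
        score += 40   # freshly created account, a common fraud setup step
    if req.device_country != req.card_billing_country:
        score += 30   # device location does not match the cardholder
    if req.cards_added_last_24h >= 3:
        score += 40   # one device loading many cards
    if req.prior_card_transactions == 0:
        score += 10   # no history to compare behaviour against
    return score

def route(req: ProvisioningRequest, threshold: int = 50) -> str:
    """Green path approves silently; yellow path demands step-up verification."""
    return "approve" if risk_score(req) < threshold else "step_up"

# Step-up policies: the set of factors that satisfy a yellow-path request.
# Last-four SSN is knowledge an attacker with a breach dump already has.
WEAK_STEP_UP = frozenset({"ssn_last4"})
STRONG_STEP_UP = frozenset({"callback_to_number_on_file", "issuer_app_login"})

def provision(req: ProvisioningRequest, factors_presented: set, policy: frozenset) -> str:
    """Final outcome for a request given what the caller could prove."""
    if route(req) == "approve":
        return "approved"
    return "approved" if factors_presented & policy else "declined"

# Constructed sample: new account, same country, four cards in a day, no history.
SUSPECT = ProvisioningRequest(2, 0, "US", "US", 4)
# Constructed sample: long-lived account, real spending history, one card.
LEGIT = ProvisioningRequest(800, 52, "US", "US", 1)
```

Run against the samples, the weak policy approves the suspect request on `{"ssn_last4"}` alone, while the strong policy declines it and still approves the legitimate one without any step-up.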
Journalist Charles Arthur reports that total losses are already running into millions of dollars, and are far higher than expected, with about two million Americans using the payment system.
"The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to 'provision' the victim’s card on the phone to use it to buy goods," Arthur wrote in the pages of The Guardian.
It is lax customer verification controls at banks, rather than any inherent security weakness in Apple Pay, that is creating a boon for ID fraudsters, Apple Insider notes.
Cherian Abraham, a mobile payments specialist, warns that fraud enabled by Apple Pay is "rampant", with Apple Stores among the most frequent scam targets. Criminal gangs are handing smartphones to low-ranking members who use them to commit fraud, so it could be that crooks are buying high-end iPhones with embedded payment features in order to further the fraud.
"Tokenization, on-device secure storage and biometrics separately and together are formidable, but the soft underbelly proved to be provisioning of cards into AP [Apple Pay]," Abraham writes on the Drop Labs blog.
Payments expert Avivah Litan of analyst house Gartner independently warned that Apple Pay fraud is "running rampant."
"The bad guys are loading iPhones with stolen card-not-present card information (which is much easier to steal than card present magstripe data) and essentially turning that data into a physical card à la ApplePay," Litan writes.
"The banker speaking about this topic at the conference insightfully pointed out that this scheme was enabling the fraudsters to bridge the CNP (card not present) world with the CP (card present) world. Now they don’t have to even bother with their elaborate infiltrations of large retail chains like Target and Home Depot. They can just steal or buy cheaper CNP card data used for ecommerce transactions and load that data onto a smartphone, thereby transforming the CNP data into a counterfeit physical card used to commit more lucrative CP fraud."
Litan warns that Samsung/LoopPay and MCX/CurrentC (supported by Walmart, BestBuy and other major US retailers) are likely to face exactly the same problems in rolling out contactless payment systems as Apple Pay unless banks tighten up their controls. ®