Fraud comes to Apple Pay as criminals exploit weakness in verification process

5 Mar 2015

While Apple’s new mobile wallet technology Apple Pay is secure, criminals are understood to be exploiting a weakness in banks’ verification process that enables them to set up Apple Pay accounts with stolen card details.

So while Apple Pay itself has not been compromised and its encryption has not been broken, it is understood that banks in the US are scrambling to plug a hole in the verification and checking process that criminals have started to exploit.

The situation arises just as Apple prepares to expand Apple Pay to Europe.

Using stolen IDs and card details, the criminals are setting up new iPhones and then contacting the banks to provision a victim’s stolen card and other details in order to buy goods.

Credit or debit card details are added to Apple Pay only after the issuing bank approves the card and sends an encrypted, unique token that is stored on the phone in place of the card details.

As a result of the fraud emerging, banks are moving rapidly to tighten up their verification processes.

Criminals are believed to be exploiting a point in the verification process where the person setting up the Apple Pay account on his or her phone can choose to verify by email, text message, third-party app, customer service call, or Yellow Path authentication, in which a card requires additional provisioning by the bank to be added to Apple Pay.

It is the customer service call route that the criminals are exploiting with success, because some banks ask only for the last four digits of a social security number, information that identity thieves can easily obtain. Once a criminal has the card details and that social security number, the card can be verified for Apple Pay when the bank’s customer agent calls.
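The verification decision described above can be modelled as a small policy. The following is an added illustration for this article, not code from Apple or any bank: it compares a weak policy, which treats a customer service call plus the last four digits of a social security number as sufficient, with a hardened policy that treats such knowledge-based data as hints only and requires a possession factor on a channel the bank already has on file. The request fields, factor names, risk thresholds and sample requests are all assumptions constructed for the example.

```python
"""Provisioning-verification policy for wallet token requests (added example).

Compares two decision policies on the same constructed requests:

  * weak_policy: a customer-service call that matches the last four digits
    of the SSN is enough (the gap described in the article).
  * hardened_policy: knowledge-based data (card number, SSN-4, address) is
    never sufficient on its own; approval requires a possession factor on a
    channel the bank already holds on file.

Request fields, factor names and thresholds are assumptions for the example,
not any bank's or Apple's actual implementation.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up"   # route to a stronger, out-of-band verification
    DENY = "deny"


# Evidence an identity thief can buy or look up: never proof of possession.
KNOWLEDGE_FACTORS = {"ssn_last4", "card_pan", "billing_address", "date_of_birth"}
# Evidence tied to something the legitimate customer already holds.
POSSESSION_FACTORS = {"otp_to_phone_on_file", "bank_app_login", "card_chip_tap"}


@dataclass
class ProvisioningRequest:
    card_last4: str
    channel: str                            # "email", "sms", "app", "call", "yellow_path"
    verified_with: set = field(default_factory=set)
    device_age_days: int = 0                # how long this phone has been enrolled


def weak_policy(req: ProvisioningRequest) -> Decision:
    """Approve the Yellow Path on a customer-service call plus SSN-4 alone."""
    if req.channel in ("yellow_path", "call") and "ssn_last4" in req.verified_with:
        return Decision.APPROVE
    if req.channel in ("email", "sms", "app"):
        return Decision.APPROVE
    return Decision.STEP_UP


def hardened_policy(req: ProvisioningRequest) -> Decision:
    """Require a possession factor; treat knowledge factors as hints only."""
    has_possession = bool(req.verified_with & POSSESSION_FACTORS)
    only_knowledge = bool(req.verified_with) and req.verified_with <= KNOWLEDGE_FACTORS

    # A brand-new device asking to load a card over a phone call, backed only
    # by knowledge-based answers, is the pattern the article describes.
    if req.channel in ("yellow_path", "call") and only_knowledge:
        return Decision.DENY if req.device_age_days < 7 else Decision.STEP_UP
    if not has_possession:
        return Decision.STEP_UP
    return Decision.APPROVE


# Constructed sample requests (not real data).
SAMPLE_REQUESTS = {
    # Long-enrolled phone, verified inside the bank's own authenticated app.
    "legit_app": ProvisioningRequest("4242", "app", {"bank_app_login"}, device_age_days=400),
    # New phone, Yellow Path by call, only stolen card details and SSN-4 offered.
    "fraud_call": ProvisioningRequest("1111", "yellow_path", {"ssn_last4", "card_pan"}, device_age_days=1),
    # Older phone, call with SSN-4 only: plausible customer, still needs more proof.
    "legit_call_step_up": ProvisioningRequest("5555", "call", {"ssn_last4"}, device_age_days=90),
    # Same caller after completing a one-time code sent to the number on file.
    "legit_call_otp": ProvisioningRequest("5555", "call", {"ssn_last4", "otp_to_phone_on_file"}, device_age_days=90),
}


def compare() -> dict:
    """Run both policies over the sample requests and return the decisions."""
    return {
        name: {"weak": weak_policy(r).value, "hardened": hardened_policy(r).value}
        for name, r in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20s} weak={result['weak']:8s} hardened={result['hardened']}")
```

The point of the comparison is that the weak policy approves the fraudulent request and the legitimate ones alike, because it cannot tell them apart on knowledge-based data; the hardened policy denies the new-device, call-only request, sends an ambiguous one for stronger verification, and still approves customers who prove possession of a channel the bank already knows.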

Growing like a weed

On average, 11.5m Americans fall victim to identity fraud every year, a problem that affects 7pc of households. It is estimated that some US$24.7bn worth of identity fraud occurred in the US in 2013.

It is understood that every card issuer has reported some instances of fraud of this kind. According to the security researcher Cherian Abraham, who first noted it, the fraud has hit 6pc of transactions.

“Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked.”

The emerging fraud threatens the integrity and perception of tokenisation and biometrics before they properly go mainstream. So who is at fault here, the banks or Apple Pay?

“What has happened is that Apple Pay itself is basically fraud-proof, so fraudsters have turned their attention to the next weakest link: credit cards before they’re added to an Apple Pay wallet,” explained Rurik Bradbury from Irish secure payments start-up Trustev.

“This is classic fraud via social engineering. Criminals use stolen credit card details (which can easily and cheaply be bought on sites like Rescator.cm) and then trick banks into allowing them to be loaded onto an iPhone. Once loaded onto a phone, they can make purchases until the card is cancelled.”

For its part, Apple has re-affirmed in statements that Apple Pay itself is not at issue and that the weakness lies in the verification process before Apple Pay is activated.

“Apple Pay is designed to be extremely secure and protect a user’s personal information,” Apple has stated.

“During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com