Apple Pay might be taking over the world of mobile payments, but as with any new technology there are scammers looking to misuse the service. In the United States, criminals are reportedly using Apple Pay to buy expensive goods, often from Apple Stores, using stolen names and identities.
“I was surprised by the irony, but not by the fact that Apple as a merchant is seeing Apple Pay fraud,” Drop Labs commerce and fraud expert Cherian Abraham tells Cult of Mac. “As a luxury retailer it’s not a surprise that they are a retailer of choice to commit fraud.”
Abraham says banks are scrambling to solve the problem, which is already running into tens of millions in losses for financial institutions. Asked how widespread Apple Pay fraud is, he describes it as “rampant.”
Technically a credit or debit card may only be added to Apple Pay when an issuing bank sends over an encrypted version of the card details to store on the phone. However, this does not always happen. As the U.K.’s Guardian newspaper explains, “[Crooks] are setting up new iPhones with stolen personal information, and then calling banks to ‘provision’ the victim’s card on the phone to use it to buy goods.”
In some cases, thieves will even call bank call centers to alert them that they are going for “a trip out of town” so that situations like a customer living in one place but having transactions take place in another don’t trigger alerts.
The fault, Abraham says, is predominantly with banks, which are not being diligent enough when it comes to provisioning cards, thereby allowing identity theft to take place. “From issuer discussions I have had, Apple Pay fraud is a real and fast-scaling problem,” he says.
“Fraudsters move quickly,” Abraham continues. “They find something they can exploit, they scale quick and then move on. I believe these are sophisticated groups that are handing out pre-provisioned Apple Pay devices to ‘mules’ who walk in to stores and commit fraud on camera.”
But Abraham says Apple isn’t entirely blameless either. “Apple’s responsibility lies in securing the provisioning process end-to-end, so that it can convince the customer adequately that their credentials will not be stolen or used without permission, and the issuer who chose to partner,” he says. “I still believe that Apple was slow in recognizing the importance of the Yellow Path (i.e. when cards require more checks to be employed) and why a haphazard approach to build one will lead to untold losses in fraud.”
Working out the scale of Apple Pay fraud is tricky, since card issuers don’t typically break out fraud losses publicly. Cult of Mac reached out to a pair of large credit card companies, but received no response. Since Apple Pay is used by fewer customers than credit cards are, it is tough to do straightforward comparisons.
“There are no silver bullets here,” says Drop Labs’ Abraham, although he believes a more “layered approach” to security will help cut down on fraud — based on a better verification system for card provisioning.
Ultimately, identity theft is far from a problem that arrived with Apple Pay. If there are ways to make the mobile payment system more secure, however, it would be in the interests of everyone to take advantage of them.