The story that Apple Pay had been breached and was being used to commit fraud surged like lightning through Web news pages and social networks. But like many stories that go viral on the Web, the early accounts were less than fully accurate. Apple Pay and its security are just fine.
Unfortunately, the same thing can't be said about the banks that are working with Apple Pay. What happened is that the card-verification process some banks use to approve adding a credit or debit card to Apple Pay is very lax.
In fact, the verification process is so sloppy that, in some cases, credit card numbers stolen during the Target breach nearly a year and a half ago are still being approved because a few banks don't even check the list of stolen cards.
To understand how this weakness came about, it's worth taking time to talk about how Apple Pay's approval process works. The normal process for adding a payment card to Apple Pay is to load the card information into an iPhone 6 or 6 Plus using the phone's camera to grab a photo of the card. That photo is then examined by the Apple Passbook software, which extracts the account owner's name and the card expiration date.
Apple Pay encrypts and transmits that data to Apple. Once Apple receives the data, it checks to see if the card is already on file in iTunes and if the phone matches the one in iTunes. If that's the case, the card is approved and added to the Passbook where it can be used for Apple Pay transactions.
Of course, most cards aren't in iTunes already. So Apple sends the card data, plus data on the phone and on the iTunes account, to the bank that issued the card. It's then up to the bank to decide whether the card is valid and is being used by the right person. If the card is verified and approved, then it's added to Apple Pay and appears in the Apple Passbook.
In some cases, taking a photo of the payment card doesn't work, either because the card is too worn for the numbers to be visible or because the card design obscures the numbers. In those cases, the user can enter the information from the card manually. This is when the fraud can happen, because criminals can easily insert the card information gathered from a data breach instead and hope that the bank will verify it anyway.
The verification process depends on the bank. In many cases, a third-party call center will make a verification call and ask for information that could easily have been gathered by cyber-criminals during the same breach that yielded the card number.
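As an added illustration of the issuer-side decision the article says some banks skip (this is example code, not Apple's, any bank's, or the article's): a provisioning check that refuses card numbers on the issuer's known-compromised list and routes manually entered cards, or cards arriving from an unrecognized device, to out-of-band verification rather than knowledge-based questions. The request fields, the HMAC key and the compromised-card list are constructed for the example.

```python
"""Issuer-side check for an Apple Pay card-provisioning request.

Constructed example: field names, the keyed-hash secret and the
compromised-card entries are illustrative, not any real bank's format.
"""
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secret. A plain SHA-256 of a 16-digit PAN is brute-forceable
# (the number space is small and Luhn-constrained), so the compromised
# list stores keyed fingerprints instead of raw card numbers.
_FINGERPRINT_KEY = b"constructed-issuer-secret-rotate-me"


def pan_fingerprint(pan: str) -> str:
    """Keyed fingerprint of a card number, so the list never holds PANs."""
    return hmac.new(_FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


# Constructed list: card numbers the issuer knows were exposed in a breach.
COMPROMISED_CARDS = {pan_fingerprint("4111111111111111")}


@dataclass
class ProvisioningRequest:
    pan: str             # card number as entered or scanned
    entry_method: str    # "camera" or "manual" (assumed signal)
    device_known: bool   # phone/iTunes data matches issuer records (assumed)


def provisioning_decision(req: ProvisioningRequest,
                          compromised=COMPROMISED_CARDS) -> str:
    """Return 'deny', 'step_up' or 'approve'.

    'step_up' means verifying through a channel a breach would not have
    exposed (issuer's own banking app, or a call to the number already on
    file), not questions answerable from leaked card data.
    """
    if pan_fingerprint(req.pan) in compromised:
        return "deny"          # the check the article says some banks skip
    if req.entry_method == "manual" or not req.device_known:
        return "step_up"       # manual entry is where the fraud path begins
    return "approve"
```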