Apple Pay doesn't require a physical credit card. So fraudsters are apparently taking advantage of this and using credit card info stolen from retail breaches.
Criminals are using Apple Pay
to commit fraud by using credit card information stolen in breaches at Target and Home Depot, according to a report
in The Wall St. Journal
Apple did not respond to a request for comment from eWEEK
about the alleged fraud.
The basic premise behind the alleged fraud is that the Apple Pay system does not require the physical card to be present, which is what helps enable the criminal activity.
All that is needed to set up Apple Pay is an iPhone and the information from a credit card, said Patrick Nielsen, senior security researcher at Kaspersky Lab. "So, Apple Pay effectively lets you manufacture a credit card that can be used in stores using information from data breaches," Nielsen said.
Attackers can't use the credit card and Social Security number details from a data breach for much in stores, unless they actually make a physical card or set up a custom near-field communication (NFC) transmitter, Nielsen said. In contrast, with Apple Pay, a fraudster just needs the phone, he added.
"Turning stolen credit card information into cold, hard cash is actually pretty difficult to do online, so it's not at all surprising that this is happening," Nielsen said. "In fact, cyber-criminals going after Apple Pay and other new payment technologies was one of our predictions for 2015."
Damien Hugoo, product manager at security specialist Easy Solutions, also was not all that surprised about the report of Apple Pay being leveraged as a potential mechanism for fraud. When Apple Pay first went live in October, he outlined in a blog post
that there was no disclosure around how the card activation process would work.
At the root of the fraudulent activity is the fact that the physical card is not present; this type of crime will continue to grow, Hugoo said.
With Apple Pay, all the liability is on the banks, Hugoo said. "Apple Pay is just the messenger transmitting and provisioning the card token," he added. "The banks have a need to verify if the card was stolen or not to reduce their risk on payment-related fraud chargebacks."
In contrast, when a user enters a credit card number on an e-commerce site, the site is liable for any payment-related fraud chargebacks, Hugoo said. E-commerce sites invest heavily in fraud-prevention solutions to detect anomalies with devices, users, etc., because they have a vested interest in reducing chargebacks, he added.
Apple Pay does have a number of preventative security measures in the system, according to Nielsen. "When the bank is asked by Apple Pay whether to authorize adding a credit card to your device, information about your iTunes account, location and more are transmitted along with the request," Neilsen said. "Banks can use this information to deny adding U.S. cards to devices that are currently in some country halfway around the world—but these measures are far from perfect."
In some cases, all the data needed to make a legitimate-seeming request, like the real credit card owner's zip code, is included in the information that is obtained from a data breach, Nielsen said.
To further protect against potential fraud, there is more that both Apple and the banks can do to limit risks and improve overall security. A lot of blame is being put on banks, but it's important to remember that Apple is allowing criminals to sign up for fake iTunes accounts, and to add the stolen credit card information before the banks are even asked whether to authorize the card, Nielsen said. He suggested that the process could be made more difficult by Apple.
When any of the details in a card request seem suspicious, the banks should take measures to confirm that the person attempting the authorization is who they say they are, Nielsen said. One challenge is the fact that when some banks regard a request as suspicious, they will just ask for a person's Social Security number (or the last four digits of it) to complete the process of adding the card to Apple Pay, he said.
"In general, we need to stop thinking of Social Security numbers as passwords, when, really, they're more like user names," Nielsen said. "They are a unique identifier for you, but somebody knowing the number does not prove in any way that they are you."
Hugoo said that banks and Apple need to work together to detect stolen credentials early and that starts with getting more data from the device and transmitting it to the issuer bank for risk assessment.
"Mobile devices and the data they contain are such great assets to detect behavioral anomalies. Why not use it?" Hugoo said. "We recommend that banks look into leveraging their mobile apps for additional verification."
While Apple Pay is reportedly being used to commit fraud, Nielsen noted a certain irony in its use by fraudsters: The Apple Pay fraud is enabled by credit cards that were stolen from data breaches at retailers.
"The more you use Apple Pay, the smaller the chance of this kind of fraud affecting you will be, because the technology used is resistant to cross-channel fraud, i.e. leaking your actual card information," Nielsen said. "If criminals can't get your card information from data breaches elsewhere, they can't add it to their Apple Pay accounts."
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist