
Unable to target Apple Pay, criminals unsurprisingly stick to bank fraud, identity theft

Apple Pay is so secure that criminals so far have only been able to take advantage of it by taking advantage of the banks behind it.

Sadly, identity theft and credit card fraud are nothing new. While Apple Pay does an enormous amount to secure the transaction process itself — merchants are given a one-time number instead of the card number to prevent exposure in the case of a data breach, for example — securing the banking process against basic social engineering attacks is something else entirely. When reached for comment, Apple told me:

"Apple Pay is designed to be extremely secure and protect a user's personal information," an Apple spokesperson told iMore. "During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."

Apple provided the same comment to The Guardian following an article which reported:

Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details. Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system.

There's absolutely no way banks have been "caught by surprise" by any of this, though. Not unless they thought Apple Pay was "elfin magic", and even then that would speak to far greater problems in the banking industry than with Apple Pay. These are the same old social engineering attacks being used in the same old way.

It's absolutely a problem for banks and retailers and for people whose identities are stolen, but there's nothing to indicate it has anything to do with Apple Pay specifically. Furthermore, no one should be alarmed about Apple Pay in this context. Just the opposite — Apple Pay appears to be so secure the only thing criminals can do is try and trick the banks at the other end of the chain.

What's more, Apple does a lot to help banks avoid approving illegitimate cards. Apple securely transmits encrypted iTunes account information from the iPhone to the bank. That includes the device name, phone number, last four digits of the card, etc.

Using that information, banks can determine whether or not they'll authorize the card for Apple Pay. Banks can also choose to require a text message, email, customer service call, etc. before authorizing. All of this is publicly detailed in Apple's iOS Security Guide.

Banks are responsible for determining the appropriate balance of convenience and security for their customers. The goal is to keep fraud at an acceptable level while ensuring customers aren't inconvenienced by jumping through a bunch of hoops to use a credit card. If the amount of fraudulent card activation occurring under the banks' current authorization mechanisms is too great, they will correct this by adding additional steps to the manual authorization process when customers call into the bank.

As long as banks and retailers understand and implement the system and safeguards provided, there shouldn't be a problem. The Guardian, to its credit, points this out:

US banks are using a "green path" for cards they approve straight away on such data, and a "yellow path" for cards requiring more checks. But some banks have made the task too simple by asking callers to verify their identity with the last four digits of their social security number (SSN). Though meant to be secret, SSNs are commonly stolen in identity theft, and on average 11.5 million Americans are victims of identity fraud annually, according to US data, with the average incident costing $4,930. In 2013 total losses from ID fraud in the US totalled $24.7bn. Nearly two-thirds of cases involve credit card details.
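As an added illustration (not code from the article, Apple, or any bank), here is what an issuer's green/yellow-path routing on the signals Apple forwards could look like, with the yellow-path step-up forced out-of-band to a contact channel the bank already holds rather than a caller-recited answer such as the last four of an SSN. Field names, method names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not Apple's or any issuer's code; field names are constructed.
# The article lists what Apple forwards to the issuer: device name, phone number
# and the last four digits of the card. Those values originate on the enrolling
# device, so a bank must treat them as claims to check against its own record.

@dataclass
class ProvisioningRequest:
    device_name: str
    device_phone: str
    card_last4: str

@dataclass
class IssuerRecord:
    card_last4: str
    phone_on_file: str
    email_on_file: str
    recent_fraud_alert: bool = False

# Static facts a caller can recite. The Guardian quote singles out SSN last four;
# these are routinely exposed in identity theft and prove nothing by themselves.
WEAK_VERIFIERS = {"ssn_last4", "date_of_birth", "mothers_maiden_name", "home_address"}

def route(req: ProvisioningRequest, rec: IssuerRecord) -> Tuple[str, List[str]]:
    """Green path when every device-supplied claim matches the issuer's record;
    yellow path (with reasons) for anything the issuer cannot corroborate."""
    if req.card_last4 != rec.card_last4:
        return "deny", ["card does not match the issuer record"]
    reasons = []
    if req.device_phone != rec.phone_on_file:
        reasons.append("device phone differs from the number on file")
    if rec.recent_fraud_alert:
        reasons.append("account carries a recent fraud alert")
    return ("yellow", reasons) if reasons else ("green", [])

def yellow_path_challenge(rec: IssuerRecord, method: str) -> Tuple[str, str]:
    """Choose the step-up for a yellow-path card. Knowledge answers are refused;
    the challenge is delivered to a channel the bank already holds, so a
    fraudster must control the victim's phone or mailbox, not just their data."""
    if method in WEAK_VERIFIERS:
        raise ValueError(f"{method} is not an acceptable yellow-path check")
    channels = {"sms_code": rec.phone_on_file, "callback": rec.phone_on_file,
                "email_link": rec.email_on_file}
    if method not in channels:
        raise ValueError(f"unknown verification method: {method}")
    return method, channels[method]

if __name__ == "__main__":
    rec = IssuerRecord("4242", "+15550100", "owner@example.com")  # constructed
    legit = ProvisioningRequest("Owner's iPhone", "+15550100", "4242")
    fresh = ProvisioningRequest("iPhone", "+15550199", "4242")  # new device, new number
    print(route(legit, rec))                      # ('green', [])
    print(route(fresh, rec)[0])                   # yellow
    print(yellow_path_challenge(rec, "sms_code"))  # ('sms_code', '+15550100')
```

Note that the SMS code goes to the number on file, not to the phone number the enrolling device reported, which is the whole point of the yellow path.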

The paper cites a Drop Labs post on "green" vs. "yellow" path which also includes the following:

Though what follows was written in the context of Apple Pay, much of it translates to any other competitor – irrespective of origin, scale, intent, or patron saint.

Again, this has nothing to do with Apple Pay. Hopefully the banks targeted, however, will figure out how to better make the call on who and how they authorize cards.

Nick Arnott contributed to this article.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

37 Comments
  • Well, there is always Samsung Pay ;)
  • I saw what you did there :)
  • Try as you may, Rene, the tech media universe will blame this totally on Apple. Apple Pay will be described as a fraudster’s delight. Just like Chinese labor issues, Greenpeace tantrums, overseas tax havens, etc., this will be all Apple’s fault. Wait for it.
  • Exactly! Whether this is on the bank's end or not, it involves an Apple product or service, so they'll get the blame and the bad press, unfortunately.
  • Be they Forbes or NYT.. They don't care .. it's all about traffic readers... Some put a little more effort to fact checking than others... That said.. I'm very surprised The Guardian even bothered to make note at the end it wasn't really an Apple issue; but a bank verification process failure. Probably just protecting their own skins... Bait and Switch title reporting.. hate that.. Really they just wanted to take advantage of the chance to put Apple in the title.
  • And that's sadly a major problem with so called modern 'journalism'. Posted via the iMore App for Android
  • Rene's articles are hook and bait to some and to others good advice and sound reporting.
  • You are *so close* to getting why the banks may have been caught by surprise: "What's more, Apple does a lot to help banks avoid approving illegitimate cards. Apple securely transmits encrypted iTunes account information from the iPhone to the bank. That includes the device name, phone number, last four digits of the card, etc." If I am reading the article correctly, that was exactly what happened here -- scam artists steal people's personal information, and then set up apple accounts with that information. This information which was then (in part) transferred to the bank. The key point here is that *the banks trusted that Apple had vetted this data*, and Apple clearly had not. Just as clearly, as financial institutions the banks are at fault for not checking in greater detail, but, if Apple wants to get into financial services more than for just its own stores, it is going to need to shoulder some of that burden, as well. Edit: Just to double clarify -- the banks screwed up here, no question.
  • My read is that Apple is providing information and secondary check procedures banks may not be using. Since only banks have the complete customer picture, only that can make the call on authorization. Again, seems no different than any other identity theft and fraud attack, the only difference is that the card is in Apple Pay instead of a leather wallet. What else would you like to see Apple do, that Apple could conceivably do?
  • The problem I see here, is if this was Google wallet or Samsung Pay, your article would be attacking those services vs playing the apologetic role and stating how Apple did everything it could. You would NEVER say Samsung did everything it could or Google did. This is why I prefer android central over this site. They never attack apple. They state both sides of the argument. All you do is praise Apple here and throw every other thing under the bus. Even with the announcement of Samsung Pay you made it seem as if Samsung copied Apple, though google wallet has been out for years AND the big difference here is Samsung is actually innovating by adding MST support which will be a game changer. Even google didnt bring this on board. But you never give credit where it is due unless its to the almighty Apple
  • the article offers a suggestion: "the only thing Apple could have done better was to anticipate the problem, made it mandatory [to call] and helped build a better ‘yellow path’" While Apple is clearly not at fault, this article highlights that Apple Pay and other secure payments methods aren't very secure at this time as they claim to be as security is only as strong as the weakest component (and this appears to be the banks). If Apple provides users access to a bank that doesn't take security seriously, Is Apple to blame? (most would argue no, but some may differ)
  • I was not clear enough - my fault. This is no different than any other identity theft, other than the Apple vector. The banks should be checking, and it is ultimately their responsibility here. However, if Apple has designs on the iTunes/iCloud identity applying outside of Apple - and it appears they do - they also need to take stronger verification measures themselves. You correctly say that banks may not be using Apple's secondary information, but you do not take the next step of noting that in these fraud cases the banks would have been better off without *any* information from Apple, as Apple's information on those users was fraudulent. Setting aside for the moment that banks should not trust anything, how much confidence does that generate in your business partner when you cannot know if the information (s)he passes is legitimate? As for what Apple can do, I don't know - it depends how deeply they want to embed themselves in financial services. If the above does not bother them, they don't have to do anything other than remind the banks they (Apple) are not authoritative. If they have grander designs, then yes, they are going to have to set up some manner of independent verification.
  • There is no doubt that the Apple Pay system is secure due to the use of encryption methods and one-time tokens, but the system is obviously still being targeted through the use of identity theft and fraud at the weak end of the system, which is the banks verifying the card and person's identity. This is the banks' issue as stated and not Apple's directly, but your article title is so wrong, as these criminals are targeting the Apple Pay system by using the bank exploits; after all, according to the article they aren't using the person's physical credit card, they are using Apple Pay to complete transactions, so you really should be more factual, Rene. It would be interesting to see the stats on Google Wallet mobile payments for purchasing fraud as a comparison, as I've never heard of this happening with Google Wallet.
  • What's incorrect about the title?
  • "Unable to target Apple Pay" – that's what's wrong with the title. These criminals are targeting Apple Pay through identity theft and credit card fraud to use Apple Pay for purchases.
  • I think the title should have read "With Help from Apple Pay, Criminals Are Committing Identity Theft"
  • It should read:
    "Through targeting Apple Pay, criminals unsurprisingly achieve bank fraud, identity theft"
  • And this is why Apple must start their own bank. I'd be first in line.
  • Private and secure my ass. This fraud is nigh impossible to carry out on Google Wallet.
  • How? I have Wallet, but if you stole someone's credit card and put it in your Wallet account, wouldn't host card emulation in Wallet also help conceal transactions from a stolen card just like here?
  • Nope, you'd be alerted immediately. You get an email, and a notification on all your devices, every time the wallet app is activated, a new card is added/removed, the PIN is changed, or a purchase is made with Google Wallet. Those are the benefits of a secure cloud-synced backend. I remember Wallet refusing to allow a card I shared with my wife. They needed address verification and other proof.
  • Oh yeah you are right I forgot
  • I don't have Google Wallet (or Apple Pay for that matter). If someone stole my credit card, then set up a GW account with it this process would not provide me any protection at all. So, question for someone with Apple Pay knowledge, would trying to re-use an already registered card trigger some kind of fraud prevention in Apple's system? At the moment it looks like Google have better off-device security and Apple have better on-device security, but they both have the same potential problems for identity/card theft.
  • Apple Pay doesn't have a cloud backend, so I doubt it does.
  • In other words, you don't know.
  • Yes it would. If the card were previously registered with a different iTunes account it should be declined in the set-up process. I suspect the fraudsters are using cards that were never previously registered and linking them to fresh new fake iTunes accounts. The fraud being committed as described in The Guardian's article is perpetrated using stolen credit cards and ID, the criminal's iPhone, and a fake iTunes account. Setting up a new CC for use on Apple Pay encrypts & sends your CC details, and your device name (i.e. chr0m4tic's iPhone) to Apple, where it is decrypted, added to your iTunes account info and purchase history, re-encrypted and forwarded to the card's issuing bank for verification and approval.
    If banks were performing due diligence to prevent fraud they would only 'Green Path' customers with a long-standing iTunes purchase history. All others should be 'Yellow Path' for further checking.
  • I have two-factor verification on my Apple account and it alerts me all the time; I can't even sign into iCloud without having a trusted device with me. I doubt Apple isn't alerting Apple Pay users anytime a new card is added.
  • The problem is Apple, the media, made Apple Pay out to be foolproof and the end to fraud. But as we find out it's just as vulnerable as the rest of them. Give it a little time and the thieves always figure a way around security.
  • Link please, or it didn't happen.
    Apple Pay was never portrayed as foolproof in the media. It is, however, much more secure than the magnetic stripe system currently used in the U.S.
    No security system is perfect, nor does it have to be. It just needs to be good enough to make the criminals look for easier targets elsewhere.
  • Apple Pay is so flawless, yo!
  • You didn't read the article did you, yo!?
  • As we have just found out once again, a data processing system is only as good and foolproof as the validity of the information ENTERING the system at one or other end, and it has always ever been thus. Very much like introducing bit/byte errors at the ingress point of a fibre-optic link, a properly-functioning SDH/SONET system will faithfully reproduce the same errors at the egress point. In short, garbage in, garbage out... Having been the victim of a social engineering identity theft attack, I know only too well that the safeguards already in place (secret word, PIN etc.) are only as foolproof as the various bank/merchant call-centres allow them to be. A clever fraudster called up the Customer Centre of my bank claiming to be a victim of identity theft, and then pretended not to know the full details of my account (I had a secret word and PIN set up) - it was simply sufficient for the thief to claim he/she was a victim, and pretend to panic, sob and weep, for the operative to skip the final authentication step and change my PIN in response to what was perceived to be a distress call. Thankfully (not luckily, but by my design) I had set up SMS text alerts for heavy withdrawals from my checking account, and through my online banking facility, caught the fraud on the 3rd day of ATM withdrawals. The bank instantly recognised that its Customer Centre had not been stringent enough with regard to ID authentication and refunded the amount taken without my having to file a claim, in a matter of hours of my alerting them...
  • Yes, Apple is perfect, as you've repeated time and time again. I am sure they will never get hacked and when they get hacked, it won't be their fault (iCloud). Nearly a trillion dollar market cap and iTunes still isn't web based. Pure crap!
  • Meow! And web based? Ew Sent from the iMore App
  • I seriously feel like the biased editorials and reporting are almost sponsored. It almost feels like someone has found a "talking head" to manipulate. I know that's not the case; it just reads that way. These articles have been coming hot and heavy in the last few weeks. We would go a week or so without reading fanboy vomit, now it seems like it's a headline 3 or 4 times a day. Smells fishy.
  • For many years I have read the "talking head" articles before sleeping. I sleep well when I read crap articles, and Rene is full of crap ;)
  • I feel the same about the verbal diarrhoea in the comments from owners of other manufacturers' smartphones.