News Feature | March 10, 2015

Is Apple Pay Really Secure?

Source: Innovative Retail Technologies
By Christine Kern, contributing writer

Security of payment system questioned, reveals bank verification issues.

Apple Pay is being hit by multiple fraudulent transactions using stolen identities and payment credentials, according to the Wall Street Journal.

The Guardian first reported fraud issues with Apple Pay, and the story spread like wildfire. However, it appears that not only is the problem less widespread than first suspected, but it is also a verification problem at banks and not a problem with Apple Pay’s mobile encryption.

But although initial reports that the problem was alarmingly widespread have been tempered, the discovery reveals a critical flaw in the system, with the problem resting largely with banks. The Guardian reported that “banks are rushing to stem the tide” of fraudulent transactions utilizing Apple Pay.

Apple Pay’s fingerprint encryption hasn’t been breached; instead thieves are creating a work-around by setting up new iPhones with stolen data and calling banks to verify details. Ironically, thieves are apparently targeting Apple stores in particular because they’re guaranteed to accept the mobile payment system, not to mention stock the iPhones needed to further the scam.

“At this point, every issuer [bank] in Apple Pay has seen significant ongoing provisioning fraud via customer account takeover,” said Cherian Abraham, a mobile-payments specialist who is a consultant to US finance groups, on his blog.

Abraham explained that the scams are run by organized gangs: “In some cases, fraudsters are calling the [bank’s] call center themselves to ‘alert them to a trip out of town’ so that fraud rules looking for transaction anomalies (such as a customer living in California and transacting in Miami) do not trip up [as] fraudulent transactions.”

The reality is that thieves will continue to exploit weaknesses in any system, a fact that retailers, banks, and credit card companies have to accept. With each new technology, new methods of compromising it will soon follow.

“We should see Google, Samsung, PayPal, Amazon, and many others [offering mobile payment solutions] in the near future,” mobile payments specialist Cherian Abraham told the Verge.

“If so, it quickly becomes clear that a call center-oriented approach does not scale, when I have a need to add my card to the latest ‘thing.’ The preferred approach will be one that is scalable and secure, without being inconvenient. So even though we realized this is an issue through Apple Pay, the fix has to be bigger than that. The response has to be one that accounts for an exponential increase in entities like Apple Pay.”