Cybercriminals are using credit card data stolen during the Home Depot and Target data breaches to make fraudulent purchases via Apple Pay. Approximately 80% of the unauthorized purchases were for high-value items and were purchased using iPhones at Apple stores, according to a source of the Wall Street Journal.
Hackers have not compromised the Apple Pay encryption system. Rather, they are entering stolen credit card data into the mobile payment prompt to make a purchase. The system’s weakness lies in the verification process, which is controlled by the card-issuing banks.
“Apple Pay is designed to be extremely secure and protect a user’s personal information,” an Apple spokesperson told the Guardian. “During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay.”
Advertisement
Users can add their credit accounts to Apple Pay by taking a picture of a physical card, or by manually entering card information. This data is encrypted and sent to Apple’s servers, where it is decrypted, checked, re-encrypted and passed to banks for verification. This is known as the “green path” authentication system, which validates the card.
But the weakness rears its head in the “yellow path.” During this process, some cardholders’ banks take additional steps to verify account details. For example, some banks request the last four digits of the user’s social security number, which typically is already in the hands of fraudsters who have stolen credit card data.
Banks are bolstering their verification processes so consumers can feel at ease when they use Apple Pay to complete a transaction.
“The bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up,” said Robin Sidel, in a Wall Street Journal blog post. “Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address.”
Multiple banks also are taking the extra step of asking customers to authorize their Apple Pay request by logging into their online bank account, according to the same Wall Street Journal post.
Mobile payments specialist and financial industry consultant Cherian Abraham first reported the situation on his blog: “At this point, every issuer in Apple Pay has seen significant ongoing provisioning fraud via customer account takeover.”
Abraham indicated that organized crime rings are handing out prepaid card data to mules around Miami, Fla. And Dallas, Tex., and are largely isolated: “In some cases, fraudsters are calling the bank’s call center themselves to ‘alert the bank about a trip out of town’ so that fraud rules looking for transaction anomalies (such as customer living in California and transacting in Miami) do not trip up as fraudulent transactions.”