Apple Pay Hit With Fraud

Fraudulent transactions involved credit card data stolen in previous retailer data breaches.

March 09, 2015

NEW YORK – The Wall Street Journal reported last week that Apple Pay has been hit “by a wave of fraudulent transactions” using credit card data stolen during data breaches that took place at large retailers including Home Depot and Target. About 80% of the unauthorized transactions were made for merchandise purchased via smartphones at Apple’s own stores.

While the Apple Pay system itself was not hacked, thieves are entering the stolen card data into phones, “which can then be used to make purchases without a physical card being present.” An Apple spokesman told the newspaper: “Apple Pay is designed to be extremely secure and protect a user’s personal information.”

The newspaper says that this situation “highlights how compromised card data can be valuable to cybercriminals long after merchants secure holes in their payment systems.”

In this situation, says the newspaper, Apple left the process of verifying questionable cards up to the banks’ discretion. Depending on the bank, different steps are often required to confirm a user’s identity, such as requiring customers to log into online accounts and authorize Apple Pay, to calling a customer-service rep for card set-up.

A spokesman for PNC Financial Services Group Inc. told the newspaper that the bank has seen 35 cases of fraud among thousands of Apple Pay customers. “We have looked at our processes and we believe we have very strong know-your-customer processes in place to prevent any additional cases,” he said.

Apple is working with card networks to mask user information by issuing a one-time code for each purchase, but this doesn’t stop thieves from loading card data that has already been stolen.

“Apple Pay is formidable, but it still sits on a loose foundation,” Richard Crone, chief executive of Crone Consulting, commented.

“The lesson here is that authentication at enrollment time is just as important as authentication at time of purchase," commented Gray Taylor, executive director of Conexxus. “Tokenization has promise in protecting card data, but it will also protect stolen card data just as well – meaning we, as a society, need to get serious about our digital identities."

 

For a deeper dive into the pros and cons of Apply Pay read the NACS Magazine article, “Apply Pay, at Its Core” from our January issue.

Advertisement
Advertisement
Advertisement