Earlier this week it was reported that Apple Pay – Apple’s burgeoning contactless payment system – has already been hit by nefarious individuals looking to take advantage of a process that was touted for its high level of security. It seems that industrious fraudsters have discovered a way to use stolen credit card numbers and personal information to circumvent measures put in place to correctly identify a bank customer during the Apple Pay set-up process. But in this case, the issue doesn’t lie with Apple at all but with the banks that the Cupertino-based company has partnered with.
If you have gone through the step-by-step process of adding a credit card to Apple Pay on your iPhone 6, you probably already know that it is a fairly quick and easy affair. You simply launch the Passbook App and select the option to add a card, and within a matter of a few minutes your device is configured to begin making mobile purchases.
As part of that set-up process, however, your bank is required to ask a series of security questions. Just exactly what those questions entail is entirely up to the institution that issued the card, with some requiring more specific information than others. Apparently, a number of the banks aren’t making it very difficult for identity thieves to complete this process using stolen data, granting them the ability to set up Apple Pay on their iPhones using someone else’s credit card information.
Just how bad has it gotten? According to the Wall Street Journal article linked to above, approximately 0.1% of all transactions conducted with a plastic credit card are fraudulent. Right now, it is estimated that about 6% of all transactions in Apple Pay are made using someone else’s information. That is an alarming number to say the least, and should be cause for concern for both Apple and the banks.
Unfortunately, there is very little Apple can do about this problem at this time. As far as the tech giant is concerned, all of the transactions are being fulfilled as expected, with customer data fully protected from prying eyes. The onus for fixing this Apple Pay security breach falls squarely on the shoulders of the banks, which must find a way to implement a better customer verification system moving forward.
In some instances the banks only ask for the last four digits of a customer’s social security number, which is often one of the first things that identity thieves are able to find. A two- or three-step process using more personal information and specially generated security questions would probably help prevent this level of fraud.
It should be noted that not all banks are having issues with Apple Pay. On the contrary, when I set up the service on my iPhone, I had to answer a number of security questions prior to the card actually being activated. Afterwards I even received a letter in the mail from my bank confirming that I had added my debit card to my iPhone 6, which was a nice old school method of ensuring that it really was me that had completed the process. I remember at the time thinking that the set-up process was longer than I had expected, but now I understand why that was the case.
This story also underscores the idea that no matter how secure an online payment system might be, someone will find a way to exploit it. Apple’s transaction servers are too tough to crack and offer very limited information to begin with. So instead, thieves have chosen to attack the other parties involved with the Apple Pay system – the banks. At this point, it is their verification system that is the weak link.
I’m confident that Apple will work with their partners to improve the overall security of the service. It seems that some banking institutions were so eager to join the Apple Pay party that they were negligent in their verification process. I would expect that most of them will correct this problem in the very near future, and ensure that Apple Pay is incredibly secure from end-to-end.