Apple Pay is so secure criminals so far have only been able take advantage of it by taking advantage of the banks behind it.
Sadly, identity theft and credit card fraud are nothing new. While Apple Pay does an enormous amount to secure the transaction process itself — merchants are given a one-time number instead of the card number to prevent expose in the case of data breach, for example — securing the banking process against basic social engineering attacks is something else entirely. When reached for comment, Apple told me:
"Apple Pay is designed to be extremely secure and protect a user's personal information," an Apple spokesperson told iMore. "During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."
Apple provided the same comment to the The Guardian following an article which reported:
Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details.
Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system.
There's absolutely no way banks have been "caught by surprise" by any of this, though. It's the same old social engineering attacks being used on banks in the exact same way.
It's absolutely a problem for banks and for people whose identities are stolen, but there's nothing to indicate it has anything to do with Apple Pay. Furthermore, no one should be alarmed about Apple Pay in this context. Just the opposite — Apple Pay appears to be so secure the only thing criminals can do is try and trick the banks at the other end of the chain.
What's more, Apple does a lot to help banks avoid approving illegitimate cards. Apple securely transmits encrypted iTunes account information from the iPhone to the bank. That includes the device name, phone number, last four digits of the card, etc.
Using that information, banks can determine whether or not they'll authorize the card for Apple Pay. Banks can also choose to require a text message, email, customer service call, etc. before authorizing. All of this is publicly detailed in Apple's iOS Security Guide.
Banks are responsible for determining the appropriate balance of convenience and security for their customers. The goal is to keep fraud at an acceptable level while ensuring customers aren't inconvenienced by jumping through a bunch of hoops to use a credit card. If the amount of fraudulent card activation occurring with the banks current authorization mechanisms is too great, they will correct this by adding additional steps to the manual authorization process when customers call into the bank.
The Guardian, to its credit, points this out:
US banks are using a "green path" for cards they approve straight away on such data, and a "yellow path" for cards requiring more checks. But some banks have made the task too simple by asking callers to verify their identity with the last four digits of their social security number (SSN).
Though meant to be secret, SSNs are commonly stolen in identity theft, and on average 11.5 million Americans are victims of identity fraud annually, according to US data, with the average incident costing $4,930. In 2013 total losses from ID fraud in the US totalled $24.7bn. Nearly two-thirds of cases involve credit card details.
The paper cites a Drop Labs post on "green" vs. "yellow" path which also includes the following:
Though what follows was written in the context of Apple Pay, much of it translates to any other competitor – irrespective of origin, scale, intent, or patron saint."
Again, this has nothing to do with Apple Pay. Hopefully the banks targeted, however, will figure out how to better make the call on who and how they authorize cards.