Fraudsters Exploit Weakness in Apple Pay


Mark Scott, J.D., CFE
ACFE Research Specialist

Most of us carry around smartphones that are more intelligent than we are. And for many of us, our smartphones permeate almost all aspects of our lives. We use smartphones in place of watches, alarm clocks, maps, music players, and it seems that very soon, we will use them to replace cash and credit cards.

Unfortunately, because criminals are adept at identifying and exploiting the weak links in new technologies, the ever-expanding capabilities of smartphones have created new avenues for fraud.

Consider the recent news about the high rates of fraud in Apple Pay, Apple’s mobile electronic payment system that launched in October 2014. Apple Pay was meant to improve credit card security, but according to some reports, the new service makes it easier for criminals to commit credit card fraud.

But, it’s important to note that the Apple Pay “fraud problem” has nothing to do with security flaws in the Apple Pay mobile transaction protocol — the Apple Pay mobile-payment system itself hasn’t been hacked. Instead, fraudsters are using Apple Pay as a vehicle to make fraudulent purchases with stolen credit cards by exploiting weaknesses in the bank-side process used to approve new credit cards loaded into Apple Pay.

Before credit card data can be used for Apple Pay transactions, the bank that issued the card must verify that it’s valid and is being used by the appropriate person. Unfortunately, there are some credit card issuers with weak verification processes for the Apple Pay mobile-payment system; of course, the fraudsters focus their efforts on exploiting such weaknesses. 

What happens is a form of account takeover: the fraudsters load already-stolen credit card data into the Apple Pay platform, creating a digital copy of the card that they can then use to make fraudulent purchases in brick-and-mortar stores.
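The article's point is that the weak link sits on the issuer's side, at the moment a card is loaded into the wallet. The following Python is an added example, not code from the article, from Apple, or from any bank, that contrasts the weak check the article describes (approve as soon as the static card data validates) with a verification policy that holds a request for step-up when it does not look like the cardholder. Every field name, record, threshold (such as `MAX_CARDS_PER_DEVICE`) and the sample issuer records are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed model of an issuer-side wallet-provisioning decision. It is an added
# example, not Apple's, Apple Pay's, or any bank's real interface; every field name,
# record and threshold below is an assumption chosen to illustrate the article's point.

APPROVE, STEP_UP, DECLINE = "approve", "step_up", "decline"
MAX_CARDS_PER_DEVICE = 3   # assumed threshold: more distinct cards than this on one device is declined


@dataclass
class ProvisioningRequest:
    card_id: str            # issuer's internal reference for the card (constructed)
    device_id: str          # identifier of the phone asking to load the card
    device_country: str     # country the issuer infers for that device
    card_country: str       # cardholder's billing country on file
    card_data_valid: bool   # PAN, expiry and CVV all checked out


@dataclass
class IssuerRecords:
    # device_id -> set of card_ids already loaded on that device (constructed)
    cards_on_device: dict = field(default_factory=dict)
    # card_id -> set of device_ids the cardholder has used with the issuer's own app (constructed)
    known_devices: dict = field(default_factory=dict)
    # card_id -> phone number on file, used to reach the real cardholder (constructed)
    phone_on_file: dict = field(default_factory=dict)


def weak_decide(req: ProvisioningRequest, rec: IssuerRecords) -> str:
    """The kind of check the article warns about: approve as soon as the static card
    data validates. Stolen card data is, by definition, valid data, so it passes."""
    return APPROVE if req.card_data_valid else DECLINE


def strong_decide(req: ProvisioningRequest, rec: IssuerRecords) -> str:
    """Valid card data only earns an approval when the request also looks like it
    comes from the cardholder; anything else is held for step-up verification."""
    if not req.card_data_valid:
        return DECLINE
    loaded = rec.cards_on_device.get(req.device_id, set())
    if req.card_id not in loaded and len(loaded) >= MAX_CARDS_PER_DEVICE:
        # One phone collecting many different people's cards is the pattern behind
        # turning a stolen-card dump into digital cards; refuse rather than ask for a code.
        return DECLINE
    risk = 0
    if req.device_id not in rec.known_devices.get(req.card_id, set()):
        risk += 1   # a device the issuer has never seen this cardholder use
    if req.device_country != req.card_country:
        risk += 1   # the phone is somewhere the cardholder is not
    return APPROVE if risk == 0 else STEP_UP


def step_up_channel(req: ProvisioningRequest, rec: IssuerRecords) -> str:
    """Where a held request goes: a one-time code to the phone number on file, or a
    call-center review when there is no number. The code must never be sent to the
    requesting device itself, since that is the device under suspicion."""
    return "otp_to_phone_on_file" if rec.phone_on_file.get(req.card_id) else "call_center_review"


def sample_records() -> IssuerRecords:
    """Constructed issuer state for the demonstration."""
    return IssuerRecords(
        cards_on_device={"device-A": {"card-1"}, "device-Z": {"card-7", "card-8", "card-9"}},
        known_devices={"card-1": {"device-A"}, "card-2": {"device-B"}},
        phone_on_file={"card-1": "+1-555-0100", "card-2": None},
    )


def demo() -> dict:
    """Run both policies over three constructed requests and return the decisions."""
    rec = sample_records()
    cases = {
        # Cardholder re-adding their own card from the phone they already use with the bank.
        "cardholder_known_device": ProvisioningRequest("card-1", "device-A", "US", "US", True),
        # Stolen data for card-2 loaded onto a phone the issuer has never linked to it.
        "stolen_data_new_device": ProvisioningRequest("card-2", "device-X", "US", "US", True),
        # Another stolen card headed for a phone that already holds three other people's cards.
        "stolen_data_card_mule": ProvisioningRequest("card-3", "device-Z", "US", "US", True),
    }
    return {
        name: {
            "weak": weak_decide(req, rec),
            "strong": strong_decide(req, rec),
            "step_up_via": step_up_channel(req, rec) if strong_decide(req, rec) == STEP_UP else None,
        }
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} weak={result['weak']:8} strong={result['strong']:8} {result['step_up_via'] or ''}")
```

Run as a script, the weak policy approves all three requests because the card data is valid in every case, which is exactly the situation the article describes; the stronger policy approves only the request from a device the issuer already associates with that cardholder, holds the unfamiliar-device request for verification through a channel the requester does not control, and declines the device that is already full of other people's cards.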

The fact that Apple Pay provides criminals a means through which they can use stolen card data to commit fraud in brick-and-mortar stores is a development that concerns online security expert Brian Krebs: “Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.”

This situation highlights the creativity and inventiveness of fraudsters. While Apple Pay was touted as a safer alternative to credit cards and perhaps the most secure method of payment available, enterprising criminals took little time to identify and exploit the security weakness in this emerging technology for financial gain. 

It also points to the risks in placing too much reliance on new and unproven technologies, and illustrates the old adage that security is only as strong as the weakest link. In a world where we’re more digitally connected than ever before, speed is essential, but moving impetuously can be unsafe.