Apple Pay hasn’t been hacked. But it does provide a new way to commit fraud. As The Wall Street Journal reported, criminals are loading stolen credit card data on iPhones in order to make fraudulent purchases, taking advantage of lax bank security requirements for authentication. With two million Americans already using Apple Pay, many more may follow – but who knows what percentage may be criminals.
eWeek.com provided a good overview of how the Apple Pay’s approval process works:
- The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
- Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
- If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
- Apple checks to see if the card is already on file in iTunes, verifying it through a match
- But most cards aren’t already in iTunes – so Apple sends card data, phone data and iTunes account info to the card-issuing bank
- If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing
So really, whether or not fraud succeeds comes down to the bank’s verification process, which, depending on the bank, may not be robust enough to stop it.
DarkReading.com quotes Javelin Strategy and Research’s Director of Security, Risk and Fraud:
The one constant we have seen for every mobile financial service thus far has been the issue of [bank account] takeovers, whether that be mobile banking, mobile RDC, or mobile payments. More needs to be done to ensure that the device to which data is provisioned belongs to the legitimate accountholder.
In response, banks are beefing up their identity verification process to ensure the cardholders are valid. Similar to two-factor authentication, once a card verification request is sent to the bank from Apple, the bank may send a one-time passcode (OTP) to the customer’s email or mobile phone that they must enter into a prompt to verify the card.
A more secure form of authentication may be via push notification sent to a user’s phone through an authentication mobile app. Learn more about Duo Mobile.
Some banks are even asking customers to authorize their Apple Pay request by logging into their online bank account (which may or may not provide more security, as not all banks require strong authentication, making it easier for criminals to also get access to online bank accounts and verify Apple Pay card requests that way).
Other banks lack the basic security control that would let them compare Apple Pay card numbers against card numbers previously reported as stolen; some of the card data used by the criminals was in fact stolen in the Target and Home Depot breaches. If they blacklisted previously stolen card numbers, they could significantly cut down on fraud carried out through Apple Pay.
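The bank-side verification the two paragraphs above describe (a check against card numbers already reported stolen, followed by a one-time passcode challenge) as an added Python example; this is not code from the original post, from Apple, or from any bank, and the card numbers, request ids and thresholds are constructed for illustration:

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: card numbers previously reported as stolen, stored as
# SHA-256 fingerprints rather than in the clear. (A bare hash of a 16-digit PAN
# is brute-forceable; a real deployment would use a keyed hash such as HMAC.)
def pan_fingerprint(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()

STOLEN_CARD_FINGERPRINTS = {pan_fingerprint("4000000000000002")}  # constructed PAN

OTP_TTL_SECONDS = 300   # one-time passcode lifetime (assumed value)
MAX_OTP_ATTEMPTS = 3    # lock the challenge after a few wrong guesses (assumed)

_challenges = {}  # request_id -> {"otp_hash", "expires", "attempts", "used"}

def screen_provisioning_request(request_id: str, pan: str, now=None) -> tuple:
    """Bank-side decision for a card-provisioning request.

    Returns ("deny", None) if the card was previously reported stolen, otherwise
    ("challenge", otp) where otp is the passcode the bank delivers to the
    cardholder over an out-of-band channel (email, SMS or push), never back to
    the device that asked to provision the card.
    """
    now = time.time() if now is None else now
    if pan_fingerprint(pan) in STOLEN_CARD_FINGERPRINTS:
        return ("deny", None)
    otp = f"{secrets.randbelow(10**6):06d}"
    _challenges[request_id] = {
        "otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return ("challenge", otp)

def verify_otp(request_id: str, submitted: str, now=None) -> bool:
    """Accept the passcode once, within its lifetime, under an attempt limit."""
    now = time.time() if now is None else now
    ch = _challenges.get(request_id)
    if ch is None or ch["used"] or now > ch["expires"] or ch["attempts"] >= MAX_OTP_ATTEMPTS:
        return False
    ch["attempts"] += 1
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).hexdigest(), ch["otp_hash"])
    if ok:
        ch["used"] = True
    return ok
```

The `now` parameter exists only so expiry can be exercised deterministically; the blacklist check alone would have stopped the reuse of cards stolen in earlier breaches, while the passcode step addresses the device-ownership question the Javelin quote raises.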
The Problem with Social Security Numbers
Sometimes a third-party call center calls the bank to verify the card based on the security code on the back of the card, or simply by the last four digits of the user’s Social Security Number (SSN). But the problem with using only an SSN to verify an Apple Pay card is the fact that SSNs are also very easily procured, either by hacking a third-party database or by buying them off the black market, as DarkReading.com reported.
Further, SSNs and the system are inherently flawed, as NPR reported. The Office of Inspector General (OIG) found that about 6.5 million SSNs were linked to people aged 112 years or older – which doesn’t exactly match up with the fact that there are fewer than 40 people worldwide that are actually that age.
And that means the Social Security Administration (SSA) is having trouble resolving discrepancies of SSNs that belong to people that have died many years ago, as the OIG reported on the need to improve the accuracy and completeness of the “Death Master File” (seriously) in order to prevent future misuse of these SSNs.
Criminals are easily exploiting the current SSN system to commit fraud. One case involved a man who opened bank accounts using several different SSNs tied to birthdates of 1869 and 1893, making the holders 145 and 121 years old. The OIG report found evidence of even greater fraud: individuals using over 60k SSNs reported $3.1 billion in total income from 2006-2011, but the employees’ names on the earnings reports didn’t match the SSN-holders’ names.
At any rate, as mobile payment systems become more widely adopted and fraud rates increase, banks and application providers need to layer authentication security methods to prevent both account takeovers and the potential loss of a lot of money.
Learn more about protecting customer payment data in our free eBook, A Modern Guide to Retail Data Risks.