Apple Pay fraud claims are a social engineering problem, not a technological one
Reports of Apple Pay being abused by fraudsters have been exaggerated, according to experts who say the issue is with bank security and not Apple's iPhone-based payment system.
The U-turn comes after articles by the Wall Street Journal and Guardian claimed Apple Pay had become a victim of fraud, blaming banks' inability to know for sure if the card holder was using Apple Pay to purchase goods, or if the system was being used with stolen details.
Stolen credit card details have been available to buy online for years, with some sellers distributing the details over the dark web.
Sitting at the doorstep of the banks rather than Apple, the problem lies with how banks verify the cardholder before letting them add the card to Apple Pay. Using so-called "green path" authentication checks gather the name and location of the iPhone being used, and whether or not the account holder has an extensive history of using the card in question for buying iTunes content stored on the phone.
If this path cannot be taken, the bank will then attempt "yellow path" authentication, which usually involves a phone call from the bank to check the user's details. The problem is most US banks only ask for the last four digits of the card holder's social security number, which is often shared with fraudsters when an identity is stolen.
The same old social engineering problems
Renowned Apple blogger Rene Ritchie described the problem as "the same old social engineering attacks being used in the same old way. It's absolutely a problem for banks and retailers and for people whose identities are stolen, but there's nothing to indicate it has anything to do with Apple Pay specifically."
Ritchie adds that, instead of blaming Apple Pay's security, the system "appears to be so secure the only thing criminals can do is try and trick banks at the other end of the chain."
Rurik Bradbury, chief marketing officer of e-commerce fraud website Trustev, chimed into the debate, describing Apple Pay as "basically fraud-proof," which caused fraudsters to "turn their attention to the next weakest link: credit cards before they're added to an Apple Pay wallet."
Agreeing with Ritchie, Bradbury adds: "This is classic fraud via social engineering. Criminals use stolen credit card details...and then trick banks into allowing them to be loaded onto an iPhone...they can [then] make purchases until the card is cancelled."
In a statement shared with various publications, an Apple spokesperson said: "Apple Pay is designed to be extremely secure and protect a user's personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."
Only available in the US for now, Apple Pay is tipped to launch in Europe soon, possibly to coincide with the release date of the Apple Watch. Apple is expected to disclose this - and the smartwatch's pricing structure - at a media event on 9 March.
© Copyright IBTimes 2024. All rights reserved.