A hot and heavy headline at the Wall Street Journal, “Fraud Comes to Apple Pay,” gives the impression of some kind of security weakness in Apple’s new payment system, but it’s not justified.
What has happened is that Apple Pay itself is basically fraud-proof, so fraudsters have turned their attention to the next weakest link: credit cards before they’re added to an Apple Pay wallet.
This is classic fraud via social engineering. Criminals use stolen credit card details (which can easily and cheaply be bought on sites like Rescator.cm) and then trick banks into allowing them to be loaded onto an iPhone. Once loaded onto a phone, they can make purchases until the card is canceled.
Respected security researcher Cherian Abraham had previously written that — in some instances — Apple Pay fraud has been as high as 600 basis points (that’s 6% of transactions!). These are some serious teething troubles, as banks struggle to work out foolproof ways to validate that a card being added to Apple Pay is genuinely being used by that card’s owner.
As Rene Ritchie of iMore points out, this phenomenon is more like identity theft than Apple Pay fraud: the payment process is highly secure, and has not been compromised.
The banks are the ones footing the bill here, and taking huge losses in the land rush to be everyone’s default credit card for Apple Pay. It’s on them, not Apple, to solve the issue, which is really more like “post-Apple Pay fraud.”
This post originally appeared at Trustev, and is republished with permission.