Verification methods used by many banks and credit card providers are leaving Apple Pay open to potential fraud, according to a new report by Drop Labs. While Apple Pay remains secure at a technical level – there have been no incidents of stolen iPhones being used for unauthorized purchases, or Touch ID or NFC being compromised — criminals are resorting to much lower tech methods of identify theft and social engineering to steal credit card information and use it with Apple Pay. In short, thieves are stealing credit card numbers the old fashioned way, and then loading them onto their own iPhones using Apple Pay, taking advantage of inadequate procedures used by some banks and credit card providers for verifying and authorizing cards to be used with Apple Pay.
As the Drop Labs report notes, all participating card issuers were required by Apple to build a “Yellow Path” for verifying cards added to Apple Pay. However, this experience varies with each issuer, with some requiring nothing more than a phone call – a method that can easily be used by an identity thief to add a stolen credit card to an Apple Pay device such as an iPhone. Part of the problem stems from this “Yellow Path” requirement initially being optional for card issuers, with Apple reversing course and making it mandatory less than a month before Apple Pay was actually launched. Card providers that had originally not planned out a “Yellow Path” verification process were thereby forced to build in this support on relatively short notice or miss the initial Apple Pay rollout.
While Apple Pay itself remains inherently secure, it’s ironically this secure “trust’ system built into Apple Pay — with features like Touch ID and secure NFC — that makes it more attractive for this type of fraud. Once a card has been verified and authorized for Apple Pay, no further checks and balances are implemented, making it easier to use a stolen credit card on an Apple Pay device than it would be to physically produce a counterfeit card from a stolen credit card number. [via Gizmodo UK]